Help!! Pfsense in a Hotel. Guests can't use their VPN clients



  • Hi there,

    I am trying to solve a problem with a hotel using pfSense 1.2.3 on a Netgate router. I have it set up for load balancing and it works fine, but I am having issues with clients' VPN connections. The hotel's business clients have had issues trying to use VPN clients, and some end up leaving because they couldn't get the VPN connections going.

    I'm sure this can't be that difficult, and I would suspect many others have had this same issue. Can someone give me a quasi-universal setup so that the hotel's clients can use their VPNs? I spent quite some time on these forums and everyone I talked with said pfSense works great as a hotel router, and so far it's been great, but I need to solve this dilemma.

    Does using VPN work with load balancing? What do I need to do to ensure these clients get their VPNs working?

    Any and all help is greatly appreciated. If you have experience with this issue in a hotel environment and can resolve it, please send me your info. I need to resolve this or get rid of pfSense, because my customer needs to be able to book these business clients into his hotel.

    Thanks



  • What are the settings for the firewall rules on the interface that is being used to provide the internet to clients? Is it wireless or wired? If wireless, are any of the APs blocking VPN traffic, or is pass-through enabled? Please explain with more details.



  • Is it that they can't establish a VPN, or is it that when multiple people try to VPN to the same endpoint only the first can connect? I have seen the latter situation when many people from the same company come to the hotel and try to use IPsec clients. AFAIK, this is an issue with IPsec itself and you need to send them out different public IPs. You have to do this manually, as 1.2.3 doesn't support outbound NAT to an address pool. (I think 2.0 supports it.)



  • I'm not sure if it's one or everyone. I have done some reading and see there appear to be issues with ver 1.2.3. I am using that ver because of load balancing and captive portal. There were issues with ver 2.0 on load balancing or captive portal, I can't remember which.

    The idea is to have a solid system that doesn't need babysitting all the time. Their clients have said they use other hotels and don't have this issue, so I want to end up with the same sort of end result. Here are the log messages; I have no idea what they mean.

    Mar 8 00:22:18 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument
    Mar 8 00:22:18 racoon: [Self]: INFO: 192.168.1.1[500] used as isakmp port (fd=17)
    Mar 8 00:22:18 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument
    Mar 8 00:22:18 racoon: [Self]: INFO: 24.x.x.79[500] used as isakmp port (fd=16)
    Mar 8 00:22:18 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument
    Mar 8 00:22:18 racoon: [Self]: INFO: 192.168.3.2[500] used as isakmp port (fd=15)
    Mar 8 00:22:18 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument
    Mar 8 00:22:18 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
    Mar 7 22:28:53 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument
    Mar 7 22:28:53 racoon: [Self]: INFO: 192.168.1.1[500] used as isakmp port (fd=17)
    Mar 7 22:28:53 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument
    Mar 7 22:28:53 racoon: [Self]: INFO: 24.x.x.79[500] used as isakmp port (fd=16)
    Mar 7 22:28:53 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument
    Mar 7 22:28:53 racoon: [Self]: INFO: 192.168.3.2[500] used as isakmp port (fd=15)
    Mar 7 22:28:53 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument
    Mar 7 22:28:53 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
    Mar 7 22:28:53 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument
    Mar 7 22:28:53 racoon: [Self]: INFO: 192.168.1.1[500] used as isakmp port (fd=17)
    Mar 7 22:28:53 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument
    Mar 7 22:28:53 racoon: [Self]: INFO: 24.x.x.79[500] used as isakmp port (fd=16)
    Mar 7 22:28:53 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument
    Mar 7 22:28:53 racoon: [Self]: INFO: 192.168.3.2[500] used as isakmp port (fd=15)
    Mar 7 22:28:53 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument
    Mar 7 22:28:53 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
    Mar 7 22:28:53 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Mar 7 22:28:53 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
    Mar 7 22:28:53 racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)



  • The racoon logs are from the IPsec process running on the firewall, and are not related to client VPN connections. Unless you have a tunnel to somewhere, IPsec shouldn't even be enabled. I would check the 2.0 open issues and do some testing. It should do much better with VPN clients behind it than 1.2.3.



  • I had a similar problem with pfSense 2, VPN (IPsec) and load balancing.

    I created an alias with all ports which cannot (or not always) be load balanced. This alias contains ports 20, 21, 22, 443, 444, and for example 1194 (OpenVPN), IPsec (500), IPsec ESP (4500), and 1723 (PPTP).
    These are all destination ports in the firewall rule, and the gateway is my failover gateway and NOT the load-balancing gateway. This rule must be on top of the load-balancing rules.

    I don't know if this works if, e.g., 20 people from one company want to connect to one VPN server.



  • Thanks,

    I was going to use v2.0 but was warned away from it due to various issues with the captive portal and load balancing combo. They need to be able to throttle each client so everyone gets some bandwidth, and they have 2 WAN connections to get the maximum possible throughput. I am very concerned about going from a stable version 1.2.3 to possible issues with 2.0. When I was originally setting this up I started with v2.0 but had issues and went back to ver 1.2.3, as this was recommended for my purposes.

    The biggest issue is trying to find out what and how to set up for third-party VPNs. I have done a ton of reading, but most everything is about setting up OpenVPN or connectivity issues, and only some confusing info about third-party VPNs. I also don't know what to look at in the logs to figure out if VPNs are working or not. I assumed it was IPsec info. Is there not some info I can look at that tells me if a VPN is active? I think the VPNs need to go out the WAN link, not the OPT link, but I don't know how to set things up to ensure that's going to happen.
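The post above asks how to tell whether a guest's VPN is actually up and which WAN it is leaving on, and an earlier reply describes IPsec failing when several clients behind one public IP talk to the same endpoint. The pf state table answers both questions, so here is an added example (not from this thread, and not pfSense's own code) that parses `pfctl -ss` output and reports VPN states per WAN address and IPsec peers shared by more than one internal client. It assumes the FreeBSD `pfctl -ss` line format pfSense uses, `<iface> <proto> <src> (<nat-src>) -> <dst> <state>`; the sample lines are constructed, 203.0.113.79 is a placeholder for the WAN1 public address, and the interface names `em0`/`em1` are assumed.

```python
"""Inspect a pf state table for guest VPN flows (added example, not from the thread).

Run on the firewall as:   pfctl -ss | python3 vpnstates.py
Run offline:              python3 vpnstates.py   (uses the constructed SAMPLE)
"""
import re
import sys
from collections import defaultdict

# VPN control/transport ports named in the thread, plus PPTP's GRE carrier.
# Note that UDP 4500 is IPsec NAT-Traversal, not ESP itself; ESP is IP proto 50.
VPN_PORTS = {
    ("udp", 500): "IKE",
    ("udp", 4500): "IPsec NAT-T",
    ("tcp", 1723): "PPTP control",
    ("udp", 1194): "OpenVPN",
    ("tcp", 1194): "OpenVPN",
}
VPN_PROTOS = {"esp": "IPsec ESP", "gre": "PPTP GRE"}
IPSEC_LABELS = {"IKE", "IPsec NAT-T", "IPsec ESP"}

# Assumed FreeBSD/pfSense `pfctl -ss` layout; the "(nat-src)" part is present
# only for translated (outbound NAT) states, which is what guest traffic is.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)"
    r"(?:\s+\((?P<nat>\S+)\))?\s+->\s+(?P<dst>\S+)\s+(?P<state>\S+)\s*$"
)

# Constructed sample: two IPsec clients (.50, .51) to the same peer via WAN1,
# one IPsec and one PPTP client via WAN2 (192.168.3.2, from the thread), and
# one plain HTTPS flow. pf rewrote .51's IKE source port because :500 was taken.
SAMPLE = """\
em0 udp 192.168.1.50:500 (203.0.113.79:500) -> 198.51.100.10:500       MULTIPLE:MULTIPLE
em0 udp 192.168.1.50:4500 (203.0.113.79:4500) -> 198.51.100.10:4500       MULTIPLE:MULTIPLE
em0 udp 192.168.1.51:500 (203.0.113.79:56231) -> 198.51.100.10:500       MULTIPLE:MULTIPLE
em0 esp 192.168.1.50 (203.0.113.79) -> 198.51.100.10       NO_TRAFFIC:SINGLE
em1 udp 192.168.1.52:500 (192.168.3.2:500) -> 192.0.2.20:500       MULTIPLE:MULTIPLE
em1 tcp 192.168.1.53:51000 (192.168.3.2:51000) -> 192.0.2.30:1723       ESTABLISHED:ESTABLISHED
em1 gre 192.168.1.53 (192.168.3.2) -> 192.0.2.30       NO_TRAFFIC:SINGLE
em0 tcp 192.168.1.60:49152 (203.0.113.79:49152) -> 192.0.2.40:443       ESTABLISHED:ESTABLISHED
"""


def split_host_port(token):
    """'10.0.0.1:500' -> ('10.0.0.1', 500); '10.0.0.1' -> ('10.0.0.1', None). IPv4 only."""
    host, sep, port = token.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return token, None


def parse_states(text):
    """Turn `pfctl -ss` output into dicts; lines that do not match are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        src, sport = split_host_port(m["src"])
        dst, dport = split_host_port(m["dst"])
        nat, nport = split_host_port(m["nat"]) if m["nat"] else (None, None)
        states.append({"iface": m["iface"], "proto": m["proto"].lower(),
                       "src": src, "sport": sport, "nat": nat, "nport": nport,
                       "dst": dst, "dport": dport, "state": m["state"]})
    return states


def classify(state):
    """VPN label for a state, or None for ordinary traffic."""
    if state["proto"] in VPN_PROTOS:
        return VPN_PROTOS[state["proto"]]
    return VPN_PORTS.get((state["proto"], state["dport"]))


def vpn_flows(states):
    return [dict(s, label=classify(s)) for s in states if classify(s)]


def egress_by_wan(flows):
    """VPN states per translated source address: which WAN each VPN really left on."""
    counts = defaultdict(int)
    for f in flows:
        counts[f["nat"] or f["src"]] += 1
    return dict(counts)


def shared_ipsec_peers(flows):
    """IPsec peers reached by more than one internal client behind the same
    public IP, the case the thread describes where only the first connects."""
    clients = defaultdict(set)
    for f in flows:
        if f["label"] in IPSEC_LABELS:
            clients[(f["nat"] or f["src"], f["dst"])].add(f["src"])
    return {k: sorted(v) for k, v in clients.items() if len(v) > 1}


def report(text):
    flows = vpn_flows(parse_states(text))
    lines = [f"{len(flows)} VPN state(s)"]
    for wan, n in sorted(egress_by_wan(flows).items()):
        lines.append(f"  via {wan}: {n}")
    for (wan, peer), hosts in sorted(shared_ipsec_peers(flows).items()):
        lines.append(f"  WARNING: {len(hosts)} clients share {wan} to IPsec peer {peer}: {', '.join(hosts)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE))
```

On the constructed sample the report shows four VPN states leaving via the WAN1 address and three via 192.168.3.2, and warns that 192.168.1.50 and 192.168.1.51 both reach 198.51.100.10 from 203.0.113.79. A state that only ever shows `NO_TRAFFIC` on the ESP or GRE leg while IKE or the PPTP control channel is `MULTIPLE`/`ESTABLISHED` is the usual sign of a tunnel that negotiated but cannot pass data, which is worth checking before blaming the client.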



  • Thanks Nachtfalke,

    It sounds like you're using ver 2.0. As I've said, I am concerned about upgrading. If I upgrade, do I fix one thing at the expense of another?

    I did set up an alias that says ports 22, 443, 444, 3389, and 8443 are all called "httpsall", and a LAN rule that says:

    TCP LAN net * * HTTPsAll load balance   HTTPsAll protocols

    I don't know if it's correct or not. I don't have a vpn client so I have to guess at this stuff, which I hate doing.

    Below is the load balance info. The 192.168.3.1 goes to a second router, and that goes to a second WAN address. It's required because the load balancer can't use 2 addresses from the same network. Load balancing seems to work fine and I see traffic on both WAN ports.




  • I have updated httpsall so that it uses WAN2 with failover to WAN1. I think that's correct. Time will tell. I don't know if I should add additional ports to the httpsall alias or not.



  • Hi,

    I am not too sure how you have to set up firewall rules in 1.2.3 because, as you mentioned, I am using 2.0 RC-1.

    But in the rule you have to set:
    protocol: tcp/udp
    source port: any
    source address: any (or LAN Subnet)
    destination port: HTTPSall
    destination address: any
    GATEWAY: WAN1 Failover OR WAN2 Failover

    But I would add the IPsec (500), ESP (4500), OpenVPN (1194) and PPTP (1723) ports to your alias httpsall, too. You could have a look at Wikipedia on VPNs and find out which method is using which port, and then add it to httpsall.

    As your alias looks at the moment, there will be no difference for VPN connections compared to having no alias at all.

