NAT? OpenVPN? Not sure what I need help with here..



  • Not sure which subforum to write this in so will do it here.  This has something to do with either NAT, OpenVPN or ESXi I think..

    I have OpenVPN on my pfSense box, with which I remotely connect from home to the office.  OpenVPN DHCPs me a 192.18.0.0/24 IP when I connect.  My LAN in the office is 10.0.0.0/19 and I have already put this subnet in as "allowed" or whatever that is called.

    Here is the problem. My pfSense is a VM on ESXi 5.  The LAN IP is 10.0.0.1.   I have other VMs on the same server that are on the same subnet.  Here is where it gets weird and I am not sure what else I need to do.  If I connect via OpenVPN and try to connect to any of the web interfaces of other VMs on the server, for example my RADIUS GUI on 10.0.0.6 and my Ubiquiti AirControl on 10.0.0.6:9080, I am able to connect no problem, BUT when I try to connect to any of my routers or APs (WISP) which are on the same subnet, 10.0.0.50 for example, it will not connect. It just sits there loading and goes nowhere.  When in the office, connecting to these devices is not a problem.

    Any ideas?



  • Anyone got any ideas here?



  • Bumping this as I really need to try and solve this..



  • @luke240778:

    Anyone got any ideas here?

    More information might provoke an inspired insight.

    1. Have you tested basic connectivity? What happens if you ping a host that you can't connect to? How is the output from traceroute to host that doesn't respond to web access different from traceroute to a host that does respond to web access?

    2. Do the hosts that don't respond to web access allow access from your 192.168.0.0/24 network?



  • Thanks for the reply.  Question 1 I will get back to you on when I am outside the network again to test this. Question 2 would be a no, as this is the whole issue it seems to be having.  Those hosts I can access from the internet but not when connected over VPN. BUT, they are on the same subnet that is allowed through VPN, and as I said I can access the ones that are on the same server.  So for example, I can connect to 10.0.0.6 which is a VM on the same machine as my pfSense, but I cannot connect to 10.0.0.10 which is a wireless router on the network.



  • My thinking was that the web server configuration on 10.0.0.10 might not allow access from 192.168.0.0/24.

    Does the routing provide a path for the web access to get to 10.0.0.10?

    If yes, does the web server on 10.0.0.10 allow access from the VPN? (Various servers can be configured to restrict access from particular IP addresses.) Maybe the box has some firewall capability that allows it to restrict access from various IP addresses.

    Does the server log access attempts? If not, can it be configured to do so?



  • @wallabybob:

    @luke240778:

    Anyone got any ideas here?

    More information might provoke an inspired insight.

    1. Have you tested basic connectivity? What happens if you ping a host that you can't connect to? How is the output from traceroute to host that doesn't respond to web access different from traceroute to a host that does respond to web access?

    2. Do the hosts that don't respond to web access allow access from your 192.168.0.0/24 network?

    Pinging the devices I can connect to is normal, the others just time out.  Same with traceroute.



  • @wallabybob:

    My thinking was that the web server configuration on 10.0.0.10 might not allow access from 192.168.0.0/24,

    Does the routing provide a path for the web access to get to 10.0.0.10?

    If yes, does the web server on 10.0.0.10 allow access from the VPN? (Various servers can be configured to restrict access from particular IP addresses.) Maybe the box has some firewall capability that allows it to restrict access from various IP addresses

    Does the server log access attempts? If not, can it be configured to do so?

    This all actually worked on my last box, just not on this new server, where the only difference is that this is a VM on ESXi.  On the old box, I didn't need to set up anything at all on the other devices.



  • @luke240778:

    Pinging the devices I can connect to is normal, the others just time out.  Same with traceroute.

    Suggest you draw the path to one of those systems to which web access times out. How far along that route does a traceroute show responses? Perhaps you have a "problem" at the last traceroute entry or at the next hop.

    What do you see on a traceroute to your system on the VPN issued from one of those servers to which you can't connect?



  • @wallabybob:

    @luke240778:

    Pinging the devices I can connect to is normal, the others just time out.  Same with traceroute.

    Suggest you draw the path to one of those systems to which web access times out. How far along that route does a traceroute show responses? Perhaps you have a "problem" at the last traceroute entry or at the next hop.

    What do you see on a traceroute to your system on the VPN issued from one of those servers to which you can't connect?

    OK, so if I am home on my laptop connected via VPN to my pfSense (VM on ESXi), IP 10.0.0.1, I can ping another VM on that ESXi server with IP 10.0.0.6 and tracert is fine also.  I cannot ping an AP on the same subnet with IP 10.0.0.10, and also when I do a tracert it shows:

    Tracing route to 10.0.0.10 over a maximum of 30 ho

      1    78 ms    58 ms    62 ms  192.168.0.1
      2     *        *        *     Request timed out.

    192.168.0.1 being the OpenVPN IP on pfSense.

    If I go to that other VM on the same ESXi server with IP address 10.0.0.6, I cannot ping back to my laptop (192.168.0.6), and tracert also just gives "Request timed out" after the first step:

    Tracing route to 192.168.0.6 over a maximum of 30

      1     1 ms    <1 ms    <1 ms  pfsense.mutioffice
      2     *        *        *     Request timed out.

    Attached is a screenshot showing where I allowed access to the whole 10.0.0.0 subnet.. which in the past worked fine..




  • Sounds like routing on the devices, possibly the devices you can't get to don't have a default gateway or have a wrong default gateway.



  • @cmb:

    Sounds like routing on the devices, possibly the devices you can't get to don't have a default gateway or have a wrong default gateway.

    No, they all have 10.0.0.1 as their default gateway, this is correct.  Plus it works inside the network fine, only over the VPN connection it isn't working any more…



  • @luke240778:

    Plus it works inside the network fine, only over the VPN connection it isn't working any more…

    Which is exactly why it sounds like the default gateway, it has no relevance inside the network.

    Time to packet capture to trace what's getting where. Start with the OpenVPN interface on the box terminating the VPN, see if it's getting there. Then the LAN on that box. Then the destination host. Where do you see it and where do you not?



  • Umm.. you have lost me now.. I don't really understand how to do what you are asking..

    Are you saying packet capture from the pfSense VPN interface to my laptop when connected over VPN?



  • Diag>Packet capture, first on the OpenVPN interface. If you see the traffic there, move to the LAN interface. If you see the traffic there, it's being passed to the internal device and it's not responding, or not routing the response back to where it needs to go.



  • Seeing that all this works on the internal network, I am guessing that you mean to do this from the webgui on my laptop when connected via VPN?



  • @luke240778:

    Seeing that all this works on the internal network, I am guessing that you mean to do this from the webgui on my laptop when connected via VPN?

    Yes. You need to track where the traffic is and where it isn't.



  • I have no idea how to decipher this. The following is the result of a packet capture whilst logged in via VPN, with the webgui on my laptop.  Whilst capturing packets on the VPN interface I logged into the GUI of 10.0.0.6:9080, which does work, then I tried to log in to 10.0.0.50, which doesn't work. Here are the results:

    

    Then I did the exact same with the LAN interface selected in Packet Capture:

    


  • Looks like you limited it to 100 packets, and didn't filter it by IP, so you're missing the relevant traffic there. Put in 10.0.0.50 as the address so it just sees that, 0 as the count (though it won't really matter with the filter on there), and try the same again.



  • OK, this is all I get from that on the VPN interface:

    21:47:00.178564 IP 192.168.0.6.63111 > 10.0.0.50.80: tcp 0
    21:47:00.181121 IP 192.168.0.6.63112 > 10.0.0.50.80: tcp 0
    21:47:03.174617 IP 192.168.0.6.63111 > 10.0.0.50.80: tcp 0
    21:47:03.178406 IP 192.168.0.6.63112 > 10.0.0.50.80: tcp 0
    21:47:09.177196 IP 192.168.0.6.63111 > 10.0.0.50.80: tcp 0
    21:47:09.180098 IP 192.168.0.6.63112 > 10.0.0.50.80: tcp 0

    And this on the LAN interface:

    21:49:49.935138 IP 192.168.0.6.63143 > 10.0.0.50.80: tcp 0
    21:49:49.936001 IP 10.0.0.50.80 > 192.168.0.6.63143: tcp 0
    21:49:49.936038 IP 192.168.0.6.63143 > 10.0.0.50.80: tcp 0
    21:49:49.937900 IP 192.168.0.6.63144 > 10.0.0.50.80: tcp 0
    21:49:49.938609 IP 10.0.0.50.80 > 192.168.0.6.63144: tcp 0
    21:49:49.938640 IP 192.168.0.6.63144 > 10.0.0.50.80: tcp 0
    21:49:50.187409 IP 192.168.0.6.63145 > 10.0.0.50.80: tcp 0
    21:49:50.188626 IP 10.0.0.50.80 > 192.168.0.6.63145: tcp 0
    21:49:50.188663 IP 192.168.0.6.63145 > 10.0.0.50.80: tcp 0
    21:49:52.936299 IP 192.168.0.6.63144 > 10.0.0.50.80: tcp 0
    21:49:52.939297 IP 10.0.0.50.80 > 192.168.0.6.63144: tcp 0
    21:49:52.939338 IP 192.168.0.6.63144 > 10.0.0.50.80: tcp 0
    21:49:52.940308 IP 192.168.0.6.63143 > 10.0.0.50.80: tcp 0
    21:49:52.941788 IP 10.0.0.50.80 > 192.168.0.6.63143: tcp 0
    21:49:52.941820 IP 192.168.0.6.63143 > 10.0.0.50.80: tcp 0
    21:49:53.186213 IP 192.168.0.6.63145 > 10.0.0.50.80: tcp 0
    21:49:53.187786 IP 10.0.0.50.80 > 192.168.0.6.63145: tcp 0
    21:49:53.187822 IP 192.168.0.6.63145 > 10.0.0.50.80: tcp 0
    21:49:57.932174 ARP, Request who-has 10.0.0.1 tell 10.0.0.50, length 46
    21:49:57.932202 ARP, Reply 10.0.0.1 is-at 00:0c:29:82:6d:ef, length 28
    21:49:58.935279 IP 192.168.0.6.63143 > 10.0.0.50.80: tcp 0
    21:49:58.936094 IP 10.0.0.50.80 > 192.168.0.6.63143: tcp 0
    21:49:58.936128 IP 192.168.0.6.63143 > 10.0.0.50.80: tcp 0
    21:49:58.938132 IP 192.168.0.6.63144 > 10.0.0.50.80: tcp 0
    21:49:58.939000 IP 10.0.0.50.80 > 192.168.0.6.63144: tcp 0
    21:49:58.939032 IP 192.168.0.6.63144 > 10.0.0.50.80: tcp 0
    21:49:59.187646 IP 192.168.0.6.63145 > 10.0.0.50.80: tcp 0
    21:49:59.188552 IP 10.0.0.50.80 > 192.168.0.6.63145: tcp 0
    21:49:59.188589 IP 192.168.0.6.63145 > 10.0.0.50.80: tcp 0
    21:50:03.043351 IP 10.0.0.50.32857 > 10.0.0.1.53: UDP, length 30
    21:50:03.043564 IP 10.0.0.1.53 > 10.0.0.50.32857: UDP, length 30
    21:50:03.049895 IP 10.0.0.50.32857 > 10.0.0.1.53: UDP, length 30
    21:50:03.050000 IP 10.0.0.1.53 > 10.0.0.50.32857: UDP, length 30
    21:50:03.058457 IP 10.0.0.50.32857 > 10.0.0.1.53: UDP, length 30
    21:50:03.058552 IP 10.0.0.1.53 > 10.0.0.50.32857: UDP, length 30
    21:50:03.063098 IP 10.0.0.50.32857 > 10.0.0.1.53: UDP, length 30
    21:50:03.063208 IP 10.0.0.1.53 > 10.0.0.50.32857: UDP, length 30



  • That verifies you do have connectivity, can you download that pcap and upload it somewhere, or email it to me (cmb at pfsense dot org) with a link to this thread. That looks normal but without seeing the payload it's hard to say.



  • Thanks cmb, just sent you the email.



  • The capture you just sent me looks more like what I would expect to see - no response at all. That was from the VPN interface though, try the same from LAN and send me that.



  • Just sent you capture from LAN interface



  • That last capture is much different, more like what you showed in the text output, which shows the behavior varies. Why isn't clear. What the last one shows is your client sends the SYN to open the connection, it gets a SYN ACK in response, and then it RSTs the connection. In more plain English, basically your client starts the TCP connection, the 10.0.0.50 device responds back for the next step of the handshake, and then your client says "no, close that connection". Then your client sits there for 3 seconds and repeats the exact same process. After that, it sits there for 6 seconds and repeats again.

    The order is as described, but the timing is such that I seriously doubt the client gets the SYN ACK before it sends back the RST. There is around half a ms between the SYN ACK and the RST, which is far too short a window for the client to have gotten the SYN ACK, so it seems more like the client sends the SYN, and about 10 ms later, sends the RST. The two retries have 1 ms between the SYN and RST.

    I have no idea why your client would be behaving that way, but that's the issue. Firing up Wireshark on the host itself, in the capture options put in a filter for "host 10.0.0.50" on the OpenVPN interface, and see what you get at that point would be my next troubleshooting step.
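    A way to do the "where is the traffic and where isn't it" comparison from earlier in the thread mechanically, as an added example (not from the thread, nor pfSense's own code): it parses the Diag > Packet Capture summary lines, groups them per client port, and reports for each interface whether 10.0.0.50 ever answered and how the client's attempts are spaced (the 3 s and 6 s gaps are the normal TCP SYN retransmission backoff). The sample lines are copied from the two filtered captures posted above; the function names and the verdict strings are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample lines copied from the two filtered captures posted above (pfSense
# Diag > Packet Capture, host filter 10.0.0.50): tunnel side, then LAN side.
VPN_CAPTURE = """\
21:47:00.178564 IP 192.168.0.6.63111 > 10.0.0.50.80: tcp 0
21:47:00.181121 IP 192.168.0.6.63112 > 10.0.0.50.80: tcp 0
21:47:03.174617 IP 192.168.0.6.63111 > 10.0.0.50.80: tcp 0
21:47:03.178406 IP 192.168.0.6.63112 > 10.0.0.50.80: tcp 0
21:47:09.177196 IP 192.168.0.6.63111 > 10.0.0.50.80: tcp 0
21:47:09.180098 IP 192.168.0.6.63112 > 10.0.0.50.80: tcp 0
"""
LAN_CAPTURE = """\
21:49:49.935138 IP 192.168.0.6.63143 > 10.0.0.50.80: tcp 0
21:49:49.936001 IP 10.0.0.50.80 > 192.168.0.6.63143: tcp 0
21:49:49.936038 IP 192.168.0.6.63143 > 10.0.0.50.80: tcp 0
21:49:52.940308 IP 192.168.0.6.63143 > 10.0.0.50.80: tcp 0
21:49:52.941788 IP 10.0.0.50.80 > 192.168.0.6.63143: tcp 0
21:49:52.941820 IP 192.168.0.6.63143 > 10.0.0.50.80: tcp 0
21:49:58.935279 IP 192.168.0.6.63143 > 10.0.0.50.80: tcp 0
21:49:58.936094 IP 10.0.0.50.80 > 192.168.0.6.63143: tcp 0
21:49:58.936128 IP 192.168.0.6.63143 > 10.0.0.50.80: tcp 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): tcp"
)

def parse_capture(text):
    """Return (seconds, src, sport, dst, dport) for each TCP summary line."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ARP, UDP/DNS and other noise are not part of this test
        t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        # seconds since midnight; assumes the capture does not cross midnight
        secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
        packets.append((secs, m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return packets

def analyse_flows(packets, server_ip, server_port, attempt_gap=1.0):
    """Per client (ip, port): did the server answer, and how are the client's attempts
    spaced? Client packets closer than attempt_gap belong to one attempt (SYN then RST)."""
    flows = defaultdict(lambda: {"to_server": [], "from_server": 0})
    for secs, src, sport, dst, dport in packets:
        if dst == server_ip and dport == server_port:
            flows[(src, sport)]["to_server"].append(secs)
        elif src == server_ip and sport == server_port:
            flows[(dst, dport)]["from_server"] += 1
    result = {}
    for client, f in flows.items():
        attempts = []
        for secs in sorted(f["to_server"]):
            if not attempts or secs - attempts[-1] >= attempt_gap:
                attempts.append(secs)
        gaps = [round(b - a) for a, b in zip(attempts, attempts[1:])]
        result[client] = {
            "server_replied": f["from_server"] > 0,
            "attempts": len(attempts),
            "retry_gaps_s": gaps,  # SYN retransmission backoff shows as [3, 6, ...]
        }
    return result

def compare_interfaces(vpn_text, lan_text, server_ip="10.0.0.50", server_port=80):
    """Same test captured on the tunnel side and on the LAN side of the firewall."""
    vpn = analyse_flows(parse_capture(vpn_text), server_ip, server_port)
    lan = analyse_flows(parse_capture(lan_text), server_ip, server_port)
    vpn_reply = any(f["server_replied"] for f in vpn.values())
    lan_reply = any(f["server_replied"] for f in lan.values())
    if not lan_reply:
        return "no reply on LAN: the host is not answering or the SYN never reached it"
    if not vpn_reply:
        return "host replies on LAN but nothing comes back on the VPN interface: reply lost between LAN and tunnel"
    return "reply seen on both interfaces: transport connectivity exists, inspect flags and payload"
```

    Run `compare_interfaces(VPN_CAPTURE, LAN_CAPTURE)` on the two captures above; the summary output only carries lengths, so TCP flags still need the downloaded pcap, as cmb notes.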

