Trouble getting VPN connection to work across pfsense
  • I am trying to use a Cisco VPN client (vpnc) across the pfSense firewall to get to our corporate headquarters.  TCP connections (Windows client) work fine, but the UDP connections that vpnc uses just don't seem to work.  I was seeing the packets getting blocked in the firewall log (it said it was "Default block all just to be sure"), so I added a WAN allow rule to the rules for any traffic from the VPN server IP.  After this, the traffic was still getting blocked in the log, but then it said "anchor miniupnpd" was the rule blocking it.  I turned on miniupnpd, and now although nothing shows up in the firewall log about the traffic being blocked, it still isn't getting through (I have packet logging on both sides).  Seeing no improvement I turned miniupnpd off again, and the traffic blocking still doesn't seem to be logging.  Very odd.  I am using automatic outbound rules, and have all LAN outgoing traffic allowed.  My packets from the inside are getting out, but the responses aren't getting allowed back in.

    Can anyone offer any suggestions?  I have been tearing my hair out over this for most of this afternoon.  This was working after the initial install of pfSense, but something seems to have broken it.

    James
  • Are you allowing fragmented packets on your LAN rule(s)?
  • Is there an option for fragmented packets under pfSense?  I found a reference to this option in m0n0wall, but I can't find it in my setup.

    Oddly enough when I came in this morning (after a weekend of no use) I managed to connect to the VPN once… but then no longer.  It seems like some kind of state issue... but deleting all states tied to my machine and the VPN concentrator on the other end doesn't make it work again.

    Any more ideas?  I'm considering just reinstalling pfSense on the machine at this point.

    James
  • We are still having issues with this.  We reinstalled pfSense, but the problem continues.  Basically VPN over UDP is erratic.  It works some of the time but other times does not.  It will work fine for a few days, then it will stop working for a day.  One client machine may be working while another isn't.  It seems random.

    Is anyone else having a similar problem?  We have not yet upgraded to 1.2-Beta2 (still running beta1), but we might try to see if it fixes any of our issues.

    James
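One way to make the log reading described in this thread repeatable, as an added example that is not from the thread or from pfSense itself: it parses filterlog-style lines and tallies blocked UDP packets to or from the VPN server by interface, direction and the rule or anchor that dropped them. The CSV layout is the one pfSense 2.x writes to its filter log (the 1.2-beta logs in the thread looked different, so that is an assumption), and the addresses and log lines are constructed.

```python
import csv
from collections import Counter

# Constructed sample in pfSense 2.x filterlog layout (assumption, see lead-in).
# IPv4 fields: rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,
#   tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst[,sport,dport,datalen]
# 203.0.113.10 plays the remote VPN server, 198.51.100.5 the pfSense WAN address.
SAMPLE_LOG = """\
Jan 1 09:00:01 fw filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,63,1,0,none,17,udp,120,203.0.113.10,198.51.100.5,500,500,100
Jan 1 09:00:02 fw filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,63,2,0,none,17,udp,120,203.0.113.10,198.51.100.5,4500,4500,100
Jan 1 09:00:03 fw filterlog: 7,,miniupnpd,0,em0,match,block,in,4,0x0,,63,3,0,none,17,udp,120,203.0.113.10,198.51.100.5,500,500,100
Jan 1 09:00:04 fw filterlog: 9,,,1000000104,em0,match,pass,in,4,0x0,,63,4,0,none,6,tcp,60,203.0.113.10,198.51.100.5,443,52000,0
"""


def parse_filterlog(text):
    """Return one dict per IPv4 filterlog line; other lines are skipped."""
    records = []
    for raw in text.splitlines():
        if "filterlog: " not in raw:
            continue
        fields = next(csv.reader([raw.split("filterlog: ", 1)[1]]))
        if len(fields) < 20 or fields[8] != "4":
            continue  # only the IPv4 layout is handled here
        rec = {"rule": fields[0], "anchor": fields[2], "iface": fields[4],
               "action": fields[6], "dir": fields[7], "proto": fields[16],
               "src": fields[18], "dst": fields[19], "sport": "", "dport": ""}
        if rec["proto"] in ("udp", "tcp") and len(fields) >= 22:
            rec["sport"], rec["dport"] = fields[20], fields[21]
        records.append(rec)
    return records


def blocked_vpn_udp(records, vpn_server):
    """Count blocked UDP packets involving vpn_server, keyed by
    (interface, direction, blocking rule or anchor, destination port)."""
    counts = Counter()
    for r in records:
        if r["action"] != "block" or r["proto"] != "udp":
            continue
        if vpn_server not in (r["src"], r["dst"]):
            continue
        blocker = r["anchor"] or "rule " + r["rule"]
        counts[(r["iface"], r["dir"], blocker, r["dport"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(blocked_vpn_udp(parse_filterlog(SAMPLE_LOG), "203.0.113.10").items()):
        print(n, key)
```

A run that shows drops keyed to an anchor such as miniupnpd rather than to a numbered rule points at a rule the GUI rule list does not show, which is the situation the first post describes.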