Simple VPN issues



  • Hello-

    Once in a while I do receive from customers that they cannot connect to VPN through pfSense or they are just kicked off. I tried to use my VPN through it and it worked fine always. Normally they use the Cisco VPN client. However this morning I have a different issue: the customer is trying to run transactions through "CyberSource", I am not sure what it is. He is able to connect and do CC transactions, however after some time it just kicks him out. I checked the AP close to it and it was up and running; however, I rebooted the AP and restarted the pfSense box. Disabled the captive portal, no use.

    Finally I thought of the dual WAN connections which I am using at this property. There are two WANs and through a firewall rule they are balanced to each other for bandwidth. Is there a possibility that the client may be connected to one WAN IP and after some time, due to the load balancing feature, it was shifted to the second WAN IP and may be disconnected from the secure connection or the CyberSource, whatever. Is that what is causing it? Any ideas why I am having issues with VPN and secure connections on this property? I am not blocking anything and there are no other firewalls or rules here. Also the only option which is set by default is block private networks or block bogon networks, which I think should not block anything legitimate.

    If dual WAN is causing the customer to drop secure connections or VPN connections then I will disable this feature and will have the owner of the property order a single high speed internet connection. Please help. Thanks



  • You mean there are hosts on the LAN side of pfSense and they connect to a VPN provider on the internet?
    So you mean outgoing VPN traffic?

    For outgoing VPN there shouldn't be a problem with LoadBalancing. LoadBalancing just balances different connections in round robin.
    But if the customer opens a VPN tunnel then the connection is established through one WAN. And after that the VPN connection does not switch because it is a still-alive connection which will still have a state in the firewall state table.

    And the traffic from the host will just pass through the tunnel and so will not affect the LoadBalancing, I think.

    On OpenVPN there is the option that a client can send keepalive packets every x seconds to check if the destination is still available. This will create some traffic and could help you keep the VPN tunnel and the corresponding firewall state alive.



  • Thank you very much for your reply

    If it's not the dual WAN load balancer then it must be the captive portal hard timeout or no-activity timeout. I guess if they are inactive for some reason they are kicked off from the network. That's what I can guess. I have disabled the captive portal and have not heard any complaints afterwards.

    Thanks again



  • Hard Timeout will kick the user, no matter if there is traffic or not.



  • Many HTTPS sites have trouble with load balancing. For security reasons they assume that when a session suddenly changes source IP, it must be "hacked".

    It is always a good idea to create a separate gateway group in failover mode for all HTTPS traffic; this will reduce trouble with financial transactions.
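To show the server-side behaviour the reply above describes (a site binding a session to the source IP it first saw and flagging the session when a later request arrives from a different address, which is exactly what happens when each new TCP connection of one browser session leaves through a different WAN), here is an added example that is not from the thread or from pfSense itself. It runs over constructed access-log lines; the log format with the `sid=` cookie field, the addresses and the session IDs are all assumptions.

```python
"""Session-to-source-IP binding check, as an HTTPS site might apply it.

Added illustration, not code from the thread or from pfSense. Each session
cookie is bound to the first source IP seen; later requests from another IP
are reported, which is the condition a site may treat as a hijacked session.
"""
import re
from collections import defaultdict

# Constructed sample log: Combined-Log-like lines with the session cookie
# appended. Addresses are from documentation ranges (RFC 5737).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:10:00:01 +0000] "GET /login HTTP/1.1" 200 sid=abc123
203.0.113.10 - - [10/Oct/2023:10:00:05 +0000] "POST /login HTTP/1.1" 302 sid=abc123
198.51.100.7 - - [10/Oct/2023:10:02:30 +0000] "POST /checkout HTTP/1.1" 403 sid=abc123
192.0.2.44 - - [10/Oct/2023:10:03:00 +0000] "GET /account HTTP/1.1" 200 sid=def456
192.0.2.44 - - [10/Oct/2023:10:03:09 +0000] "GET /orders HTTP/1.1" 200 sid=def456
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) sid=(?P<sid>\S+)$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_ip_changes(log_text):
    """Map session id -> list of (bound_ip, new_ip, timestamp) for every
    request whose source IP differs from the IP the session was first seen from."""
    bound_ip = {}                 # sid -> first source IP observed
    changes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue              # skip lines in an unexpected format
        sid = rec["sid"]
        if sid not in bound_ip:
            bound_ip[sid] = rec["ip"]
        elif rec["ip"] != bound_ip[sid]:
            changes[sid].append((bound_ip[sid], rec["ip"], rec["ts"]))
    return dict(changes)


if __name__ == "__main__":
    for sid, events in find_ip_changes(SAMPLE_LOG).items():
        for old, new, ts in events:
            print(f"session {sid}: source IP changed {old} -> {new} at {ts}")
```

Run against a real access log, a non-empty result for a checkout session is the pattern to look for when a payment site drops users behind a round-robin dual-WAN gateway; routing HTTPS through a failover-only gateway group keeps the source IP stable for the life of the session.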

