Multiple OpenVPN Client connections as WAN



  • I have 2 OpenVPN Client connections on my pfSense box.
    The idea of this is to get 2 public static IPs on my pfSense box.

    WANVPN1 and WANVPN2 are 2 OpenVPN Clients configured as TAP with their interfaces assigned in the interface manager on pfSense.

    WANVPN1 is NOT set as default gateway.
    WANVPN2 IS set as default gateway.

    WANVPN1 and WANVPN2 have static IPs and gateways assigned, and both are DIFFERENT for BOTH interfaces. (2 VPN tunnels from 2 different providers)

    The following work wonderfully:
    TCP traffic initiated from LAN to WANVPN2 in both directions
    UDP traffic initiated from LAN to WANVPN2 in both directions
    TCP traffic initiated from WANVPN1 to LAN via NAT in both directions
    TCP traffic initiated from WANVPN2 to LAN via NAT in both directions

    The following is b0rked:
    UDP traffic initiated from WANVPN1 to LAN via NAT.
    UDP traffic initiated from WANVPN2 to LAN via NAT.

    Have verified with packet capture on DNS traffic. The packet capture shows only the request packet on the WANVPN2 side and WANVPN1 side. On the LAN side, the packet capture shows both request and response packet.

    Setting firewall to "log all" in log settings renders nothing, so it's not the firewall blocking.
    What I want, is that if a UDP packet enters on WANVPN1, its reply should leave on WANVPN1. If a UDP packet enters on WANVPN2 its reply should leave on WANVPN2.
    What is the problem? Have configured manual outgoing NAT for both WANVPN1 and WANVPN2, and traffic from the inside works well both for UDP and TCP. It's only UDP from the outside that is a problem.

    Here is a packet capture on the WANVPN2 interface while doing DNS requests from outside (it's the same for WANVPN1):

    23:30:00.838408 00:bd:b0:91:b9:36 > 00:bd:69:41:00:03, ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 54)
       88.198.39.133.17736 > 193.13.142.178.53: [udp sum ok] 59819+ A? sebbe.eu. (26)

    23:30:05.840062 00:bd:b0:91:b9:36 > 00:bd:69:41:00:03, ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 54)
       88.198.39.133.17736 > 193.13.142.178.53: [udp sum ok] 59819+ A? sebbe.eu. (26)

    23:30:10.845169 00:bd:b0:91:b9:36 > 00:bd:69:41:00:03, ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 54)
       88.198.39.133.17736 > 193.13.142.178.53: [udp sum ok] 59819+ A? sebbe.eu. (26)

    Here is a packet capture on the LAN interface while doing DNS requests from outside:

    23:30:52.068470 00:0a:cd:18:63:da > 00:26:18:a0:79:e9, ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 13799, offset 0, flags [none], proto UDP (17), length 54, bad cksum 0 (->9165)!)
       192.168.25.1.7245 > 192.168.25.25.53: [udp sum ok] 12086+ A? sebbe.eu. (26)

    23:30:52.068746 00:26:18:a0:79:e9 > 00:0a:cd:18:63:da, ethertype IPv4 (0x0800), length 178: (tos 0x0, ttl 64, id 46922, offset 0, flags [none], proto UDP (17), length 164)
       192.168.25.25.53 > 192.168.25.1.7245: [udp sum ok] 12086*- q: A? sebbe.eu. 2/2/2 sebbe.eu. A 46.59.86.163, sebbe.eu. A 193.13.142.178 ns: sebbe.eu. NS dns1.sebbe.eu., sebbe.eu. NS dns2.sebbe.eu. ar: dns1.sebbe.eu. A 193.13.142.178, dns2.sebbe.eu. A 46.59.86.163 (136)

    23:30:57.066431 00:0a:cd:18:63:da > 00:26:18:a0:79:e9, ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 15885, offset 0, flags [none], proto UDP (17), length 54, bad cksum 0 (->893f)!)
       192.168.25.1.21356 > 192.168.25.25.53: [udp sum ok] 12086+ A? sebbe.eu. (26)

    23:30:57.066705 00:26:18:a0:79:e9 > 00:0a:cd:18:63:da, ethertype IPv4 (0x0800), length 178: (tos 0x0, ttl 64, id 46923, offset 0, flags [none], proto UDP (17), length 164)
       192.168.25.25.53 > 192.168.25.1.21356: [udp sum ok] 12086*- q: A? sebbe.eu. 2/2/2 sebbe.eu. A 46.59.86.163, sebbe.eu. A 193.13.142.178 ns: sebbe.eu. NS dns1.sebbe.eu., sebbe.eu. NS dns2.sebbe.eu. ar: dns1.sebbe.eu. A 193.13.142.178, dns2.sebbe.eu. A 46.59.86.163 (136)

    23:31:02.068461 00:0a:cd:18:63:da > 00:26:18:a0:79:e9, ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 20194, offset 0, flags [none], proto UDP (17), length 54, bad cksum 0 (->786a)!)
       192.168.25.1.60951 > 192.168.25.25.53: [udp sum ok] 12086+ A? sebbe.eu. (26)

    23:31:02.068740 00:26:18:a0:79:e9 > 00:0a:cd:18:63:da, ethertype IPv4 (0x0800), length 178: (tos 0x0, ttl 64, id 46924, offset 0, flags [none], proto UDP (17), length 164)
       192.168.25.25.53 > 192.168.25.1.60951: [udp sum ok] 12086*- q: A? sebbe.eu. 2/2/2 sebbe.eu. A 46.59.86.163, sebbe.eu. A 193.13.142.178 ns: sebbe.eu. NS dns1.sebbe.eu., sebbe.eu. NS dns2.sebbe.eu. ar: dns1.sebbe.eu. A 193.13.142.178, dns2.sebbe.eu. A 46.59.86.163 (136)

    Seems replies from the DNS servers aren't routed out correctly?
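The following is an added example, not code from the original post: a small checker that pairs each DNS query in a tcpdump `-e -vv` style capture with its reply, so the "request only on the WAN side, request and reply on the LAN side" pattern described above can be read off per interface rather than by eye. A query that is answered in the LAN capture but never answered in the WAN capture was processed by the DNS server and the reply was generated, so the loss is on the return path (the reply not leaving through the interface the request arrived on), not a filter drop of the request. The sample input is an abbreviated excerpt of the two captures quoted in the post; the interface names in the dictionary and the function names are the example's own.

```python
import re

# Matches the UDP payload line tcpdump prints under each packet header, e.g.
#   88.198.39.133.17736 > 193.13.142.178.53: [udp sum ok] 59819+ A? sebbe.eu. (26)
#   192.168.25.25.53 > 192.168.25.1.7245: [udp sum ok] 12086*- q: A? sebbe.eu. ...
# tcpdump prefixes the question section with "q:" only in responses; in queries
# the question type ("A?") follows the flag characters directly.
UDP_LINE = re.compile(
    r"^\s*(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"\[udp (?:sum ok|cksum [^\]]*)\] (?P<id>\d+)(?P<flags>[+*|$-]*) (?P<rest>.*)$"
)


def parse_dns_packets(capture_text):
    """Yield (src, sport, dst, dport, dns_id, is_response) for every DNS line."""
    for line in capture_text.splitlines():
        m = UDP_LINE.match(line)
        if m is None:
            continue  # header lines (timestamp, MACs, ethertype) and non-UDP traffic
        yield (m.group("src"), int(m.group("sport")),
               m.group("dst"), int(m.group("dport")),
               int(m.group("id")), m.group("rest").startswith("q:"))


def pair_queries(capture_text):
    """Return {(client, cport, server, sport, dns_id): answered}.

    Retransmitted queries (same 4-tuple and DNS id) collapse into one entry,
    which is what the WAN-side capture in the post shows: the same query
    repeated every 5 seconds with no reply.
    """
    answered = {}
    for src, sport, dst, dport, dns_id, is_response in parse_dns_packets(capture_text):
        if is_response:
            key = (dst, dport, src, sport, dns_id)  # a reply reverses the tuple
            if key in answered:
                answered[key] = True
        else:
            answered.setdefault((src, sport, dst, dport, dns_id), False)
    return answered


def summarize(captures):
    """captures: {interface: capture_text} -> {interface: (queries, answered, unanswered_keys)}."""
    report = {}
    for iface, text in captures.items():
        pairs = pair_queries(text)
        unanswered = sorted(k for k, ok in pairs.items() if not ok)
        report[iface] = (len(pairs), sum(pairs.values()), unanswered)
    return report


# Abbreviated excerpts of the two captures quoted in the post above
# (the answer section of the replies is shortened).
SAMPLE_CAPTURES = {
    "WANVPN2": """\
23:30:00.838408 00:bd:b0:91:b9:36 > 00:bd:69:41:00:03, ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 54)
   88.198.39.133.17736 > 193.13.142.178.53: [udp sum ok] 59819+ A? sebbe.eu. (26)
23:30:05.840062 00:bd:b0:91:b9:36 > 00:bd:69:41:00:03, ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 54)
   88.198.39.133.17736 > 193.13.142.178.53: [udp sum ok] 59819+ A? sebbe.eu. (26)
""",
    "LAN": """\
23:30:52.068470 00:0a:cd:18:63:da > 00:26:18:a0:79:e9, ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 13799, offset 0, flags [none], proto UDP (17), length 54, bad cksum 0 (->9165)!)
   192.168.25.1.7245 > 192.168.25.25.53: [udp sum ok] 12086+ A? sebbe.eu. (26)
23:30:52.068746 00:26:18:a0:79:e9 > 00:0a:cd:18:63:da, ethertype IPv4 (0x0800), length 178: (tos 0x0, ttl 64, id 46922, offset 0, flags [none], proto UDP (17), length 164)
   192.168.25.25.53 > 192.168.25.1.7245: [udp sum ok] 12086*- q: A? sebbe.eu. 2/2/2 sebbe.eu. A 46.59.86.163, sebbe.eu. A 193.13.142.178 (136)
23:30:57.066431 00:0a:cd:18:63:da > 00:26:18:a0:79:e9, ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 15885, offset 0, flags [none], proto UDP (17), length 54, bad cksum 0 (->893f)!)
   192.168.25.1.21356 > 192.168.25.25.53: [udp sum ok] 12086+ A? sebbe.eu. (26)
23:30:57.066705 00:26:18:a0:79:e9 > 00:0a:cd:18:63:da, ethertype IPv4 (0x0800), length 178: (tos 0x0, ttl 64, id 46923, offset 0, flags [none], proto UDP (17), length 164)
   192.168.25.25.53 > 192.168.25.1.21356: [udp sum ok] 12086*- q: A? sebbe.eu. 2/2/2 sebbe.eu. A 46.59.86.163, sebbe.eu. A 193.13.142.178 (136)
""",
}

if __name__ == "__main__":
    for iface, (total, ok, missing) in summarize(SAMPLE_CAPTURES).items():
        print(f"{iface}: {ok}/{total} queries answered")
        for client, cport, server, sport, dns_id in missing:
            print(f"  no reply seen for {client}:{cport} -> {server}:{sport} id {dns_id}")
```

Run against the real captures by reading each `tcpdump -e -vv -n` output file into the dictionary instead of the embedded excerpts. With multiple WAN-type interfaces, the interesting comparison is the unanswered list of each WAN capture against the LAN capture of the same time window: identical DNS ids answered on LAN but listed as unanswered on the WAN side confirm the reply exists and is being routed elsewhere, which is where gateway and reply-to settings on the WAN rules need to be checked, not the firewall log.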

