Weird behavior of a Layer 2 OpenVPN site-2-site tunnel

  • Hi all.

    I am asking if anyone can help me to understand why this is happening. I have set up a site-2-site Layer 2 VPN with OpenVPN. The VPN is up and I can ping from servers on site A to servers on site B and the opposite. As this is L2 both sites have the same IP addressing schema (say

    In site A (and in the same pfSenseA that is building the site-2-site VPN as CLIENT) there is also an OpenVPN SERVER where remote clients (users) connect (so this pfSense acts both as OpenVPN server and as OpenVPN client at the same time). Get the figure? Users connecting to pfSenseA and accessing servers on both pfSenseA and pfSenseB sides/networks.

    You CAN open an RDP session to servers on the farthest side of this setup (site B) but ONLY if you first ping the server's IP address. If you don't, you send SYN packets but never receive a SYN ACK back; the session times out.

    But if you ping, then the MAC address of the pinged server is added to the ARP table of the 'local' pfSense and then you can start a standard RDP session. Fast, no waits, no time-outs. :o

    So, it looks like this has nothing to do with firewalling unless the firewall rules get modified by the former ping.

    It looks like this has to do with the pfSense not knowing where the remote server is located (no MAC data, no ARP entry) and not sending the packets to the far end of the VPN. When I issue a ping then it learns where it is and from that moment on I am able to access the remote server. When time passes without traffic and the ARP entry is dropped then I go again to the starting point.

    Why is that happening? Is something else needed to make the whole behave as a single network?

    Thanks for your time and interest.


  • No one has any clue?