Access to LAN only *AFTER* ping.
-
Hi All,
Being as the pfSense community has a plethora of bright network individuals, I've decided to post this here as no one else has been able to help me figure out what's going on (if this is the wrong place, I understand and I'll delete/move the post).
I've got a somewhat strange issue happening that I am hoping someone here might be able to help with (or at least point in the right direction for where to look for a resolution…).
I've got an OpenVPN server running inside my LAN with pfSense as the firewall/gateway and, connection-wise, everything seems to be working perfectly. No errors, and I am able to route traffic around the LAN without any issues; that is, only AFTER I ping the system I am trying to access. For example:
From the VPN client:
user@system1> ssh test.domain.tld
(after about 60 seconds...)
ssh: connect to host test.domain.tld port 22: Connection timed out
Immediately after:
user@system1> ping -c 3 test.domain.tld
PING test (192.168.1.18) 56(84) bytes of data.
64 bytes from test (192.168.1.18): icmp_seq=1 ttl=62 time=35.8 ms
64 bytes from test (192.168.1.18): icmp_seq=2 ttl=63 time=35.4 ms
64 bytes from test (192.168.1.18): icmp_seq=3 ttl=63 time=34.9 ms

--- test ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 34.924/35.419/35.881/0.391 ms
And then:
user@system1> ssh test.domain.tld
user@system2>
It connects immediately without any issues AFTER I ping the server. And this happens for every system on the LAN aside from the VPN server and LAN gateway… I've tried using tcpdump on the OpenVPN server, LAN gateway and the LAN server (details below) but I don't see anything strange (I also wouldn't put any money on my network troubleshooting skills).
VPN server TUN interface:
# tcpdump -n -i tun0 port 80
08:41:28.860783 IP 10.10.9.9.58039 > 192.168.1.18.80: Flags [S], seq 357569663, win 29200, options [mss 1368,sackOK,TS val 319149 ecr 0,nop,wscale 7], length 0
08:41:29.858293 IP 10.10.9.9.58039 > 192.168.1.18.80: Flags [S], seq 357569663, win 29200, options [mss 1368,sackOK,TS val 319399 ecr 0,nop,wscale 7], length 0
08:41:31.862220 IP 10.10.9.9.58039 > 192.168.1.18.80: Flags [S], seq 357569663, win 29200, options [mss 1368,sackOK,TS val 319900 ecr 0,nop,wscale 7], length 0
08:41:35.870279 IP 10.10.9.9.58039 > 192.168.1.18.80: Flags [S], seq 357569663, win 29200, options [mss 1368,sackOK,TS val 320902 ecr 0,nop,wscale 7], length 0
08:41:43.878157 IP 10.10.9.9.58039 > 192.168.1.18.80: Flags [S], seq 357569663, win 29200, options [mss 1368,sackOK,TS val 322904 ecr 0,nop,wscale 7], length 0

VPN server LAN interface:
# tcpdump -n -i em0 port 80
08:44:11.322145 IP 10.10.9.9.58059 > 192.168.1.18.80: Flags [S], seq 3114136989, win 29200, options [mss 1368,sackOK,TS val 359765 ecr 0,nop,wscale 7], length 0
08:44:12.322054 IP 10.10.9.9.58059 > 192.168.1.18.80: Flags [S], seq 3114136989, win 29200, options [mss 1368,sackOK,TS val 360015 ecr 0,nop,wscale 7], length 0
08:44:14.326194 IP 10.10.9.9.58059 > 192.168.1.18.80: Flags [S], seq 3114136989, win 29200, options [mss 1368,sackOK,TS val 360516 ecr 0,nop,wscale 7], length 0
08:44:18.334067 IP 10.10.9.9.58059 > 192.168.1.18.80: Flags [S], seq 3114136989, win 29200, options [mss 1368,sackOK,TS val 361518 ecr 0,nop,wscale 7], length 0
08:44:26.342044 IP 10.10.9.9.58059 > 192.168.1.18.80: Flags [S], seq 3114136989, win 29200, options [mss 1368,sackOK,TS val 363520 ecr 0,nop,wscale 7], length 0

Test system LAN interface:
07:46:17.147231 IP 10.10.9.9.58066 > 192.168.1.18.80: Flags [S], seq 3862481909, win 29200, options [mss 1368,sackOK,TS val 391221 ecr 0,nop,wscale 7], length 0
07:46:17.147298 IP 192.168.1.18.80 > 10.10.9.9.58066: Flags [S.], seq 1656694809, ack 3862481910, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 1718510613 ecr 391221], length 0
07:46:18.146182 IP 10.10.9.9.58066 > 192.168.1.18.80: Flags [S], seq 3862481909, win 29200, options [mss 1368,sackOK,TS val 391471 ecr 0,nop,wscale 7], length 0
07:46:18.146231 IP 192.168.1.18.80 > 10.10.9.9.58066: Flags [S.], seq 1656694809, ack 3862481910, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 1718510613 ecr 391471], length 0
07:46:20.150906 IP 10.10.9.9.58066 > 192.168.1.18.80: Flags [S], seq 3862481909, win 29200, options [mss 1368,sackOK,TS val 391972 ecr 0,nop,wscale 7], length 0
07:46:20.150975 IP 192.168.1.18.80 > 10.10.9.9.58066: Flags [S.], seq 1656694809, ack 3862481910, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 1718510613 ecr 391972], length 0
07:46:23.199938 IP 192.168.1.18.80 > 10.10.9.9.58066: Flags [S.], seq 1656694809, ack 3862481910, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 1718510613 ecr 391972], length 0
07:46:24.159045 IP 10.10.9.9.58066 > 192.168.1.18.80: Flags [S], seq 3862481909, win 29200, options [mss 1368,sackOK,TS val 392974 ecr 0,nop,wscale 7], length 0
07:46:24.159096 IP 192.168.1.18.80 > 10.10.9.9.58066: Flags [S.], seq 1656694809, ack 3862481910, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 1718510613 ecr 392974], length 0
07:46:27.176076 IP 192.168.1.18.80 > 10.10.9.9.58066: Flags [S.], seq 1656694809, ack 3862481910, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 1718510613 ecr 392974], length 0
07:46:30.198414 IP 192.168.1.18.80 > 10.10.9.9.58066: Flags [S.], seq 1656694809, ack 3862481910, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 1718510613 ecr 392974], length 0
07:46:32.166639 IP 10.10.9.9.58066 > 192.168.1.18.80: Flags [S], seq 3862481909, win 29200, options [mss 1368,sackOK,TS val 394976 ecr 0,nop,wscale 7], length 0
07:46:32.166691 IP 192.168.1.18.80 > 10.10.9.9.58066: Flags [S.], seq 1656694809, ack 3862481910, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 1718510613 ecr 394976], length 0
07:46:35.182939 IP 192.168.1.18.80 > 10.10.9.9.58066: Flags [S.], seq 1656694809, ack 3862481910, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 1718510613 ecr 394976], length 0

Gateway LAN interface:
08:51:50.669723 IP 192.168.1.18.80 > 10.10.9.9.58117: Flags [S.], seq 2644444646, ack 75301707, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 2527065738 ecr 472340], length 0
08:51:59.407253 IP 192.168.1.18.80 > 10.10.9.9.58120: Flags [S.], seq 935091276, ack 3731772220, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 4068713624 ecr 476785], length 0
08:52:00.404186 IP 192.168.1.18.80 > 10.10.9.9.58120: Flags [S.], seq 935091276, ack 3731772220, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 4068713624 ecr 477035], length 0
08:52:02.408171 IP 192.168.1.18.80 > 10.10.9.9.58120: Flags [S.], seq 935091276, ack 3731772220, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 4068713624 ecr 477536], length 0
08:52:05.410714 IP 192.168.1.18.80 > 10.10.9.9.58120: Flags [S.], seq 935091276, ack 3731772220, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 4068713624 ecr 477536], length 0
08:52:06.416142 IP 192.168.1.18.80 > 10.10.9.9.58120: Flags [S.], seq 935091276, ack 3731772220, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 4068713624 ecr 478538], length 0
08:52:09.434051 IP 192.168.1.18.80 > 10.10.9.9.58120: Flags [S.], seq 935091276, ack 3731772220, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 4068713624 ecr 478538], length 0

Has anyone seen this type of behavior before? I've been trying to diagnose and troubleshoot this for quite some time now and I've run out of ideas. Any help on figuring out why this is happening and how to resolve it would be greatly appreciated!
-
I think your LAN hosts don't know the way to your VPN client and send their packets to the default gateway.
You should add a NAT rule to the VPN server, translating the source IP of packets from VPN clients to the server's LAN IP when they are going to the LAN network.
-
I would want to see packet captures while you're attempting to connect ssh and it's not going through to see what's going on at that moment.
-
I think your LAN hosts don't know the way to your VPN client and send their packets to the default gateway.
You should add a NAT rule to the VPN server, translating the source IP of packets from VPN clients to the server's LAN IP when they are going to the LAN network.

Thanks for the reply. On the firewall/gateway, I currently have an additional gateway set up (the VPN server) and also a static route that points all VPN network traffic to the VPN server. Is this not the correct way to do it? Should I remove these and use NAT instead? If so, what would the proper way to add a NAT rule to translate the source be?
-
I would want to see packet captures while you're attempting to connect ssh and it's not going through to see what's going on at that moment.
I'll get some packet captures from each host involved. Would it be better in text or pcap format?
-
I got some more in-depth packet captures which I've pasted below. If there are other commands/options you would like me to use, let me know and I'll be happy to do so. I captured packets until the SSH attempt timed out.
172.28.35.18 - Test server I'm ssh'ing to
172.28.40.5 - VPN client

Command used on each system (interface varies):
tcpdump -nnvvXSs 0 -i interface host 172.28.35.18 or 172.28.40.5 and port 22
VPN server tun0 interface:
11:55:55.938726 IP (tos 0x0, ttl 64, id 55323, offset 0, flags [DF], proto TCP (6), length 60) 172.28.40.5.43427 > 172.28.35.18.22: Flags [s], cksum 0x514c (correct), seq 1353295268, win 13800, options [mss 1368,sackOK,TS val 1211839 ecr 0,nop,wscale 6], length 0 0x0000: 4500 003c d81b 4000 4006 bf50 ac1c 2805 E..<..@.@..P..(. 0x0010: ac1c 2312 a9a3 0016 50a9 a5a4 0000 0000 ..#.....P....... 0x0020: a002 35e8 514c 0000 0204 0558 0402 080a ..5.QL.....X.... 0x0030: 0012 7dbf 0000 0000 0103 0306 ..}......... 11:55:56.890300 IP (tos 0x0, ttl 64, id 55324, offset 0, flags [DF], proto TCP (6), length 60) 172.28.40.5.43427 > 172.28.35.18.22: Flags [s], cksum 0x50e8 (correct), seq 1353295268, win 13800, options [mss 1368,sackOK,TS val 1211939 ecr 0,nop,wscale 6], length 0 0x0000: 4500 003c d81c 4000 4006 bf4f ac1c 2805 E..<..@.@..O..(. 0x0010: ac1c 2312 a9a3 0016 50a9 a5a4 0000 0000 ..#.....P....... 0x0020: a002 35e8 50e8 0000 0204 0558 0402 080a ..5.P......X.... 0x0030: 0012 7e23 0000 0000 0103 0306 ..~#........ 11:55:59.003367 IP (tos 0x0, ttl 64, id 55325, offset 0, flags [DF], proto TCP (6), length 60) 172.28.40.5.43427 > 172.28.35.18.22: Flags [s], cksum 0x5020 (correct), seq 1353295268, win 13800, options [mss 1368,sackOK,TS val 1212139 ecr 0,nop,wscale 6], length 0 0x0000: 4500 003c d81d 4000 4006 bf4e ac1c 2805 E..<..@.@..N..(. 0x0010: ac1c 2312 a9a3 0016 50a9 a5a4 0000 0000 ..#.....P....... 0x0020: a002 35e8 5020 0000 0204 0558 0402 080a ..5.P......X.... 0x0030: 0012 7eeb 0000 0000 0103 0306 ..~......... 11:56:02.928908 IP (tos 0x0, ttl 64, id 55326, offset 0, flags [DF], proto TCP (6), length 60) 172.28.40.5.43427 > 172.28.35.18.22: Flags [s], cksum 0x4e8f (correct), seq 1353295268, win 13800, options [mss 1368,sackOK,TS val 1212540 ecr 0,nop,wscale 6], length 0 0x0000: 4500 003c d81e 4000 4006 bf4d ac1c 2805 E..<..@.@..M..(. 0x0010: ac1c 2312 a9a3 0016 50a9 a5a4 0000 0000 ..#.....P....... 0x0020: a002 35e8 4e8f 0000 0204 0558 0402 080a ..5.N......X.... 
0x0030: 0012 807c 0000 0000 0103 0306 ...|........ 11:56:11.409769 IP (tos 0x0, ttl 64, id 55327, offset 0, flags [DF], proto TCP (6), length 60) 172.28.40.5.43427 > 172.28.35.18.22: Flags [s], cksum 0x4b6d (correct), seq 1353295268, win 13800, options [mss 1368,sackOK,TS val 1213342 ecr 0,nop,wscale 6], length 0 0x0000: 4500 003c d81f 4000 4006 bf4c ac1c 2805 E..<..@.@..L..(. 0x0010: ac1c 2312 a9a3 0016 50a9 a5a4 0000 0000 ..#.....P....... 0x0020: a002 35e8 4b6d 0000 0204 0558 0402 080a ..5.Km.....X.... 0x0030: 0012 839e 0000 0000 0103 0306 ............ 11:56:26.956755 IP (tos 0x0, ttl 64, id 55328, offset 0, flags [DF], proto TCP (6), length 60) 172.28.40.5.43427 > 172.28.35.18.22: Flags [s], cksum 0x452b (correct), seq 1353295268, win 13800, options [mss 1368,sackOK,TS val 1214944 ecr 0,nop,wscale 6], length 0 0x0000: 4500 003c d820 4000 4006 bf4b ac1c 2805 E..<..@.@..K..(. 0x0010: ac1c 2312 a9a3 0016 50a9 a5a4 0000 0000 ..#.....P....... 0x0020: a002 35e8 452b 0000 0204 0558 0402 080a ..5.E+.....X.... 0x0030: 0012 89e0 0000 0000 0103 0306 ............ VPN server em0 (LAN) interface: [code] 11:55:55.938875 IP (tos 0x0, ttl 63, id 55323, offset 0, flags [DF], proto TCP (6), length 60) 172.28.40.5.43427 > 172.28.35.18.22: Flags [s], cksum 0x514c (correct), seq 1353295268, win 13800, options [mss 1368,sackOK,TS val 1211839 ecr 0,nop,wscale 6], length 0 0x0000: 4500 003c d81b 4000 3f06 c050 ac1c 2805 E..<..@.?..P..(. 0x0010: ac1c 2312 a9a3 0016 50a9 a5a4 0000 0000 ..#.....P....... 0x0020: a002 35e8 514c 0000 0204 0558 0402 080a ..5.QL.....X.... 0x0030: 0012 7dbf 0000 0000 0103 0306 ..}......... 11:55:56.890412 IP (tos 0x0, ttl 63, id 55324, offset 0, flags [DF], proto TCP (6), length 60) 172.28.40.5.43427 > 172.28.35.18.22: Flags [s], cksum 0x50e8 (correct), seq 1353295268, win 13800, options [mss 1368,sackOK,TS val 1211939 ecr 0,nop,wscale 6], length 0 0x0000: 4500 003c d81c 4000 3f06 c04f ac1c 2805 E..<..@.?..O..(. 
0x0010: ac1c 2312 a9a3 0016 50a9 a5a4 0000 0000 ..#.....P....... 0x0020: a002 35e8 50e8 0000 0204 0558 0402 080a ..5.P......X.... 0x0030: 0012 7e23 0000 0000 0103 0306 ..~#........ 11:55:59.003422 IP (tos 0x0, ttl 63, id 55325, offset 0, flags [DF], proto TCP (6), length 60) 172.28.40.5.43427 > 172.28.35.18.22: Flags [s], cksum 0x5020 (correct), seq 1353295268, win 13800, options [mss 1368,sackOK,TS val 1212139 ecr 0,nop,wscale 6], length 0 0x0000: 4500 003c d81d 4000 3f06 c04e ac1c 2805 E..<..@.?..N..(. 0x0010: ac1c 2312 a9a3 0016 50a9 a5a4 0000 0000 ..#.....P....... 0x0020: a002 35e8 5020 0000 0204 0558 0402 080a ..5.P......X.... 0x0030: 0012 7eeb 0000 0000 0103 0306 ..~......... 11:56:02.928970 IP (tos 0x0, ttl 63, id 55326, offset 0, flags [DF], proto TCP (6), length 60) 172.28.40.5.43427 > 172.28.35.18.22: Flags [s], cksum 0x4e8f (correct), seq 1353295268, win 13800, options [mss 1368,sackOK,TS val 1212540 ecr 0,nop,wscale 6], length 0 0x0000: 4500 003c d81e 4000 3f06 c04d ac1c 2805 E..<..@.?..M..(. 0x0010: ac1c 2312 a9a3 0016 50a9 a5a4 0000 0000 ..#.....P....... 0x0020: a002 35e8 4e8f 0000 0204 0558 0402 080a ..5.N......X.... 0x0030: 0012 807c 0000 0000 0103 0306 ...|........ 11:56:11.409834 IP (tos 0x0, ttl 63, id 55327, offset 0, flags [DF], proto TCP (6), length 60) 172.28.40.5.43427 > 172.28.35.18.22: Flags [s], cksum 0x4b6d (correct), seq 1353295268, win 13800, options [mss 1368,sackOK,TS val 1213342 ecr 0,nop,wscale 6], length 0 0x0000: 4500 003c d81f 4000 3f06 c04c ac1c 2805 E..<..@.?..L..(. 0x0010: ac1c 2312 a9a3 0016 50a9 a5a4 0000 0000 ..#.....P....... 0x0020: a002 35e8 4b6d 0000 0204 0558 0402 080a ..5.Km.....X.... 0x0030: 0012 839e 0000 0000 0103 0306 ............ 
11:56:26.956893 IP (tos 0x0, ttl 63, id 55328, offset 0, flags [DF], proto TCP (6), length 60) 172.28.40.5.43427 > 172.28.35.18.22: Flags [s], cksum 0x452b (correct), seq 1353295268, win 13800, options [mss 1368,sackOK,TS val 1214944 ecr 0,nop,wscale 6], length 0 0x0000: 4500 003c d820 4000 3f06 c04b ac1c 2805 E..<..@.?..K..(. 0x0010: ac1c 2312 a9a3 0016 50a9 a5a4 0000 0000 ..#.....P....... 0x0020: a002 35e8 452b 0000 0204 0558 0402 080a ..5.E+.....X.... 0x0030: 0012 89e0 0000 0000 0103 0306 ............ Gateway/Firewall pfSense LAN interface: [code] 11:55:55.936646 IP (tos 0x0, ttl 64, id 1094, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0x05f8 (correct), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1211839], length 0 0x0000: 4500 003c 0446 4000 4006 9326 ac1c 2312 E..<.F@.@..&..#. 0x0010: ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5 ..(......YVxP... 0x0020: a012 ffff 05f8 0000 0204 0558 0103 0306 ...........X.... 0x0030: 0402 080a bd60 5df9 0012 7dbf .....`]...}. 11:55:56.888231 IP (tos 0x0, ttl 64, id 1095, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0x0594 (correct), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1211939], length 0 0x0000: 4500 003c 0447 4000 4006 9325 ac1c 2312 E..<.G@.@..%..#. 0x0010: ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5 ..(......YVxP... 0x0020: a012 ffff 0594 0000 0204 0558 0103 0306 ...........X.... 0x0030: 0402 080a bd60 5df9 0012 7e23 .....`]...~# 11:55:59.001283 IP (tos 0x0, ttl 64, id 1096, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0x04cc (correct), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1212139], length 0 0x0000: 4500 003c 0448 4000 4006 9324 ac1c 2312 E..<.H@.@..$..#. 
0x0010: ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5 ..(......YVxP... 0x0020: a012 ffff 04cc 0000 0204 0558 0103 0306 ...........X.... 0x0030: 0402 080a bd60 5df9 0012 7eeb .....`]...~. 11:56:02.046432 IP (tos 0x0, ttl 64, id 1097, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0x04cc (correct), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1212139], length 0 0x0000: 4500 003c 0449 4000 4006 9323 ac1c 2312 E..<.I@.@..#..#. 0x0010: ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5 ..(......YVxP... 0x0020: a012 ffff 04cc 0000 0204 0558 0103 0306 ...........X.... 0x0030: 0402 080a bd60 5df9 0012 7eeb .....`]...~. 11:56:02.926931 IP (tos 0x0, ttl 64, id 1098, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0x033b (correct), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1212540], length 0 0x0000: 4500 003c 044a 4000 4006 9322 ac1c 2312 E..<.J@.@.."..#. 0x0010: ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5 ..(......YVxP... 0x0020: a012 ffff 033b 0000 0204 0558 0103 0306 .....;.....X.... 0x0030: 0402 080a bd60 5df9 0012 807c .....`]....| 11:56:05.934475 IP (tos 0x0, ttl 64, id 1099, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0x033b (correct), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1212540], length 0 0x0000: 4500 003c 044b 4000 4006 9321 ac1c 2312 E..<.K@.@..!..#. 0x0010: ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5 ..(......YVxP... 0x0020: a012 ffff 033b 0000 0204 0558 0103 0306 .....;.....X.... 
0x0030: 0402 080a bd60 5df9 0012 807c .....`]....| 11:56:08.956762 IP (tos 0x0, ttl 64, id 1100, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0x033b (correct), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1212540], length 0 0x0000: 4500 003c 044c 4000 4006 9320 ac1c 2312 E..<.L@.@.....#. 0x0010: ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5 ..(......YVxP... 0x0020: a012 ffff 033b 0000 0204 0558 0103 0306 .....;.....X.... 0x0030: 0402 080a bd60 5df9 0012 807c .....`]....| 11:56:11.407745 IP (tos 0x0, ttl 64, id 1101, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0x0019 (correct), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1213342], length 0 0x0000: 4500 003c 044d 4000 4006 931f ac1c 2312 E..<.M@.@.....#. 0x0010: ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5 ..(......YVxP... 0x0020: a012 ffff 0019 0000 0204 0558 0103 0306 ...........X.... 0x0030: 0402 080a bd60 5df9 0012 839e .....`]..... 11:56:14.415042 IP (tos 0x0, ttl 64, id 1102, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0x0019 (correct), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1213342], length 0 0x0000: 4500 003c 044e 4000 4006 931e ac1c 2312 E..<.N@.@.....#. 0x0010: ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5 ..(......YVxP... 0x0020: a012 ffff 0019 0000 0204 0558 0103 0306 ...........X.... 0x0030: 0402 080a bd60 5df9 0012 839e .....`]..... 
11:56:17.454567 IP (tos 0x0, ttl 64, id 1103, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0x0019 (correct), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1213342], length 0 0x0000: 4500 003c 044f 4000 4006 931d ac1c 2312 E..<.O@.@.....#. 0x0010: ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5 ..(......YVxP... 0x0020: a012 ffff 0019 0000 0204 0558 0103 0306 ...........X.... 0x0030: 0402 080a bd60 5df9 0012 839e .....`]..... 11:56:20.463998 IP (tos 0x0, ttl 64, id 1104, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0x0019 (correct), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1213342], length 0 0x0000: 4500 003c 0450 4000 4006 931c ac1c 2312 E..<.P@.@.....#. 0x0010: ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5 ..(......YVxP... 0x0020: a012 ffff 0019 0000 0204 0558 0103 0306 ...........X.... 0x0030: 0402 080a bd60 5df9 0012 839e .....`]..... 11:56:26.954802 IP (tos 0x0, ttl 64, id 1105, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0x512d (correct), seq 867908164, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 538876855 ecr 1214944], length 0 0x0000: 4500 003c 0451 4000 4006 931b ac1c 2312 E..<.Q@.@.....#. 0x0010: ac1c 2805 0016 a9a3 33bb 3a44 50a9 a5a5 ..(.....3.:DP... 0x0020: a012 ffff 512d 0000 0204 0558 0103 0306 ....Q-.....X.... 0x0030: 0402 080a 201e 9bb7 0012 89e0 ............ 11:56:29.972341 IP (tos 0x0, ttl 64, id 1107, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0x512d (correct), seq 867908164, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 538876855 ecr 1214944], length 0 0x0000: 4500 003c 0453 4000 4006 9319 ac1c 2312 E..<.S@.@.....#. 
0x0010: ac1c 2805 0016 a9a3 33bb 3a44 50a9 a5a5 ..(.....3.:DP... 0x0020: a012 ffff 512d 0000 0204 0558 0103 0306 ....Q-.....X.... 0x0030: 0402 080a 201e 9bb7 0012 89e0 ............ 11:56:32.980636 IP (tos 0x0, ttl 64, id 1108, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0x512d (correct), seq 867908164, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 538876855 ecr 1214944], length 0 0x0000: 4500 003c 0454 4000 4006 9318 ac1c 2312 E..<.T@.@.....#. 0x0010: ac1c 2805 0016 a9a3 33bb 3a44 50a9 a5a5 ..(.....3.:DP... 0x0020: a012 ffff 512d 0000 0204 0558 0103 0306 ....Q-.....X.... 0x0030: 0402 080a 201e 9bb7 0012 89e0 ............ 11:56:35.990430 IP (tos 0x0, ttl 64, id 1109, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0x512d (correct), seq 867908164, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 538876855 ecr 1214944], length 0 0x0000: 4500 003c 0455 4000 4006 9317 ac1c 2312 E..<.U@.@.....#. 0x0010: ac1c 2805 0016 a9a3 33bb 3a44 50a9 a5a5 ..(.....3.:DP... 0x0020: a012 ffff 512d 0000 0204 0558 0103 0306 ....Q-.....X.... 0x0030: 0402 080a 201e 9bb7 0012 89e0 ............ [/code] Test/SSH server em0 (LAN) interface: [code] 10:55:55.933307 IP (tos 0x0, ttl 63, id 55323, offset 0, flags [DF], proto TCP (6), length 60) 172.28.40.5.43427 > 172.28.35.18.22: Flags [s], cksum 0x514c (correct), seq 1353295268, win 13800, options [mss 1368,sackOK,TS val 1211839 ecr 0,nop,wscale 6], length 0 0x0000: 4500 003c d81b 4000 3f06 c050 ac1c 2805 E..<..@.?..P..(. 0x0010: ac1c 2312 a9a3 0016 50a9 a5a4 0000 0000 ..#.....P....... 0x0020: a002 35e8 514c 0000 0204 0558 0402 080a ..5.QL.....X.... 0x0030: 0012 7dbf 0000 0000 0103 0306 ..}......... 
10:55:55.933377 IP (tos 0x0, ttl 64, id 1094, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0xa37e (incorrect -> 0x05f8), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1211839], length 0 0x0000: 4500 003c 0446 4000 4006 9326 ac1c 2312 E..<.F@.@..&..#. 0x0010: ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5 ..(......YVxP... 0x0020: a012 ffff a37e 0000 0204 0558 0103 0306 .....~.....X.... 0x0030: 0402 080a bd60 5df9 0012 7dbf .....`]...}. 10:55:56.884846 IP (tos 0x0, ttl 63, id 55324, offset 0, flags [DF], proto TCP (6), length 60) 172.28.40.5.43427 > 172.28.35.18.22: Flags [s], cksum 0x50e8 (correct), seq 1353295268, win 13800, options [mss 1368,sackOK,TS val 1211939 ecr 0,nop,wscale 6], length 0 0x0000: 4500 003c d81c 4000 3f06 c04f ac1c 2805 E..<..@.?..O..(. 0x0010: ac1c 2312 a9a3 0016 50a9 a5a4 0000 0000 ..#.....P....... 0x0020: a002 35e8 50e8 0000 0204 0558 0402 080a ..5.P......X.... 0x0030: 0012 7e23 0000 0000 0103 0306 ..~#........ 10:55:56.884901 IP (tos 0x0, ttl 64, id 1095, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0xa37e (incorrect -> 0x0594), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1211939], length 0 0x0000: 4500 003c 0447 4000 4006 9325 ac1c 2312 E..<.G@.@..%..#. 0x0010: ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5 ..(......YVxP... 0x0020: a012 ffff a37e 0000 0204 0558 0103 0306 .....~.....X.... 0x0030: 0402 080a bd60 5df9 0012 7e23 .....`]...~# 10:55:58.997894 IP (tos 0x0, ttl 63, id 55325, offset 0, flags [DF], proto TCP (6), length 60) 172.28.40.5.43427 > 172.28.35.18.22: Flags [s], cksum 0x5020 (correct), seq 1353295268, win 13800, options [mss 1368,sackOK,TS val 1212139 ecr 0,nop,wscale 6], length 0 0x0000: 4500 003c d81d 4000 3f06 c04e ac1c 2805 E..<..@.?..N..(. 0x0010: ac1c 2312 a9a3 0016 50a9 a5a4 0000 0000 ..#.....P....... 
0x0020: a002 35e8 5020 0000 0204 0558 0402 080a ..5.P......X.... 0x0030: 0012 7eeb 0000 0000 0103 0306 ..~......... 10:55:58.997963 IP (tos 0x0, ttl 64, id 1096, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0xa37e (incorrect -> 0x04cc), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1212139], length 0 0x0000: 4500 003c 0448 4000 4006 9324 ac1c 2312 E..<.H@.@..$..#. 0x0010: ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5 ..(......YVxP... 0x0020: a012 ffff a37e 0000 0204 0558 0103 0306 .....~.....X.... 0x0030: 0402 080a bd60 5df9 0012 7eeb .....`]...~. 10:56:02.043180 IP (tos 0x0, ttl 64, id 1097, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0xa37e (incorrect -> 0x04cc), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1212139], length 0 0x0000: 4500 003c 0449 4000 4006 9323 ac1c 2312 E..<.I@.@..#..#. 0x0010: ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5 ..(......YVxP... 0x0020: a012 ffff a37e 0000 0204 0558 0103 0306 .....~.....X.... 0x0030: 0402 080a bd60 5df9 0012 7eeb .....`]...~. 10:56:02.923502 IP (tos 0x0, ttl 63, id 55326, offset 0, flags [DF], proto TCP (6), length 60) 172.28.40.5.43427 > 172.28.35.18.22: Flags [s], cksum 0x4e8f (correct), seq 1353295268, win 13800, options [mss 1368,sackOK,TS val 1212540 ecr 0,nop,wscale 6], length 0 0x0000: 4500 003c d81e 4000 3f06 c04d ac1c 2805 E..<..@.?..M..(. 0x0010: ac1c 2312 a9a3 0016 50a9 a5a4 0000 0000 ..#.....P....... 0x0020: a002 35e8 4e8f 0000 0204 0558 0402 080a ..5.N......X.... 0x0030: 0012 807c 0000 0000 0103 0306 ...|........ 
10:56:02.923560 IP (tos 0x0, ttl 64, id 1098, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0xa37e (incorrect -> 0x033b), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1212540], length 0 0x0000: 4500 003c 044a 4000 4006 9322 ac1c 2312 E..<.J@.@.."..#. 0x0000: 4500 003c 044a 4000 4006 9322 ac1c 2312 E..<.J@.@.."..#. 0x0010: ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5 ..(......YVxP... 0x0020: a012 ffff a37e 0000 0204 0558 0103 0306 .....~.....X.... 0x0030: 0402 080a bd60 5df9 0012 807c .....`]....| 10:56:05.931173 IP (tos 0x0, ttl 64, id 1099, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0xa37e (incorrect -> 0x033b), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1212540], length 0 0x0000: 4500 003c 044b 4000 4006 9321 ac1c 2312 E..<.K@.@..!..#. 0x0010: ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5 ..(......YVxP... 0x0020: a012 ffff a37e 0000 0204 0558 0103 0306 .....~.....X.... 0x0030: 0402 080a bd60 5df9 0012 807c .....`]....| 10:56:08.953410 IP (tos 0x0, ttl 64, id 1100, offset 0, flags [DF], proto TCP (6), length 60) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0xa37e (incorrect -> 0x033b), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1212540], length 0 0x0000: 4500 003c 044c 4000 4006 9320 ac1c 2312 E..<.L@.@.....#. 0x0010: ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5 ..(......YVxP... 0x0020: a012 ffff a37e 0000 0204 0558 0103 0306 .....~.....X.... 
```
        0x0030:  0402 080a bd60 5df9 0012 807c            .....`]....|
10:56:11.404377 IP (tos 0x0, ttl 63, id 55327, offset 0, flags [DF], proto TCP (6), length 60)
    172.28.40.5.43427 > 172.28.35.18.22: Flags [S], cksum 0x4b6d (correct), seq 1353295268, win 13800, options [mss 1368,sackOK,TS val 1213342 ecr 0,nop,wscale 6], length 0
        0x0000:  4500 003c d81f 4000 3f06 c04c ac1c 2805  E..<..@.?..L..(.
        0x0010:  ac1c 2312 a9a3 0016 50a9 a5a4 0000 0000  ..#.....P.......
        0x0020:  a002 35e8 4b6d 0000 0204 0558 0402 080a  ..5.Km.....X....
        0x0030:  0012 839e 0000 0000 0103 0306            ............
10:56:11.404443 IP (tos 0x0, ttl 64, id 1101, offset 0, flags [DF], proto TCP (6), length 60)
    172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0xa37e (incorrect -> 0x0019), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1213342], length 0
        0x0000:  4500 003c 044d 4000 4006 931f ac1c 2312  E..<.M@.@.....#.
        0x0010:  ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5  ..(......YVxP...
        0x0020:  a012 ffff a37e 0000 0204 0558 0103 0306  .....~.....X....
        0x0030:  0402 080a bd60 5df9 0012 839e            .....`].....
10:56:14.411695 IP (tos 0x0, ttl 64, id 1102, offset 0, flags [DF], proto TCP (6), length 60)
    172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0xa37e (incorrect -> 0x0019), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1213342], length 0
        0x0000:  4500 003c 044e 4000 4006 931e ac1c 2312  E..<.N@.@.....#.
        0x0010:  ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5  ..(......YVxP...
        0x0020:  a012 ffff a37e 0000 0204 0558 0103 0306  .....~.....X....
        0x0030:  0402 080a bd60 5df9 0012 839e            .....`].....
10:56:17.451399 IP (tos 0x0, ttl 64, id 1103, offset 0, flags [DF], proto TCP (6), length 60)
    172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0xa37e (incorrect -> 0x0019), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1213342], length 0
        0x0000:  4500 003c 044f 4000 4006 931d ac1c 2312  E..<.O@.@.....#.
        0x0010:  ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5  ..(......YVxP...
        0x0020:  a012 ffff a37e 0000 0204 0558 0103 0306  .....~.....X....
        0x0030:  0402 080a bd60 5df9 0012 839e            .....`].....
10:56:20.460701 IP (tos 0x0, ttl 64, id 1104, offset 0, flags [DF], proto TCP (6), length 60)
    172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0xa37e (incorrect -> 0x0019), seq 257513080, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 3177209337 ecr 1213342], length 0
        0x0000:  4500 003c 0450 4000 4006 931c ac1c 2312  E..<.P@.@.....#.
        0x0010:  ac1c 2805 0016 a9a3 0f59 5678 50a9 a5a5  ..(......YVxP...
        0x0020:  a012 ffff a37e 0000 0204 0558 0103 0306  .....~.....X....
        0x0030:  0402 080a bd60 5df9 0012 839e            .....`].....
10:56:26.951490 IP (tos 0x0, ttl 63, id 55328, offset 0, flags [DF], proto TCP (6), length 60)
    172.28.40.5.43427 > 172.28.35.18.22: Flags [S], cksum 0x452b (correct), seq 1353295268, win 13800, options [mss 1368,sackOK,TS val 1214944 ecr 0,nop,wscale 6], length 0
        0x0000:  4500 003c d820 4000 3f06 c04b ac1c 2805  E..<..@.?..K..(.
        0x0010:  ac1c 2312 a9a3 0016 50a9 a5a4 0000 0000  ..#.....P.......
        0x0020:  a002 35e8 452b 0000 0204 0558 0402 080a  ..5.E+.....X....
        0x0030:  0012 89e0 0000 0000 0103 0306            ............
10:56:26.951555 IP (tos 0x0, ttl 64, id 1105, offset 0, flags [DF], proto TCP (6), length 60)
    172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0xa37e (incorrect -> 0x512d), seq 867908164, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 538876855 ecr 1214944], length 0
        0x0000:  4500 003c 0451 4000 4006 931b ac1c 2312  E..<.Q@.@.....#.
        0x0010:  ac1c 2805 0016 a9a3 33bb 3a44 50a9 a5a5  ..(.....3.:DP...
        0x0020:  a012 ffff a37e 0000 0204 0558 0103 0306  .....~.....X....
        0x0030:  0402 080a 201e 9bb7 0012 89e0            ............
10:56:29.969098 IP (tos 0x0, ttl 64, id 1107, offset 0, flags [DF], proto TCP (6), length 60)
    172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0xa37e (incorrect -> 0x512d), seq 867908164, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 538876855 ecr 1214944], length 0
        0x0000:  4500 003c 0453 4000 4006 9319 ac1c 2312  E..<.S@.@.....#.
        0x0010:  ac1c 2805 0016 a9a3 33bb 3a44 50a9 a5a5  ..(.....3.:DP...
        0x0020:  a012 ffff a37e 0000 0204 0558 0103 0306  .....~.....X....
        0x0030:  0402 080a 201e 9bb7 0012 89e0            ............
10:56:32.977391 IP (tos 0x0, ttl 64, id 1108, offset 0, flags [DF], proto TCP (6), length 60)
    172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0xa37e (incorrect -> 0x512d), seq 867908164, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 538876855 ecr 1214944], length 0
        0x0000:  4500 003c 0454 4000 4006 9318 ac1c 2312  E..<.T@.@.....#.
        0x0010:  ac1c 2805 0016 a9a3 33bb 3a44 50a9 a5a5  ..(.....3.:DP...
        0x0020:  a012 ffff a37e 0000 0204 0558 0103 0306  .....~.....X....
        0x0030:  0402 080a 201e 9bb7 0012 89e0            ............
10:56:35.987159 IP (tos 0x0, ttl 64, id 1109, offset 0, flags [DF], proto TCP (6), length 60)
    172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0xa37e (incorrect -> 0x512d), seq 867908164, ack 1353295269, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val 538876855 ecr 1214944], length 0
        0x0000:  4500 003c 0455 4000 4006 9317 ac1c 2312  E..<.U@.@.....#.
        0x0010:  ac1c 2805 0016 a9a3 33bb 3a44 50a9 a5a5  ..(.....3.:DP...
        0x0020:  a012 ffff a37e 0000 0204 0558 0103 0306  .....~.....X....
        0x0030:  0402 080a 201e 9bb7 0012 89e0            ............
```
Thanks for taking a look, guys! I really appreciate it.
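Reading dumps like the ones above by eye is error-prone, so here is an added Python example (not code from the original post) that parses tcpdump -v summary lines, groups them per connection and reports which leg of the three-way handshake is missing. The sample lines are constructed: endpoints follow the thread's two flows, while sequence numbers and checksum values are made up.

```python
import re
# Constructed sample in the "tcpdump -v" style quoted in the thread; endpoints mirror
# the thread's two flows, sequence numbers and checksum values are made up.
SAMPLE = """\
10:56:11.404377 IP (tos 0x0, ttl 63) 172.28.40.5.43427 > 172.28.35.18.22: Flags [S], cksum 0x4b6d (correct), seq 100, win 13800, length 0
10:56:11.404443 IP (tos 0x0, ttl 64) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0xa37e (incorrect -> 0x0019), seq 500, ack 101, win 65535, length 0
10:56:14.411695 IP (tos 0x0, ttl 64) 172.28.35.18.22 > 172.28.40.5.43427: Flags [S.], cksum 0xa37e (incorrect -> 0x0019), seq 500, ack 101, win 65535, length 0
10:56:26.951490 IP (tos 0x0, ttl 63) 172.28.40.5.43427 > 172.28.35.18.22: Flags [S], cksum 0x452b (correct), seq 100, win 13800, length 0
23:35:54.621330 IP (tos 0x0, ttl 63) 172.28.40.5.51074 > 172.28.35.3.22: Flags [S], cksum 0x2c51 (correct), seq 200, win 13800, length 0
23:35:54.621368 IP (tos 0x0, ttl 64) 172.28.35.3.22 > 172.28.40.5.51074: Flags [S.], cksum 0xdf41 (correct), seq 600, ack 201, win 28960, length 0
23:35:54.660000 IP (tos 0x0, ttl 63) 172.28.40.5.51074 > 172.28.35.3.22: Flags [.], cksum 0x1a2b (correct), ack 601, win 216, length 0
"""
# One record: endpoints, TCP flags and tcpdump's optional checksum verdict.
LINE = re.compile(
    r"^\S+ IP .*?(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, cksum 0x[0-9a-f]+ \((?P<cksum>\w+)[^)]*\))?"
)

def analyze(text):
    # Per connection, keyed "client->server", count each handshake step.
    flows = {}
    for m in filter(None, map(LINE.match, text.splitlines())):
        fwd = f"{m['src']}:{m['sport']}->{m['dst']}:{m['dport']}"
        rev = f"{m['dst']}:{m['dport']}->{m['src']}:{m['sport']}"
        flags = m["flags"]
        # The SYN sender is the client; a SYN-ACK seen first is still keyed on the client.
        if rev in flows or (fwd not in flows and flags == "S."):
            key, from_client = rev, False
        else:
            key, from_client = fwd, True
        f = flows.setdefault(key, {"syn": 0, "synack": 0, "ack": 0, "bad_cksum": 0})
        if flags == "S":
            f["syn"] += 1
        elif flags == "S.":
            f["synack"] += 1
        elif from_client and "S" not in flags and "R" not in flags:
            f["ack"] += 1  # third step of the handshake (or later client data)
        f["bad_cksum"] += m["cksum"] == "incorrect"  # tcpdump's own verdict, counted
    return flows

def verdict(f):
    if f["syn"] and not f["synack"]:
        return "SYN reached the host, no SYN-ACK sent: look at the host itself"
    if f["synack"] and not f["ack"]:
        return f"SYN-ACK sent {f['synack']}x, never acknowledged: return path to the client fails"
    return "handshake completed" if f["ack"] else "no SYN observed"

for key, f in analyze(SAMPLE).items():
    print(key, f, "->", verdict(f))
```

On the sending host, tcpdump reporting a checksum as "incorrect" is usually TCP checksum offload (the NIC fills the checksum in after tcpdump copies the frame), so that counter is informational rather than proof of corruption.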
-
Test/SSH server em0 (LAN) interface:
172.28.40.5.43427 > 172.28.35.18.22: Flags [S],
The SYN is making it to the SSH server and there's no reply. pfSense is doing what it needs to do.
It also looks like something is mangling checksums.
What else is between pfSense and the test SSH server? Virtual environment or something? I'd stop looking at pfSense and look at your LAN environment.
-
Test/SSH server em0 (LAN) interface:
172.28.40.5.43427 > 172.28.35.18.22: Flags [S],
The SYN is making it to the SSH server and there's no reply. pfSense is doing what it needs to do.
It also looks like something is mangling checksums.
What else is between pfSense and the test SSH server? Virtual environment or something? I'd stop looking at pfSense and look at your LAN environment.
Thanks again for the reply.
This is exactly what's puzzling me. There's actually nothing between pfSense and the test SSH server aside from a Gigabit switch… On the LAN, everything works fine. It's only VPN clients that have this issue. And, as I'd mentioned, once I ping the server from the VPN client, everything works perfectly normally. What would pinging the server change?
I also tried to SSH to another system and got the same result. However, the same tcpdump command provided the following output:
```
23:35:54.621330 IP (tos 0x0, ttl 63, id 64751, offset 0, flags [DF], proto TCP (6), length 60)
    172.28.40.5.51074 > 172.28.35.3.22: Flags [S], cksum 0x2c51 (correct), seq 2048624374, win 13800, options [mss 1368,sackOK,TS val 2062873 ecr 0,nop,wscale 6], length 0
        0x0000:  4500 003c fcef 4000 3f06 9b8b ac1c 2805  E..<..@.?.....(.
        0x0010:  ac1c 2303 c782 0016 7a1b 86f6 0000 0000  ..#.....z.......
        0x0020:  a002 35e8 2c51 0000 0204 0558 0402 080a  ..5.,Q.....X....
        0x0030:  001f 7a19 0000 0000 0103 0306            ..z.........
23:35:54.621368 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.28.35.3.22 > 172.28.40.5.51074: Flags [S.], cksum 0xdf41 (correct), seq 2236258252, ack 2048624375, win 28960, options [mss 1460,sackOK,TS val 2225200 ecr 2062873,nop,wscale 7], length 0
        0x0000:  4500 003c 0000 4000 4006 977b ac1c 2303  E..<..@.@..{..#.
        0x0010:  ac1c 2805 0016 c782 854a 97cc 7a1b 86f7  ..(......J..z...
        0x0020:  a012 7120 df41 0000 0204 05b4 0402 080a  ..q..A..........
        0x0030:  0021 f430 001f 7a19 0103 0307            .!.0..z.....
23:35:55.313989 IP (tos 0x0, ttl 63, id 64752, offset 0, flags [DF], proto TCP (6), length 60)
    172.28.40.5.51074 > 172.28.35.3.22: Flags [S], cksum 0x2bed (correct), seq 2048624374, win 13800, options [mss 1368,sackOK,TS val 2062973 ecr 0,nop,wscale 6], length 0
        0x0000:  4500 003c fcf0 4000 3f06 9b8a ac1c 2805  E..<..@.?.....(.
        0x0010:  ac1c 2303 c782 0016 7a1b 86f6 0000 0000  ..#.....z.......
        0x0020:  a002 35e8 2bed 0000 0204 0558 0402 080a  ..5.+......X....
        0x0030:  001f 7a7d 0000 0000 0103 0306            ..z}........
23:35:55.314020 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.28.35.3.22 > 172.28.40.5.51074: Flags [S.], cksum 0xde94 (correct), seq 2236258252, ack 2048624375, win 28960, options [mss 1460,sackOK,TS val 2225373 ecr 2062873,nop,wscale 7], length 0
        0x0000:  4500 003c 0000 4000 4006 977b ac1c 2303  E..<..@.@..{..#.
        0x0010:  ac1c 2805 0016 c782 854a 97cc 7a1b 86f7  ..(......J..z...
        0x0020:  a012 7120 de94 0000 0204 05b4 0402 080a  ..q.............
        0x0030:  0021 f4dd 001f 7a19 0103 0307            .!....z.....
23:35:56.820451 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.28.35.3.22 > 172.28.40.5.51074: Flags [S.], cksum 0xdd1b (correct), seq 2236258252, ack 2048624375, win 28960, options [mss 1460,sackOK,TS val 2225750 ecr 2062873,nop,wscale 7], length 0
        0x0000:  4500 003c 0000 4000 4006 977b ac1c 2303  E..<..@.@..{..#.
        0x0010:  ac1c 2805 0016 c782 854a 97cc 7a1b 86f7  ..(......J..z...
        0x0020:  a012 7120 dd1b 0000 0204 05b4 0402 080a  ..q.............
        0x0030:  0021 f656 001f 7a19 0103 0307            .!.V..z.....
23:35:57.309465 IP (tos 0x0, ttl 63, id 64753, offset 0, flags [DF], proto TCP (6), length 60)
    172.28.40.5.51074 > 172.28.35.3.22: Flags [S], cksum 0x2b25 (correct), seq 2048624374, win 13800, options [mss 1368,sackOK,TS val 2063173 ecr 0,nop,wscale 6], length 0
        0x0000:  4500 003c fcf1 4000 3f06 9b89 ac1c 2805  E..<..@.?.....(.
        0x0010:  ac1c 2303 c782 0016 7a1b 86f6 0000 0000  ..#.....z.......
        0x0020:  a002 35e8 2b25 0000 0204 0558 0402 080a  ..5.+%.....X....
        0x0030:  001f 7b45 0000 0000 0103 0306            ..{E........
23:35:57.309497 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.28.35.3.22 > 172.28.40.5.51074: Flags [S.], cksum 0xdca1 (correct), seq 2236258252, ack 2048624375, win 28960, options [mss 1460,sackOK,TS val 2225872 ecr 2062873,nop,wscale 7], length 0
        0x0000:  4500 003c 0000 4000 4006 977b ac1c 2303  E..<..@.@..{..#.
        0x0010:  ac1c 2805 0016 c782 854a 97cc 7a1b 86f7  ..(......J..z...
        0x0020:  a012 7120 dca1 0000 0204 05b4 0402 080a  ..q.............
        0x0030:  0021 f6d0 001f 7a19 0103 0307            .!....z.....
```
-
No idea but since the SYN is going out to LAN, I'd look at something on the host. Maybe its local firewall or something. Maybe it's behaving differently for traffic originating outside its subnet.
-
Interesting… Thanks again for the reply.
I've also got some new and rather interesting updates for this. Any non-encrypted connections work just fine before pinging. So, all http, smtp, pop3, etc... services that are non-SSL or non-TLS work without any issue at all. What the hell is going on here? The further I look into this the more puzzled I become. It seems it is related to encrypted connections only.
-
What is the target host? Unplug it and test with something else.
-
Target host is the same host (172.28.35.18 - FreeBSD 10.1). I've removed it from the network and tried another host but I get the same result. Non-encrypted connections work fine while encrypted connections simply timeout (unless I ping the target first from the VPN client).
-
No idea.
-
Haha. You and me both! Perhaps the way I'm routing the traffic is incorrect? Should I not be using a static gateway/route from pfSense to do this? Perhaps viragomann's recommendation to use NAT instead might do the trick. I've tried to do that but I am unable to get it to route anything at all to the LAN. Or maybe it's just some settings somewhere… I'm completely stumped.
-
You don't understand. The SYN packet was going out the LAN and nothing was coming back.
Maybe you should diagram your network out for us.
What static gateway/route from pfSense?
-
I do understand that, actually. I'm just not sure why.
To diagram it out a little:
pfSense firewall/gateway is 172.28.35.1 which is forwarding OpenVPN connections to my internal VPN server on 172.28.35.22. I also have a gateway and static route on the pfSense server that forwards all traffic on 172.28.40.0/24 (VPN subnet) to the internal VPN server at 172.28.35.22. Without this static route, the VPN clients are unable to hit anything on the LAN.
I'm wondering if running OpenVPN on the firewall/gateway might be the better way to go. However, I cannot find any documentation on how to create certs/keys which are revocable without adding users. In other words, I'd like to continue using the "easy-rsa" style OpenVPN setup. According to the documentation I've found, I'd either need to create a user for each cert or a single, revocable CA (which would be silly if I have many users that don't want username/password auth (only certificate/key)).
Some people seem to have accomplished this but when I attempt the same, there are no revocable certs. Only the main CA. I'm going to keep playing around with it and see if I can't get it to work.
-
No. Make a diagram. I don't even want to read that and do the work of diagramming it myself.
See the diagram in my sig for the type of information necessary.
-
Ah. Gotcha. I'll have a diagram shortly.
-
Sorry for the delay. Got pretty busy at work. I've attached the diagram. It's a pretty simple setup.
-
Ok I don't understand at all. Where, exactly is the 172.28.40.0/24 subnet? On pfSense are you saying there's a route for 172.28.40.0/24 with a gateway of 172.28.35.22?
So when 172.28.35.5 needs to send traffic to 172.28.40.X it sends it to its default gateway, 172.28.35.1. That's where you get messed up because pfSense has to route the traffic back out the same interface it just received it on. That is unsound network design. Sometimes an ICMP redirect is issued telling 172.28.35.5 to send its traffic again but to 172.28.35.22 instead. The same holds true for the return traffic. It's all going to be sent back to pfSense and have to be routed back out the same interface it came in on.
It's not surprising to me that you're seeing strange things. I would redesign your network such that your VPN server is on a different network segment than all your clients, and when they send traffic out to their default gateway, it doesn't have to route back out the same interface to get to any destinations.
Or just let pfSense do it.