Netgate Discussion Forum
    Connecting pfSense to Multiple OpenVPN Client Instances Creates Traceroute Drops

OpenVPN · 2 Posts · 1 Posters · 725 Views
pfBlense

I have connected my pfSense box to two OpenVPN Servers. I route specific LAN IPs through specific OpenVPN servers. However, when I connect pfSense to both OpenVPN Servers, computers/devices routing through any of the OpenVPN servers would drop packets or services do not work or http requests would hang for a bit. Here is an example of traceroute/pings under both circumstances:

Single Connection to OpenVPN Server - Traceroute from LAN-Client IP

```text
 1  10.8.0.1 (10.8.0.1)  87.403 ms  86.146 ms  85.895 ms
 2  192.168.1.254 (192.168.1.254)  86.942 ms  86.806 ms  86.677 ms
 3  99._._.2 (99._._.2)  107.517 ms  107.918 ms  108.015 ms
 4  75.20.1.0 (75.20.1.0)  214.566 ms  108.796 ms  107.975 ms
 5  12.83.38.145 (12.83.38.145)  113.240 ms
    12.83.38.129 (12.83.38.129)  110.231 ms
    12.83.38.145 (12.83.38.145)  311.703 ms
 6  cr1.la2ca.ip.att.net (12.123.132.129)  204.962 ms  202.887 ms  108.571 ms
 7  * * *
 8  209.85.240.225 (209.85.240.225)  141.705 ms
    64.233.174.100 (64.233.174.100)  197.027 ms
    209.85.242.23 (209.85.242.23)  274.355 ms
 9  google-public-dns-a.google.com (8.8.8.8)  135.617 ms  168.050 ms  109.055 ms
```

Two Connections to OpenVPN Server - Traceroute from LAN-Client IP

```text
 1  * 10.8.0.1 (10.8.0.1)  86.313 ms *
 2  * * 192.168.1.254 (192.168.1.254)  90.782 ms
 3  * 99._._.2 (99._._.2)  110.192 ms *
 4  * 75.20.1.0 (75.20.1.0)  135.562 ms *
 5  * * 12.83.38.129 (12.83.38.129)  292.533 ms
 6  * * cr1.la2ca.ip.att.net (12.123.132.129)  126.212 ms
 7  * * *
 8  * * *
 9  * * google-public-dns-a.google.com (8.8.8.8)  121.876 ms
```

Single Connection to OpenVPN - 100 Pings to 8.8.8.8 from LAN-Client IP

```text
--- 8.8.8.8 ping statistics ---
100 packets transmitted, 100 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 106.729/158.429/540.726/78.707 ms
```

Two Connections to OpenVPN - 100 Pings to 8.8.8.8 from

Initial Attempt

```text
--- 8.8.8.8 ping statistics ---
100 packets transmitted, 0 packets received, 100.0% packet loss
```

Second Attempt

```text
--- 8.8.8.8 ping statistics ---
100 packets transmitted, 99 packets received, 1.0% packet loss
round-trip min/avg/max/stddev = 107.028/128.548/270.874/37.246 ms
```

Two Connections to OpenVPN Server - Traceroute from pfSense Box

```text
 1  10.8.0.1 (10.8.0.1)  82.837 ms  82.702 ms  83.306 ms
 2  192.168.1.254 (192.168.1.254)  188.795 ms  83.066 ms  83.194 ms
 3  99._._.2 (99._._.2)  105.057 ms  104.097 ms  104.683 ms
 4  75.20.1.0 (75.20.1.0)  107.061 ms  104.000 ms  105.557 ms
 5  12.83.38.145 (12.83.38.145)  210.801 ms
    12.83.38.129 (12.83.38.129)  216.573 ms
    12.83.38.145 (12.83.38.145)  207.713 ms
 6  cr1.la2ca.ip.att.net (12.123.132.129)  164.689 ms  196.122 ms  105.273 ms
 7  * * *
 8  209.85.240.225 (209.85.240.225)  105.919 ms
    209.85.242.21 (209.85.242.21)  128.159 ms  207.973 ms
 9  google-public-dns-a.google.com (8.8.8.8)  105.925 ms  106.250 ms  211.623 ms
```

As you can see, the traceroute from pfSense itself is fine when the pfSense box is connected to both OpenVPN servers. So it seems to have to do with something on the routing/ipTables end of things. Somehow, when pfSense is connected to both OpenVPN servers, packets start getting lost or something. The routing/ipTables works fine when only connected to one OpenVPN server, so I'm thinking my NAT and Firewall rules are fine. But here they are for your reference.

![Screen Shot 2015-05-09 at 12.10.13 PM.png](/public/imported_attachments/1/Screen Shot 2015-05-09 at 12.10.13 PM.png)
![Screen Shot 2015-05-09 at 12.09.40 PM.png](/public/imported_attachments/1/Screen Shot 2015-05-09 at 12.09.40 PM.png)

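The reasoning in the post above (loss visible from the LAN client at every hop starting with the VPN gateway, but none from pfSense itself) can be made mechanical. The following is an added example, not code from the original post or from pfSense: a small Python parser for the traceroute output quoted above that scores unanswered probes per hop, compares a healthy run against a suspect run, and reports whether new loss already begins at hop 1 (pointing at the local gateway's routing/NAT) or further upstream. The two sample traceroutes are copied from the post; the function names and the verdict strings are my own.

```python
import re
from dataclasses import dataclass

# LAN-client traceroute with pfSense connected to ONE OpenVPN server
# (copied from the post above; 99._._.2 is the poster's own redaction).
SINGLE_VPN = """
 1  10.8.0.1 (10.8.0.1)  87.403 ms  86.146 ms  85.895 ms
 2  192.168.1.254 (192.168.1.254)  86.942 ms  86.806 ms  86.677 ms
 3  99._._.2 (99._._.2)  107.517 ms  107.918 ms  108.015 ms
 4  75.20.1.0 (75.20.1.0)  214.566 ms  108.796 ms  107.975 ms
 5  12.83.38.145 (12.83.38.145)  113.240 ms
    12.83.38.129 (12.83.38.129)  110.231 ms
    12.83.38.145 (12.83.38.145)  311.703 ms
 6  cr1.la2ca.ip.att.net (12.123.132.129)  204.962 ms  202.887 ms  108.571 ms
 7  * * *
 8  209.85.240.225 (209.85.240.225)  141.705 ms
    64.233.174.100 (64.233.174.100)  197.027 ms
    209.85.242.23 (209.85.242.23)  274.355 ms
 9  google-public-dns-a.google.com (8.8.8.8)  135.617 ms  168.050 ms  109.055 ms
"""

# Same client with pfSense connected to BOTH OpenVPN servers (copied from the post).
DUAL_VPN = """
 1  * 10.8.0.1 (10.8.0.1)  86.313 ms *
 2  * * 192.168.1.254 (192.168.1.254)  90.782 ms
 3  * 99._._.2 (99._._.2)  110.192 ms *
 4  * 75.20.1.0 (75.20.1.0)  135.562 ms *
 5  * * 12.83.38.129 (12.83.38.129)  292.533 ms
 6  * * cr1.la2ca.ip.att.net (12.123.132.129)  126.212 ms
 7  * * *
 8  * * *
 9  * * google-public-dns-a.google.com (8.8.8.8)  121.876 ms
"""

HOP_RE = re.compile(r"^(\d+)\s+(.*)$")       # numbered line starts a hop
RTT_RE = re.compile(r"\d+(?:\.\d+)?\s*ms")   # one answered probe


@dataclass
class Hop:
    number: int
    received: int = 0
    lost: int = 0

    @property
    def loss(self) -> float:
        total = self.received + self.lost
        return self.lost / total if total else 0.0


def parse_traceroute(text: str) -> dict:
    """Map hop number -> Hop. Unnumbered continuation lines (a hop answered
    by several routers) are folded into the preceding numbered hop."""
    hops, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOP_RE.match(line)
        if m:
            current = Hop(int(m.group(1)))
            hops[current.number] = current
            body = m.group(2)
        elif current is None:
            continue                          # text before the first hop
        else:
            body = line
        current.received += len(RTT_RE.findall(body))
        current.lost += body.count("*")       # each "*" is one unanswered probe
    return hops


def total_loss(text: str) -> float:
    hops = parse_traceroute(text).values()
    lost = sum(h.lost for h in hops)
    sent = sum(h.lost + h.received for h in hops)
    return lost / sent if sent else 0.0


def hops_with_increased_loss(baseline: str, suspect: str) -> list:
    """Hops whose loss fraction is higher in `suspect` than in `baseline`.
    A hop silent in both runs (hop 7 above) is a router that never answers
    probes, not a fault, so it is not reported."""
    base = {n: h.loss for n, h in parse_traceroute(baseline).items()}
    sus = {n: h.loss for n, h in parse_traceroute(suspect).items()}
    return sorted(n for n, loss in sus.items() if loss > base.get(n, 0.0))


def localize(baseline: str, suspect: str) -> str:
    """New loss already at hop 1 (the VPN gateway itself) means packets are
    dropped on the local gateway (routing/NAT), not along the upstream path."""
    changed = hops_with_increased_loss(baseline, suspect)
    if not changed:
        return "no-new-loss"
    return "local-gateway" if changed[0] == 1 else f"upstream-hop-{changed[0]}"


if __name__ == "__main__":
    for name, run in (("single", SINGLE_VPN), ("dual", DUAL_VPN)):
        print(f"{name}: {total_loss(run):.0%} of probes lost")
    print("new loss at hops", hops_with_increased_loss(SINGLE_VPN, DUAL_VPN))
    print("verdict:", localize(SINGLE_VPN, DUAL_VPN))
```

On the two runs from the post this reports 11% loss for the single-VPN run (only the silent hop 7) against 74% for the dual-VPN run, with new loss at every answering hop from hop 1 onwards, which is the pattern of a fault on the gateway itself rather than at one upstream router.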
pfBlense

Update

So I just systematically went through my setup point by point. Here is what went wrong:

Under Interfaces -> (assign), the network port was wrongly assigned to one of the OpenVPN interfaces.

Under Firewall -> Rules -> LAN, my redirect rule for one of the OpenVPN interfaces didn't have the right Gateway.

Both of these should have pointed to the OpenVPN connection in question. But my Interface pointed to an extra ethernet port which is not connected, and my firewall was going through my "default" WAN interface.

I think what threw me off was that the connection sort of worked when they both were connected and completely worked when only one was connected. So I didn't immediately expect an Interface issue, although the Rules I picked up on pretty quick. Anyway… Hope this will help someone in the future. It was a minor issue but took me hours of headache.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.