Netgate Discussion Forum

    VPN rules not behaving as expected

    OpenVPN
    8 Posts 2 Posters 1.4k Views
    edooze:

      I have two site-to-site VPNs connecting to my main box.

      site a => site b
      site a => site c

      all sites have been able to ping each other and communicate - including site b => site c (via site a, of course).

      This morning I connected a SIP extension on a new roadwarrior setup I created. The roadwarrior could see all resources on all subnets, but for some reason audio wasn't working (SIP signaling worked fine, suggesting RTP traffic wasn't travelling where it needed to go). I have another roadwarrior setup on a tablet that works fine, and this roadwarrior setup has worked fine on another computer previously, so it should only be a matter of traffic.

      I looked at the firewall rules to see what might be causing the problem, and noticed that some outbound traffic was being blocked from one of the VPNs. Weird, since there was a rule for each VPN stating that all traffic in and out of all VPNs should be allowed. I had a problem in the past with something not working in pfSense, so I deleted and recreated the setting and everything worked fine again.

      I deleted all rules under OpenVPN and created one that should allow all traffic between all vpns, but now no traffic works at all.

      Find attached a screenshot of the rule.

      Can someone shed some light on what I'm not understanding here, please? I want everything to work through all VPNs, but as I don't see a way to attach a rule to a vpn setup/config, this one rule should operate for all vpns, right?

      Thanks in advance.
      Attachment: Selection_010.png
      Derelict (LAYER 8, Netgate):

        > I looked at the firewall rules to see what might be causing the problem, and noticed that some outbound traffic was being blocked from one of the VPNs. Weird, since there was a rule for each vpn stating that all traffic in and out of all vpns should be allowed. I had a problem in the past with something not working in pfsense, so I deleted and recreated the setting and everything worked fine again.

        What traffic was being blocked?

        The rules on the OpenVPN tab govern connections coming into the OpenVPN interface from the clients, not outbound.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        edooze:

          @Derelict:

          > The rules on the OpenVPN tab govern connections coming into the OpenVPN interface from the clients, not outbound.

          I see! Thanks for the clarity. I've added a couple of new rules below. Do you think this should now allow all OpenVPN communication to and from? Failing that, there's an option in Interfaces to assign an ID to each OpenVPN connection. I could do this, and then set up rules to and from in a similar way, don't you think? Not sure if you know whether this might break something else?

          The blocked traffic is on port 80, for a different server that functions almost correctly anyway, so I doubt it's causing the current issue, but I thought in principle this kind of thing might be why I'm having problems.

          Attachment: Selection_011.png
          Derelict (LAYER 8, Netgate):

            No. You need to understand this:

            https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

            edooze:

              @Derelict:

              > No. You need to understand this:
              >
              > https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

              Appreciated, I will read the link carefully to understand what's happening there.

              Considering there is no firewall record for blocking the RTP traffic, however, might you know how I could resolve the issue of the OpenVPN not passing RTP media traffic when used on a separate computer? There is no firewall in Lubuntu from what I can tell, so the machine should not be blocking the traffic itself, and I cannot see a rule that would disallow the traffic…

              Thanks.

              Derelict (LAYER 8, Netgate):

                If the traffic is being sent out the tunnel, any blocking is being done at the client end.

                pfSense filters traffic as it enters the firewall. So if you have a SIP server on LAN, rules passing traffic from the SIP server into pfSense will be on LAN. After the traffic enters the firewall, it can freely leave on any destination interface, including being sent into OpenVPN.

                If the traffic is being blocked, there should be logs to that effect.

                I use SIP over OpenVPN every day. Didn't have to do anything special.

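Derelict's point, that a packet is judged only by the rules on the interface where it enters pfSense and that an unmatched packet hits the logged default deny, is easiest to see in a small model. The Python below is an added illustration for this thread, not pfSense or pf code; the interface names, subnets, addresses and rules are constructed, and it simplifies pf to first-match-wins per inbound interface with a logged default deny.

```python
"""Toy model of pfSense rule evaluation: one rule tab per interface, a packet is
matched only against the tab of the interface it ENTERS, first match wins, and
anything unmatched is dropped by the implicit default deny and logged.
Added example; interfaces, subnets, addresses and rules are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrives on (LAN, OpenVPN, WAN)
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    src: str = "any"        # CIDR or "any"
    dst: str = "any"        # CIDR or "any"
    proto: str = "any"
    dports: tuple = ()      # () = any port, else (low, high)

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst != "any" and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports and not (self.dports[0] <= pkt.dport <= self.dports[1]):
            return False
        return True


class Firewall:
    def __init__(self, rulesets: dict):
        # rulesets maps an interface name to its ordered rule list, like the GUI tabs.
        self.rulesets = rulesets
        self.log = []

    def filter(self, pkt: Packet) -> str:
        # Only the inbound interface's tab is consulted; rules on other tabs,
        # including the OpenVPN tab for LAN-originated traffic, are irrelevant.
        for rule in self.rulesets.get(pkt.in_iface, []):
            if rule.matches(pkt):
                return rule.action
        # Implicit default deny, logged the way the firewall log view would show it.
        self.log.append(
            f"block {pkt.in_iface} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport} (default deny)"
        )
        return "block"


LAN_NET = "192.168.1.0/24"   # constructed
VPN_NET = "10.8.0.0/24"      # constructed tunnel subnet


def build_firewall() -> Firewall:
    return Firewall({
        "LAN": [Rule("pass", src=LAN_NET)],                # the usual "LAN net to any"
        "OpenVPN": [Rule("pass", src=VPN_NET, dst=LAN_NET)],  # clients may reach LAN only
        "WAN": [],                                         # nothing unsolicited from WAN
    })


def demo():
    """Run four packets through the model and return (decisions, block log)."""
    fw = build_firewall()
    results = {
        # RTP from the LAN SIP server to a road-warrior client: decided by the LAN tab,
        # even though no OpenVPN-tab rule mentions traffic towards the tunnel.
        "rtp_lan_to_vpn": fw.filter(Packet("LAN", "192.168.1.10", "10.8.0.6", "udp", 10000)),
        # SIP from the road warrior into LAN: decided by the OpenVPN tab.
        "sip_vpn_to_lan": fw.filter(Packet("OpenVPN", "10.8.0.6", "192.168.1.10", "udp", 5060)),
        # A client trying to reach the Internet through the tunnel: no OpenVPN rule
        # matches, so it is blocked and a log line appears, as Derelict says it should.
        "vpn_to_internet": fw.filter(Packet("OpenVPN", "10.8.0.6", "203.0.113.7", "tcp", 80)),
        # Unsolicited inbound from WAN: empty tab, default deny.
        "wan_inbound": fw.filter(Packet("WAN", "198.51.100.9", "192.168.1.10", "tcp", 80)),
    }
    return results, fw.log


if __name__ == "__main__":
    decisions, log = demo()
    for name, verdict in decisions.items():
        print(f"{name:16} {verdict}")
    print("\n".join(log))
```

The single "OpenVPN" tab in the model stands for the group tab that applies to every OpenVPN instance; assigning an OpenVPN instance as an interface, as edooze considers above, gives that instance its own tab, but the evaluation rule stays the same: only the inbound interface's tab decides.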
                edooze:

                  @Derelict:

                  > If the traffic is being sent out the tunnel, any blocking is being done at the client end.
                  >
                  > pfSense filters traffic as it enters the firewall. So if you have a SIP server on LAN, rules passing traffic from the SIP server into pfSense will be on LAN. After the traffic enters the firewall, it can freely leave on any destination interface, including being sent into OpenVPN.
                  >
                  > If the traffic is being blocked, there should be logs to that effect.
                  >
                  > I use SIP over OpenVPN every day. Didn't have to do anything special.

                  Thanks. I thought that would be the case, but sometimes when you stare at something too long you wonder if you're missing something obvious. I'll start swapping out programs - including the softphone - to see if maybe I have a buggy install of something like that.

                  Mucho appreciado, when I find the answer I'll post back to resolve this thread.

                  edooze:

                    After performing a series of packet captures and CLI debugs, it turns out the phone system is actually sending the RTP traffic to the local IP instead of the VPN-allocated IP. No problem with pfSense at all. Thanks again for your help; at least I know my setup is working fine.

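The root cause edooze found (the phone advertising its local address for RTP rather than the tunnel-assigned one) shows up in a capture as a mismatch between the address in the INVITE's SDP and the tunnel subnet. The Python below is an added diagnostic for this thread, not anything from the original posts; the sample INVITE, the 10.8.0.0/24 tunnel subnet and every address in it are constructed.

```python
"""Flag SIP INVITEs whose SDP advertises an RTP address that is not on the VPN
tunnel, the symptom behind "signaling works, audio does not" in this thread.
Added example; the INVITE, subnet and addresses are constructed."""
import ipaddress
import re

# Constructed road-warrior INVITE: signaling comes from the tunnel address
# (Via header), but the SDP advertises the softphone's local LAN address.
SAMPLE_INVITE = (
    "INVITE sip:200@192.168.1.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.8.0.6:5060;branch=z9hG4bK-77\r\n"
    "From: <sip:201@192.168.1.10>;tag=a1\r\n"
    "To: <sip:200@192.168.1.10>\r\n"
    "Call-ID: 4f1c@10.8.0.6\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.50.20\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.50.20\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
    "a=sendrecv\r\n"
)


def via_host(headers: str):
    """Host from the topmost Via header, i.e. where signaling actually came from."""
    m = re.search(r"^Via:\s*SIP/2\.0/\w+\s+([^;:\s]+)", headers, re.M)
    return m.group(1) if m else None


def media_endpoints(sdp: str):
    """Return [(media type, address, port)], applying the session-level c= line
    unless a media-level c= line follows the m= line and overrides it.
    Unicast IPv4 only; no TTL/count suffixes are handled."""
    session_addr = None
    endpoints = []
    for line in sdp.splitlines():
        if line.startswith("c="):
            addr = line.split()[-1]
            if endpoints:                      # media-level override
                mtype, _, port = endpoints[-1]
                endpoints[-1] = (mtype, addr, port)
            else:                              # session-level default
                session_addr = addr
        elif line.startswith("m="):
            parts = line[2:].split()
            endpoints.append((parts[0], session_addr, int(parts[1])))
    return endpoints


def check_media(message: str, tunnel_net: str):
    """Compare each advertised media address with the tunnel subnet.
    verdict: "ok" if on the tunnel, "mismatch" if it is some other private
    address (RTP will go to an address the far end cannot reach), "public" otherwise."""
    headers, _, sdp = message.partition("\r\n\r\n")
    tunnel = ipaddress.ip_network(tunnel_net)
    signaling = via_host(headers)
    report = []
    for mtype, addr, port in media_endpoints(sdp):
        ip = ipaddress.ip_address(addr)
        if ip in tunnel:
            verdict = "ok"
        elif ip.is_private:
            verdict = "mismatch"
        else:
            verdict = "public"
        report.append({"media": mtype, "addr": addr, "port": port,
                       "signaling_addr": signaling, "verdict": verdict})
    return report


if __name__ == "__main__":
    for entry in check_media(SAMPLE_INVITE, "10.8.0.0/24"):
        print(f"{entry['media']} -> {entry['addr']}:{entry['port']} "
              f"(signaling from {entry['signaling_addr']}): {entry['verdict']}")
```

Feeding the SDP from a capture into check_media with the tunnel subnet is a faster first check than staring at firewall rules: a "mismatch" verdict means no pfSense rule could have fixed it, because the RTP was never addressed to the tunnel in the first place.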
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.