VPN rules not behaving as expected



  • I have two site-to-site VPNs connecting to my main box.

    site a => site b
    site a => site c

    all sites have been able to ping each other and communicate - including site b => site c (via site a, of course).

    this morning I connected a SIP extension on a new roadwarrior setup I created. roadwarrior could see all resources on all subnets, but for some reason, audio wasn't working (SIP signaling worked fine, suggesting RTP traffic wasn't travelling where it needed to go). I have another roadwarrior setup on a tablet that works fine, and this roadwarrior setup has worked fine on another computer previously, so it should only be a matter of traffic.

    I looked at the firewall rules to see what might be causing the problem, and noticed that some outbound traffic was being blocked from one of the VPNs. Weird, since there was a rule for each VPN stating that all traffic in and out of all VPNs should be allowed. I had a problem in the past with something not working in pfSense, so I deleted and recreated the setting and everything worked fine again.

    I deleted all rules under OpenVPN and created one that should allow all traffic between all vpns, but now no traffic works at all.

    Find attached a screenshot of the rule.

    Can someone shed some light on what I'm not understanding here, please? I want everything to work through all VPNs, but as I don't see a way to attach a rule to a vpn setup/config, this one rule should operate for all vpns, right?

    Thanks in advance.


  • Netgate

    I looked at the firewall rules to see what might be causing the problem, and noticed that some outbound traffic was being blocked from one of the VPNs. Weird, since there was a rule for each vpn stating that all traffic in and out of all vpns should be allowed. I had a problem in the past with something not working in pfsense, so I deleted and recreated the setting and everything worked fine again.

    What traffic was being blocked?

    The rules on the OpenVPN tab govern connections coming into the OpenVPN interface from the clients, not outbound.



  • @Derelict:

    The rules on the OpenVPN tab govern connections coming into the OpenVPN interface from the clients, not outbound.

    I see! Thanks for the clarity. I've added a couple of new rules below - do you think this should now allow all OpenVPN communication to and from? Failing that, there's an option in interfaces to assign an ID to each OpenVPN connection. I could do this, and then set up rules to and from in a similar way, don't you think? Not sure if you know whether this might break something else?

    The blocked traffic is on port 80, for a different server that functions almost correctly anyway, so I doubt it's causing the current issue, but I thought in principle this kind of thing might be why I'm having problems.



  • Netgate



  • @Derelict:

    No.  You need to understand this:

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

    Appreciated, I will read the link carefully to understand what's happening there.

    Considering there is no firewall record for blocking the RTP traffic, however, might you know how I could resolve the issue of the OpenVPN not passing RTP media traffic when used on a separate computer? There is no firewall in Lubuntu from what I can tell, so the machine should not be blocking the traffic itself, and I cannot see a rule that would disallow the traffic…

    Thanks.


  • Netgate

    If the traffic is being sent out the tunnel, any blocking is being done at the client end.

    pfSense filters traffic as it enters the firewall.  So if you have a SIP server on LAN, rules passing traffic from the SIP server into pfSense will be on LAN.  After the traffic enters the firewall, it can freely leave on any destination interface, including being sent into OpenVPN.

    If the traffic is being blocked, there should be logs to that effect.

    I use SIP over OpenVPN every day.  Didn't have to do anything special.
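    As an added example (not code from this thread or from pfSense), the check Derelict describes, looking in the firewall log for blocks, run over constructed pfSense filterlog lines. The CSV field order follows the pfSense filter log format; the interface names (ovpns1, ovpns2, igb1), addresses and the RTP port range are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed pfSense filterlog lines (syslog prefix stripped), all IPv4. Field order
# follows the pfSense filter log CSV format: rule,subrule,anchor,tracker,iface,reason,
# action,dir,ipver,tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst,sport,dport,...
SAMPLE_LOG = """\
5,,,1000000103,ovpns1,match,pass,in,4,0x0,,64,0,0,DF,17,udp,220,10.8.0.6,192.168.1.10,10002,5060,200
5,,,1000000103,ovpns1,match,pass,in,4,0x0,,64,0,0,DF,17,udp,200,10.8.0.6,192.168.1.10,7078,16384,180
7,,,1000000105,ovpns2,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,10.9.0.2,192.168.1.20,51234,80,0,S,1:1,,,
7,,,1000000105,ovpns2,match,block,in,4,0x0,,64,0,0,DF,17,udp,200,10.9.0.2,192.168.1.10,7078,16386,180
9,,,1000000101,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,200,192.168.1.10,10.8.0.6,16384,7078,180
"""

@dataclass
class FilterEntry:
    tracker: str          # rule tracker id (the matching rule in the GUI log)
    iface: str            # interface the packet entered: ovpnsN = OpenVPN server instance
    action: str           # pass / block
    direction: str        # pfSense filters on ingress, so this is normally "in"
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]

def parse_filterlog(line: str) -> Optional[FilterEntry]:
    """Parse one IPv4 filterlog CSV line; returns None for anything else."""
    f = line.strip().split(",")
    if len(f) < 20 or f[8] != "4":
        return None
    sport = dport = None
    if f[16] in ("tcp", "udp") and len(f) >= 22:
        sport, dport = int(f[20]), int(f[21])
    return FilterEntry(f[3], f[4], f[6], f[7], f[16], f[18], f[19], sport, dport)

def blocked_rtp(lines, rtp_range=(16384, 32767)):
    """Blocked UDP entries with either port inside the (assumed) RTP range."""
    lo, hi = rtp_range
    return [e for e in map(parse_filterlog, lines)
            if e and e.action == "block" and e.proto == "udp"
            and any(p is not None and lo <= p <= hi for p in (e.sport, e.dport))]

def blocks_by_interface(lines):
    """Count blocks per ingress interface: that is the tab whose rules apply."""
    counts = {}
    for e in map(parse_filterlog, lines):
        if e and e.action == "block":
            counts[e.iface] = counts.get(e.iface, 0) + 1
    return counts
```

    A block logged on igb1 (LAN) is a LAN-tab rule problem, not an OpenVPN-tab one; an empty result from blocked_rtp, as in this thread, points away from pfSense.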



  • @Derelict:

    If the traffic is being sent out the tunnel, any blocking is being done at the client end.

    pfSense filters traffic as it enters the firewall.  So if you have a SIP server on LAN, rules passing traffic from the SIP server into pfSense will be on LAN.  After the traffic enters the firewall, it can freely leave on any destination interface, including being sent into OpenVPN.

    If the traffic is being blocked, there should be logs to that effect.

    I use SIP over OpenVPN every day.  Didn't have to do anything special.

    Thanks. I thought that would be the case, but sometimes when you stare at something too long you wonder if you're missing something obvious. I'll start swapping out programs - including the softphone - to see if maybe I have a buggy install of something like that.

    Mucho appreciado, when I find the answer I'll post back to resolve this thread.



  • After performing a series of packet captures and CLI debugs, it turns out the phone system is actually sending the RTP traffic to the local IP instead of the VPN allocated IP - no problem with pfSense at all. Thanks again for your help, at least I know my setup is working fine.
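    As an added example (not from this thread), a check for the root cause found here: read the media address out of a captured SDP body and test whether it sits inside the tunnel network. The SDP bodies, the tunnel network 10.8.0.0/24 and all addresses are constructed.

```python
import ipaddress

# Constructed SDP bodies, as a softphone on the roadwarrior would put them in an
# INVITE or 200 OK. The c= line carries the address the far end will send RTP to.
SDP_LAN_ADDR = """\
v=0
o=- 1234 1234 IN IP4 192.168.0.23
s=call
c=IN IP4 192.168.0.23
t=0 0
m=audio 7078 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
"""
# Same offer advertising the tunnel-assigned address instead.
SDP_VPN_ADDR = SDP_LAN_ADDR.replace("192.168.0.23", "10.8.0.6")

def sdp_media_endpoints(sdp: str):
    """Return (address, port) per m= line, honouring session- and media-level c= lines."""
    session_addr = None
    endpoints = []
    for line in sdp.splitlines():
        if line.startswith("c="):
            addr = line.split()[2].split("/")[0]   # drop /ttl on multicast addresses
            if endpoints:
                endpoints[-1] = (addr, endpoints[-1][1])   # media-level c= overrides
            else:
                session_addr = addr
        elif line.startswith("m="):
            endpoints.append((session_addr, int(line.split()[1])))
    return endpoints

def rtp_reachable_via_tunnel(sdp: str, tunnel_net: str):
    """Per media stream: (address, port, whether the address lies in the tunnel network)."""
    net = ipaddress.ip_network(tunnel_net)
    return [(addr, port, addr is not None and ipaddress.ip_address(addr) in net)
            for addr, port in sdp_media_endpoints(sdp)]
```

    Signaling still completes because SIP rides the tunnel, while the LAN-side c= address sends media somewhere the far end cannot reach; that is why ping and SIP both worked.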