Netgate Discussion Forum

    OpenVPN Bridge (and SPAN) - No traffic

    General pfSense Questions
    6 Posts 2 Posters 2.8k Views
    • browner87

      Like the title says, I'm trying to span all VPN traffic to an interface (a VLAN on the LAN NIC to be specific). I'm using my new SG-2220.

      I added the VPN to an interface (ovpns1 -> "VPN"), then created the VLAN (VLAN 8 on igb1 -> "VPNSPAN").

      I then went under Bridges and added "VPN_Span_Bridge" with "VPN" as the only member interface, and "VPNSPAN" as the Span Port. Here are the shortened (a-bridged ;) ) results:

      igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
              options=500bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO>
              ether 00:08:a2:09:7f:9d
              inet6 fe80::208:a2ff:fe09:7f9d%igb1 prefixlen 64 scopeid 0x2
              inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.1.255
              nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              media: Ethernet autoselect (1000baseT <full-duplex>)
              status: active
      ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
              options=80000<LINKSTATE>
              inet6 fe80::208:a2ff:fe09:7f9c%ovpns1 prefixlen 64 scopeid 0x9
              inet 192.168.40.1 --> 192.168.40.2 netmask 0xffffffff
              nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              Opened by PID 37478
      igb1_vlan8: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
              options=3<RXCSUM,TXCSUM>
              ether 00:08:a2:09:7f:9d
              inet6 fe80::208:a2ff:fe09:7f9d%igb1_vlan8 prefixlen 64 scopeid 0xa
              nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              media: Ethernet autoselect (1000baseT <full-duplex>)
              status: active
              vlan: 8 vlanpcp: 0 parent interface: igb1
      bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
              ether 02:9f:ac:9d:08:00
              nd6 options=1<PERFORMNUD>
              id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
              maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
              root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
              member: igb1_vlan8 flags=8 ifmaxaddr 0 port 10 priority 0 path cost 0
      

      Now, I run the following on the pfSense appliance:

      tcpdump -nAi ovpns1 host 192.168.40.60
      

      I connect to VPN with my phone and browse imgur and I see the traffic going by.

      Now, I run this line:

      tcpdump -nAi bridge0 host 192.168.40.60
      

      And I don't see anything. Same for:

      tcpdump -nAi igb1_vlan8 host 192.168.40.60
      

      Does anyone know why this isn't working? Does this have anything to do with OpenVPN being in UDP or TUN mode? (I don't think Android works in TAP mode, so hopefully TUN is fine…)

      • browner87

        So it turns out this is because my OpenVPN server is in TUN mode. However changing to TAP isn't really an option as my primary device (Android phone) will no longer be able to connect.

        All I want is to feed a copy of every VPN packet to an IDS system. Everything that leaves igb1 gets SPANned by my switch to the IDS. Is there a way to accomplish this SPANning?

        • jimp (Rebel Alliance Developer, Netgate)

          Without using tap, there wouldn't be a way to do that in the GUI.

          If you feel like hacking the source, pf has a "dup-to" rule keyword to send copies of packets to another destination, you could add in some custom rules in filter.inc using that. Very easy to break something though, and it would get wiped out on upgrade of course.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

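          To make the "dup-to" suggestion concrete, here is an added illustration of what such rules look like in pf syntax. It is not code from this thread or from pfSense's filter.inc: the interface names ovpns1 and igb1_vlan8 are taken from the ifconfig output above, while the sensor address 192.168.8.2 on VLAN 8 is an assumed placeholder for wherever the IDS listens.

```pf
# Added illustration of pf's dup-to (not from the thread or from pfSense):
# copy every packet traversing the OpenVPN tunnel interface to an IDS sensor
# reachable on the SPAN VLAN, while the original packet is forwarded normally.
#
# ovpns1 and igb1_vlan8 are the interface names from the ifconfig output above;
# 192.168.8.2 is an ASSUMED placeholder for the sensor's address on VLAN 8.

vpn_if   = "ovpns1"
ids_if   = "igb1_vlan8"
ids_addr = "192.168.8.2"

# Packets arriving from VPN clients: pass, create state, and send a duplicate
# out $ids_if towards $ids_addr. dup-to copies the packet; it does not redirect it.
pass in quick on $vpn_if dup-to ( $ids_if $ids_addr ) keep state

# Packets the firewall sends towards VPN clients (for example replies to
# connections opened from the LAN side) get the same treatment.
pass out quick on $vpn_if dup-to ( $ids_if $ids_addr ) keep state
```

          Because `quick` ends rule evaluation, these rules decide policy for everything on ovpns1 once they match: placed ahead of the pfSense-generated rules they would pass traffic the GUI policy blocks, and placed after them they would only see whatever no earlier quick rule already matched. Either narrow them (protocol, source, destination) to the traffic you actually intend to pass, or accept that the firewall policy for that interface now lives in these lines. Before loading anything, `pfctl -nf /tmp/rules.debug` parses the generated ruleset without touching the running one, so a syntax slip is caught before it can cost you network access; once loaded, `pfctl -vsr` lists the rules with their packet counters, which tells you whether packets are actually being duplicated before you start debugging on the IDS side.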
          • browner87

            Hmmm, okay so I'm talking with a friend who is probably going to help me with writing/committing a kernel patch to FreeBSD to enable TUN bridging, but that could be a while to both write and get released :s

            So I'd heard about this pf rules thing and I briefly Googled it with no success. I'll look for anything about "dup-to" and how to write such a rule though. Although I'm confused when you say it's easy to break something. I assume you mean if I made a grammar error I might lose network access to the box to fix the problem? If so I assume having a serial connection would render me "safe" to issues?

            Thanks very much for the reply!

            EDIT: I can't find /etc/pf.conf… Where would I find existing rule files? I assume I can just add my own alongside?

            • jimp (Rebel Alliance Developer, Netgate)

              The ruleset is generated by the code in filter.inc; the rules are output to /tmp/rules.debug. You cannot edit that file directly, you'd have to edit /etc/inc/filter.inc and find a place to insert the rules in the code.


              • browner87

                Great, thanks! I'll try this next time I have a network maintenance window (aka the gf isn't home and won't mind the Internet being out) and I'll post back if I get any good results!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.