<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[TCP Connection Not Working (LAN&#x2F;OpenVPN)]]></title><description><![CDATA[<p dir="auto">Welcome!<br />
I am new to the pfSense forums and I hope that I chose the correct category. I tried to solve it on StackExchange and then I realized that this should be the right board.  ;)</p>
<p dir="auto">I am currently working on my network setup for educational purposes. pfSense is installed on a virtual machine on my Proxmox node, which is connected to my home router (fritz.box). There is another virtual machine on the node which is running an HTTP server I want to access from outside my network. Both virtual machines are connected to a basic Linux bridge of Proxmox without any firewall or routing configuration (it acts as a normal switch). pfSense also hosts the DHCP server for this network, which works fine.</p>
<p dir="auto">So I created an OpenVPN server from which I can access the LAN of my VMs. OpenVPN pushes the route to the client, and pfSense provides DHCP to the VMs on its LAN. So I am able to connect to my OpenVPN server and I can ping all machines on the LAN and the other way around. Now I started to work with TCP/HTTP(80), but there are a few problems. If I try to access an HTTP resource of my VM, the connection cannot be established. The state on the server is stuck at "SYN_RECV" and on the client at "SYN_SENT".<br />
I have tried to disable the firewall of pfSense, but this does not change anything.</p>
<p dir="auto">Network Structure:</p>
<p dir="auto">FritzBox LAN: 172.20.0.0/16 (Router as GW with 172.20.0.1) [ISP Connection/Should not be important]<br />
pfSense LAN: 10.44.2.0/24 (pfSense as GW with 10.4.2.254)<br />
pfSense OpenVPN: 10.44.3.0/24 (OpenVPN Server with 10.44.3.1, client-to-client disabled, using SSL/TLS, only Linux/Ubuntu/Debian machines)</p>
<p dir="auto">Remote clients are located in 172.20.0.0/24 or 0.0.0.0/0. My home router forwards the OpenVPN port to pfSense. (This part works fine, PING works.)<br />
<em>EDIT: Yes, the VM is also connected to my home LAN for the normal internet uplink. I have disabled it so that the default route is through pfSense, but this does not change anything.</em></p>
<p dir="auto">VMs "ip -4 route":</p>
<pre><code>
default via 172.20.0.1 dev eth0 
10.44.2.0/24 dev eth2  proto kernel  scope link  src 10.44.2.11 
10.44.3.0/24 via 10.44.2.254 dev eth2 
172.20.0.0/16 dev eth0  proto kernel  scope link  src 172.20.4.2

</code></pre>
<p dir="auto">Client "ip -4 route":</p>
<pre><code>
default via 172.20.0.1 dev enp6s0  proto static  metric 100 
10.44.2.0/24 via 10.44.3.1 dev tun0  proto static  metric 50 
10.44.3.0/24 dev tun0  proto kernel  scope link  src 10.44.3.2  metric 50 
169.254.0.0/16 dev enp6s0  scope link  metric 1000 
172.20.0.0/16 dev enp6s0  proto kernel  scope link  src 172.20.6.5  metric 100

</code></pre>
<p dir="auto">pfSense "netstat -r4":</p>
<pre><code>
Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
default            172.20.0.1         UGS      vtnet0
10.44.1.0          link#2             U        vtnet1
pve-snake-router   link#2             UHS         lo0
10.44.2.0          link#3             U        vtnet2
10.44.2.254        link#3             UHS         lo0
10.44.3.0          10.44.3.1          UGS      ovpns1
10.44.3.1          link#8             UHS         lo0
10.44.3.2          link#8             UH       ovpns1
localhost          link#6             UH          lo0
172.20.0.0         link#1             U        vtnet0
172.20.4.254       link#1             UHS         lo0

</code></pre>
<p dir="auto">After that, I analysed the TCP traffic with Wireshark/tcpdump, and it seems that SYN and SYN,ACK are sent correctly, but I cannot find the final ACK.</p>
<p dir="auto">VM Server:</p>
<pre><code>
14:18:57.571985 IP 10.44.3.2.42956 &gt; 10.44.2.11.http: Flags [S], seq 3192289577, win 29200, options [mss 1308,sackOK,TS val 3098827 ecr 0,nop,wscale 7], length 0
14:18:57.572006 IP 10.44.2.11.http &gt; 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1460,sackOK,TS val 68259688 ecr 3098827,nop,wscale 7], length 0
14:18:57.825934 IP 10.44.3.2.42958 &gt; 10.44.2.11.http: Flags [S], seq 2213274578, win 29200, options [mss 1308,sackOK,TS val 3098889 ecr 0,nop,wscale 7], length 0
14:18:57.825952 IP 10.44.2.11.http &gt; 10.44.3.2.42958: Flags [S.], seq 595037825, ack 2213274579, win 28960, options [mss 1460,sackOK,TS val 68259752 ecr 3098889,nop,wscale 7], length 0
. . . . .
</code></pre>
<p dir="auto">Remote Client:</p>
<pre><code>
15:18:57.567020 IP 10.44.3.2.42956 &gt; 10.44.2.11.http: Flags [S], seq 3192289577, win 29200, options [mss 1460,sackOK,TS val 3098827 ecr 0,nop,wscale 7], length 0
15:18:57.570249 IP 10.44.2.11.http &gt; 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1308,sackOK,TS val 68259688 ecr 3098827,nop,wscale 7], length 0
15:18:57.817649 IP 10.44.3.2.42958 &gt; 10.44.2.11.http: Flags [S], seq 2213274578, win 29200, options [mss 1460,sackOK,TS val 3098889 ecr 0,nop,wscale 7], length 0
15:18:57.835985 IP 10.44.2.11.http &gt; 10.44.3.2.42958: Flags [S.], seq 595037825, ack 2213274579, win 28960, options [mss 1308,sackOK,TS val 68259752 ecr 3098889,nop,wscale 7], length 0
15:18:58.567001 IP 10.44.3.2.42956 &gt; 10.44.2.11.http: Flags [S], seq 3192289577, win 29200, options [mss 1460,sackOK,TS val 3099077 ecr 0,nop,wscale 7], length 0
15:18:58.568639 IP 10.44.2.11.http &gt; 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1308,sackOK,TS val 68259938 ecr 3098827,nop,wscale 7], length 0
15:18:58.570778 IP 10.44.2.11.http &gt; 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1308,sackOK,TS val 68259938 ecr 3098827,nop,wscale 7], length 0
15:18:58.815006 IP 10.44.3.2.42958 &gt; 10.44.2.11.http: Flags [S], seq 2213274578, win 29200, options [mss 1460,sackOK,TS val 3099139 ecr 0,nop,wscale 7], length 0
. . . .
</code></pre>
<p dir="auto">Does anyone see my fault? :)</p>
]]></description><link>https://forum.netgate.com/topic/93554/tcp-connection-not-working-lan-openvpn</link><generator>RSS for Node</generator><lastBuildDate>Tue, 09 Jun 2026 20:46:04 GMT</lastBuildDate><atom:link href="https://forum.netgate.com/topic/93554.rss" rel="self" type="application/rss+xml"/><pubDate>Wed, 30 Dec 2015 18:17:41 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Reply to TCP Connection Not Working (LAN&#x2F;OpenVPN) on Thu, 31 Dec 2015 15:30:02 GMT]]></title><description><![CDATA[<p dir="auto">Any ideas?</p>
]]></description><link>https://forum.netgate.com/post/593607</link><guid isPermaLink="true">https://forum.netgate.com/post/593607</guid><dc:creator><![CDATA[elidevender]]></dc:creator><pubDate>Thu, 31 Dec 2015 15:30:02 GMT</pubDate></item></channel></rss>