TCP Connection Not Working (LAN/OpenVPN)



  • Welcome!
I am new to the pfSense forums and I hope that I chose the correct category. I tried to solve it on StackExchange and then I realized that this should be the right board.  ;)

I am currently working on my network setup for educational purposes. pfSense is installed on a virtual machine on my Proxmox node which is connected to my home router (fritz.box). There is another virtual machine on the node which is running an HTTP server I want to access from outside my network. Both virtual machines are connected to a basic Linux bridge of Proxmox without any firewall or routing configuration (acts as a normal switch). pfSense also hosts the DHCP server for this network, which works fine.

So I created an OpenVPN server from which I can access the LAN of my VMs. OpenVPN pushes the route to the client and DHCP to the VMs in the pfSense LAN. So I am able to connect to my OpenVPN server and I can ping all machines on the LAN and the other way around. Now I started to work with TCP/HTTP (80) but there are a few problems. If I try to access an HTTP resource of my VM, the connection cannot be established. The state on the server is stuck at "SYN_RECV" and the client's at "SYN_SENT".
    I have tried to disable the firewall of pfSense but this does not change anything.

    Network Structure:

    FritzBox LAN: 172.20.0.0/16 (Router as GW with 172.20.0.1) [ISP Connection/Should not be important]
    pfSense LAN: 10.44.2.0/24 (pfSense as GW with 10.4.2.254)
    pfSense OpenVPN: 10.44.3.0/24 (OpenVPN Server with 10.44.3.1, client-to-client disabled, using SSL/TLS, only Linux/Ubuntu/Debian machines)

Remote clients are located in 172.20.0.0/24 or 0.0.0.0/0. My home router forwards the OpenVPN port to pfSense. (This part works fine, PING works.)
    EDIT: Yes, the VM is also connected to my home LAN for normal internet uplink. I have disabled it so the default route is through pfSense, but this does not change anything.

    VMs "ip -4 route":

    
    default via 172.20.0.1 dev eth0 
    10.44.2.0/24 dev eth2  proto kernel  scope link  src 10.44.2.11 
    10.44.3.0/24 via 10.44.2.254 dev eth2 
    172.20.0.0/16 dev eth0  proto kernel  scope link  src 172.20.4.2
    
    

    Client "ip -4 route":

    
    default via 172.20.0.1 dev enp6s0  proto static  metric 100 
    10.44.2.0/24 via 10.44.3.1 dev tun0  proto static  metric 50 
    10.44.3.0/24 dev tun0  proto kernel  scope link  src 10.44.3.2  metric 50 
    169.254.0.0/16 dev enp6s0  scope link  metric 1000 
    172.20.0.0/16 dev enp6s0  proto kernel  scope link  src 172.20.6.5  metric 100
    
    

    pfSense "netstat -r4":

    
    Routing tables
    
    Internet:
    Destination        Gateway            Flags      Netif Expire
    default            172.20.0.1         UGS      vtnet0
    10.44.1.0          link#2             U        vtnet1
    pve-snake-router   link#2             UHS         lo0
    10.44.2.0          link#3             U        vtnet2
    10.44.2.254        link#3             UHS         lo0
    10.44.3.0          10.44.3.1          UGS      ovpns1
    10.44.3.1          link#8             UHS         lo0
    10.44.3.2          link#8             UH       ovpns1
    localhost          link#6             UH          lo0
    172.20.0.0         link#1             U        vtnet0
    172.20.4.254       link#1             UHS         lo0
    
    

After that, I analysed the TCP traffic with Wireshark/tcpdump and it seems that SYN and SYN,ACK are sent correctly, but I cannot find the final ACK.

    VM Server:

    
14:18:57.571985 IP 10.44.3.2.42956 > 10.44.2.11.http: Flags [S], seq 3192289577, win 29200, options [mss 1308,sackOK,TS val 3098827 ecr 0,nop,wscale 7], length 0
    14:18:57.572006 IP 10.44.2.11.http > 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1460,sackOK,TS val 68259688 ecr 3098827,nop,wscale 7], length 0
    14:18:57.825934 IP 10.44.3.2.42958 > 10.44.2.11.http: Flags [S], seq 2213274578, win 29200, options [mss 1308,sackOK,TS val 3098889 ecr 0,nop,wscale 7], length 0
    14:18:57.825952 IP 10.44.2.11.http > 10.44.3.2.42958: Flags [S.], seq 595037825, ack 2213274579, win 28960, options [mss 1460,sackOK,TS val 68259752 ecr 3098889,nop,wscale 7], length 0
    . . . . .
    
    Remote Client:
15:18:57.567020 IP 10.44.3.2.42956 > 10.44.2.11.http: Flags [S], seq 3192289577, win 29200, options [mss 1460,sackOK,TS val 3098827 ecr 0,nop,wscale 7], length 0
    15:18:57.570249 IP 10.44.2.11.http > 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1308,sackOK,TS val 68259688 ecr 3098827,nop,wscale 7], length 0
    15:18:57.817649 IP 10.44.3.2.42958 > 10.44.2.11.http: Flags [S], seq 2213274578, win 29200, options [mss 1460,sackOK,TS val 3098889 ecr 0,nop,wscale 7], length 0
    15:18:57.835985 IP 10.44.2.11.http > 10.44.3.2.42958: Flags [S.], seq 595037825, ack 2213274579, win 28960, options [mss 1308,sackOK,TS val 68259752 ecr 3098889,nop,wscale 7], length 0
    15:18:58.567001 IP 10.44.3.2.42956 > 10.44.2.11.http: Flags [S], seq 3192289577, win 29200, options [mss 1460,sackOK,TS val 3099077 ecr 0,nop,wscale 7], length 0
    15:18:58.568639 IP 10.44.2.11.http > 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1308,sackOK,TS val 68259938 ecr 3098827,nop,wscale 7], length 0
    15:18:58.570778 IP 10.44.2.11.http > 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1308,sackOK,TS val 68259938 ecr 3098827,nop,wscale 7], length 0
    15:18:58.815006 IP 10.44.3.2.42958 > 10.44.2.11.http: Flags [S], seq 2213274578, win 29200, options [mss 1460,sackOK,TS val 3099139 ecr 0,nop,wscale 7], length 0
    . . . .
    
Does anyone see my fault? :)
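The capture in the post shows, for every flow, a SYN and a SYN-ACK but never the client's final ACK, and each SYN is retransmitted. Checking that by eye works for two flows; for a longer capture it is easier to let a script walk tcpdump's text output and classify each handshake. The following is an added example (not from the post and not pfSense or OpenVPN code): it parses tcpdump's default IPv4 TCP summary lines, tracks each client-to-server flow through SYN, SYN-ACK and ACK, and counts retransmissions. The sample input is the post's remote-client capture (with `Flags [S]` restored) plus one constructed healthy handshake on port 43000 for contrast.

```python
"""Classify TCP three-way handshakes in tcpdump text output (added example).

Parses lines such as
  HH:MM:SS.us IP a.b.c.d.port > e.f.g.h.port: Flags [S], seq N, ack M, ...
and reports, per client->server flow, how far the handshake got.
"""
import re
from collections import OrderedDict

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?"   # data segments print "seq 1:80"
    r"(?:, ack (?P<ack>\d+))?"
)


def parse_line(line):
    """Return a dict for a TCP-over-IPv4 tcpdump line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["seq"] = int(pkt["seq"]) if pkt["seq"] is not None else None
    pkt["ack"] = int(pkt["ack"]) if pkt["ack"] is not None else None
    return pkt


def classify_flows(lines):
    """Map (client, cport, server, sport) -> handshake summary for each flow seen."""
    flows = OrderedDict()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        flags = pkt["flags"]
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if "R" in flags:                          # RST in either direction ends the flow
            f = flows.get(fwd) or flows.get(rev)
            if f is not None:
                f["rst"] = True
        elif "S" in flags and "." not in flags:   # bare SYN defines client -> server
            f = flows.setdefault(fwd, {"syn": 0, "synack": 0, "ack": False,
                                       "rst": False, "server_isn": None})
            f["syn"] += 1
        elif "S" in flags:                        # SYN-ACK travels server -> client
            f = flows.get(rev)
            if f is not None:
                f["synack"] += 1
                f["server_isn"] = pkt["seq"]
        elif "." in flags and fwd in flows:       # client ACK after SYN-ACK completes it
            f = flows[fwd]
            if f["synack"] and not f["ack"]:
                # tcpdump prints relative numbers after the SYN exchange, so the
                # final ACK shows "ack 1"; with -S it shows server_isn + 1.
                expected = {1}
                if f["server_isn"] is not None:
                    expected.add(f["server_isn"] + 1)
                if pkt["ack"] in expected:
                    f["ack"] = True

    summary = OrderedDict()
    for key, f in flows.items():
        if f["rst"]:
            state = "RESET"
        elif f["ack"]:
            state = "ESTABLISHED"
        elif f["synack"]:
            state = "SYN_RECV (SYN-ACK seen, no final ACK)"
        else:
            state = "SYN_SENT (no SYN-ACK seen)"
        summary[key] = {"state": state,
                        "syn_retransmits": max(f["syn"] - 1, 0),
                        "synack_retransmits": max(f["synack"] - 1, 0)}
    return summary


# Sample input: the post's remote-client capture, plus a constructed healthy
# handshake on port 43000 (relative seq/ack numbers, as tcpdump prints by default).
SAMPLE_CAPTURE = [
    "15:18:57.567020 IP 10.44.3.2.42956 > 10.44.2.11.http: Flags [S], seq 3192289577, win 29200, options [mss 1460,sackOK,TS val 3098827 ecr 0,nop,wscale 7], length 0",
    "15:18:57.570249 IP 10.44.2.11.http > 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1308,sackOK,TS val 68259688 ecr 3098827,nop,wscale 7], length 0",
    "15:18:57.817649 IP 10.44.3.2.42958 > 10.44.2.11.http: Flags [S], seq 2213274578, win 29200, options [mss 1460,sackOK,TS val 3098889 ecr 0,nop,wscale 7], length 0",
    "15:18:57.835985 IP 10.44.2.11.http > 10.44.3.2.42958: Flags [S.], seq 595037825, ack 2213274579, win 28960, options [mss 1308,sackOK,TS val 68259752 ecr 3098889,nop,wscale 7], length 0",
    "15:18:58.567001 IP 10.44.3.2.42956 > 10.44.2.11.http: Flags [S], seq 3192289577, win 29200, options [mss 1460,sackOK,TS val 3099077 ecr 0,nop,wscale 7], length 0",
    "15:18:58.568639 IP 10.44.2.11.http > 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1308,sackOK,TS val 68259938 ecr 3098827,nop,wscale 7], length 0",
    "15:18:58.570778 IP 10.44.2.11.http > 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1308,sackOK,TS val 68259938 ecr 3098827,nop,wscale 7], length 0",
    "15:18:58.815006 IP 10.44.3.2.42958 > 10.44.2.11.http: Flags [S], seq 2213274578, win 29200, options [mss 1460,sackOK,TS val 3099139 ecr 0,nop,wscale 7], length 0",
    # constructed healthy handshake for contrast
    "15:20:00.000000 IP 10.44.3.2.43000 > 10.44.2.11.http: Flags [S], seq 100, win 29200, options [mss 1460], length 0",
    "15:20:00.002000 IP 10.44.2.11.http > 10.44.3.2.43000: Flags [S.], seq 500, ack 101, win 28960, options [mss 1308], length 0",
    "15:20:00.003000 IP 10.44.3.2.43000 > 10.44.2.11.http: Flags [.], ack 1, win 229, length 0",
    "15:20:00.004000 IP 10.44.3.2.43000 > 10.44.2.11.http: Flags [P.], seq 1:80, ack 1, win 229, length 79: HTTP: GET / HTTP/1.1",
]

if __name__ == "__main__":
    for (client, cport, server, sport), info in classify_flows(SAMPLE_CAPTURE).items():
        print(f"{client}:{cport} -> {server}:{sport}: {info['state']} "
              f"(SYN retransmits {info['syn_retransmits']}, "
              f"SYN-ACK retransmits {info['synack_retransmits']})")
```

Run it against `tcpdump -n -i tun0 tcp` output saved to a file (replace `SAMPLE_CAPTURE` with the file's lines). A flow reported as `SYN_RECV` on the server side while the client capture shows the SYN-ACK arriving, as in the post, means the client received the SYN-ACK but never answered it, which narrows the search to the client host and the path the SYN-ACK took to reach it rather than to the server.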
    


  • Any ideas?

