Netgate Discussion Forum
    TCP Connection Not Working (LAN/OpenVPN)

    Routing and Multi WAN
    2 Posts 1 Posters 1.3k Views
    elidevender

      Welcome!
      I am new to the pfSense forums and I hope that I chose the correct category. I tried to solve it on StackExchange and then I realized that this should be the right board.  ;)

      I am currently working on my network setup for educational purposes. pfSense is installed on a virtual machine on my proxmox node which is connected to my home router (fritz.box). There is another virtual machine on the node which is running an HTTP server I want to access from outside my network. Both virtual machines are connected to a basic linux bridge of proxmox without any firewall or routing configuration (acts as a normal switch). pfSense also hosts the DHCP server for this network, which works fine.

      So I created an OpenVPN server from which I can access the LAN of my VMs. OpenVPN pushes the route to the client, and DHCP to the VMs in the pfSense LAN. So I am able to connect to my OpenVPN server and I can ping all machines on the LAN and the other way around. Now I started to work with TCP/HTTP(80) but there are a few problems. If I try to access an HTTP resource of my VM, the created connection cannot be established. The state on the server is stuck at "SYN_RECV" and the client one at "SYN_SENT".
      I have tried to disable the firewall of pfSense but this does not change anything.

      Network Structure:

      FritzBox LAN: 172.20.0.0/16 (Router as GW with 172.20.0.1) [ISP Connection/Should not be important]
      pfSense LAN: 10.44.2.0/24 (pfSense as GW with 10.4.2.254)
      pfSense OpenVPN: 10.44.3.0/24 (OpenVPN Server with 10.44.3.1, client-to-client disabled, using SSL/TLS, only Linux/Ubuntu/Debian machines)

      Remote clients are located in 172.20.0.0/24 or 0.0.0.0/0. My home router forwards the openvpn port to pfSense. (This part works fine, PING works)
      EDIT: Yes, the VM is also connected to my home lan for normal internet uplink. I have disabled it so the default route is through pfSense, but this does not change anything.

      VMs "ip -4 route":

      
      default via 172.20.0.1 dev eth0 
      10.44.2.0/24 dev eth2  proto kernel  scope link  src 10.44.2.11 
      10.44.3.0/24 via 10.44.2.254 dev eth2 
      172.20.0.0/16 dev eth0  proto kernel  scope link  src 172.20.4.2
      
      

      Client "ip -4 route":

      
      default via 172.20.0.1 dev enp6s0  proto static  metric 100 
      10.44.2.0/24 via 10.44.3.1 dev tun0  proto static  metric 50 
      10.44.3.0/24 dev tun0  proto kernel  scope link  src 10.44.3.2  metric 50 
      169.254.0.0/16 dev enp6s0  scope link  metric 1000 
      172.20.0.0/16 dev enp6s0  proto kernel  scope link  src 172.20.6.5  metric 100
      
      

      pfSense "netstat -r4":

      
      Routing tables
      
      Internet:
      Destination        Gateway            Flags      Netif Expire
      default            172.20.0.1         UGS      vtnet0
      10.44.1.0          link#2             U        vtnet1
      pve-snake-router   link#2             UHS         lo0
      10.44.2.0          link#3             U        vtnet2
      10.44.2.254        link#3             UHS         lo0
      10.44.3.0          10.44.3.1          UGS      ovpns1
      10.44.3.1          link#8             UHS         lo0
      10.44.3.2          link#8             UH       ovpns1
      localhost          link#6             UH          lo0
      172.20.0.0         link#1             U        vtnet0
      172.20.4.254       link#1             UHS         lo0
      
      

      After that, I analysed the TCP traffic with wireshark/tcpdump and it seems that SYN and SYN,ACK are sent correctly, but I cannot find the final ACK.

      VM Server:

      14:18:57.571985 IP 10.44.3.2.42956 > 10.44.2.11.http: Flags [S], seq 3192289577, win 29200, options [mss 1308,sackOK,TS val 3098827 ecr 0,nop,wscale 7], length 0
      14:18:57.572006 IP 10.44.2.11.http > 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1460,sackOK,TS val 68259688 ecr 3098827,nop,wscale 7], length 0
      14:18:57.825934 IP 10.44.3.2.42958 > 10.44.2.11.http: Flags [S], seq 2213274578, win 29200, options [mss 1308,sackOK,TS val 3098889 ecr 0,nop,wscale 7], length 0
      14:18:57.825952 IP 10.44.2.11.http > 10.44.3.2.42958: Flags [S.], seq 595037825, ack 2213274579, win 28960, options [mss 1460,sackOK,TS val 68259752 ecr 3098889,nop,wscale 7], length 0
      . . . . .

      Remote Client:

      15:18:57.567020 IP 10.44.3.2.42956 > 10.44.2.11.http: Flags [S], seq 3192289577, win 29200, options [mss 1460,sackOK,TS val 3098827 ecr 0,nop,wscale 7], length 0
      15:18:57.570249 IP 10.44.2.11.http > 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1308,sackOK,TS val 68259688 ecr 3098827,nop,wscale 7], length 0
      15:18:57.817649 IP 10.44.3.2.42958 > 10.44.2.11.http: Flags [S], seq 2213274578, win 29200, options [mss 1460,sackOK,TS val 3098889 ecr 0,nop,wscale 7], length 0
      15:18:57.835985 IP 10.44.2.11.http > 10.44.3.2.42958: Flags [S.], seq 595037825, ack 2213274579, win 28960, options [mss 1308,sackOK,TS val 68259752 ecr 3098889,nop,wscale 7], length 0
      15:18:58.567001 IP 10.44.3.2.42956 > 10.44.2.11.http: Flags [S], seq 3192289577, win 29200, options [mss 1460,sackOK,TS val 3099077 ecr 0,nop,wscale 7], length 0
      15:18:58.568639 IP 10.44.2.11.http > 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1308,sackOK,TS val 68259938 ecr 3098827,nop,wscale 7], length 0
      15:18:58.570778 IP 10.44.2.11.http > 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1308,sackOK,TS val 68259938 ecr 3098827,nop,wscale 7], length 0
      15:18:58.815006 IP 10.44.3.2.42958 > 10.44.2.11.http: Flags [S], seq 2213274578, win 29200, options [mss 1460,sackOK,TS val 3099139 ecr 0,nop,wscale 7], length 0
      . . . .

      Does anyone see my fault? :)
      
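A small handshake tracker for captures like the ones in the post (an added example, not code from the post or from pfSense): it walks tcpdump summary lines, pairs each client SYN with the server's SYN-ACK per flow, and reports flows that never carried the client's bare ACK, which is the SYN_RECV / SYN_SENT pattern described above. The sample lines are constructed: the first four mirror the remote-client capture (with `[S]` as tcpdump actually prints it), and the healthy flow on port 42960 is invented for contrast.

```python
import re

# One tcpdump summary line as it appears in the captures above (IPv4 TCP; the port
# may print as a service name such as "http" when name resolution is on).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\w+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return the fields of one tcpdump line, or None for separators like '. . . .'."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def handshake_states(lines):
    """Track the three-way handshake per flow, keyed by (client, cport, server, sport).
    Flags [S] = SYN, [S.] = SYN-ACK, [.] = bare ACK (the segment missing in the post)."""
    flows = {}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        flags = p["flags"].upper()  # also accepts the forum-mangled "[s]" from the post
        client_key = (p["src"], p["sport"], p["dst"], p["dport"])
        server_key = (p["dst"], p["dport"], p["src"], p["sport"])
        if flags == "S":
            flows.setdefault(client_key, {"syn": 0, "synack": 0, "ack": False})["syn"] += 1
        elif flags == "S.":
            flows.setdefault(server_key, {"syn": 0, "synack": 0, "ack": False})["synack"] += 1
        elif flags == "." and client_key in flows:
            flows[client_key]["ack"] = True
    return flows

def stuck_flows(lines):
    """Flows that saw SYN and SYN-ACK but never the client's ACK (SYN_RECV on the server)."""
    return sorted(k for k, s in handshake_states(lines).items()
                  if s["syn"] and s["synack"] and not s["ack"])

# Constructed sample: lines 1-3 mirror the remote-client capture in the post (options
# trimmed); the 42960 flow is a made-up complete handshake for contrast.
SAMPLE = """\
15:18:57.567020 IP 10.44.3.2.42956 > 10.44.2.11.http: Flags [S], seq 3192289577, win 29200, length 0
15:18:57.570249 IP 10.44.2.11.http > 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, length 0
15:18:58.568639 IP 10.44.2.11.http > 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, length 0
. . . .
15:18:59.000000 IP 10.44.3.2.42960 > 10.44.2.11.http: Flags [S], seq 1, win 29200, length 0
15:18:59.001000 IP 10.44.2.11.http > 10.44.3.2.42960: Flags [S.], seq 2, ack 2, win 28960, length 0
15:18:59.002000 IP 10.44.3.2.42960 > 10.44.2.11.http: Flags [.], ack 3, win 229, length 0
""".splitlines()
```

Running `stuck_flows(SAMPLE)` returns only the 42956 flow; a repeated SYN-ACK count above 1 with no ACK points at the return path from client to server rather than at the server itself.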
    elidevender

        Any ideas?

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.