OpenVPN TAP TCP traffic not passing, ICMP works

shimpa:
Hi folks,

Recently I've come across this strange issue with OpenVPN when using it in TAP mode.

It's set up correctly (well obviously it isn't since it's not working but I have no idea what to change).

- It's in Remote access mode (SSL/TLS with auth)
- no tunnel network
- bridged with LAN interface
- DHCP inside the LAN pool
- disabled compression
- TOS IP header checked
- Inter-client comm allowed
- allow duplicate connections
- allow dynamic IP changes
- Provide a virtual adapter IP address to clients
- no custom options

I've bridged the LAN and the TAP OpenVPN interface
- the bridge interface is enabled

On the TAP OpenVPN interface and the bridge interface, as well as the LAN interface, there is an allow any/any rule on top.
There is an allow UDP/1199 on WAN (that's the service port, not using the default 1194).

The clients connect just fine, receive the IP address from the pfSense's LAN DHCP service as they should and ping works between the VPN clients and the actual LAN devices both ways (from LAN to OVPN client and vice versa).

Even UDP works (traceroute).

The issue is with TCP connections. I can't access the pfSense web config on LAN side. There's a lot of multicasting devices on the LAN side (Xboxes) and the states are there but can't seem to actually start a TCP session across the VPN.

I've played around with the MTU using the fragment xxxx;mssfix in the advanced options (the xxxx ranging from 1000 to 1400, tried about a dozen random numbers) but that only makes it worse. No matter what MTU I set there, nothing passes anymore, not even ICMP.

If anyone has any ideas I'd greatly appreciate it,

cheers,

Damir

tomtom13:
I was wondering whether you actually got to fix this issue.

I'm having a similar problem where TCP can't get to the pfSense main GUI over VPN but ping gets there just fine. I also am not able to query DNS that is on pfSense over VPN ... which is mighty bizarre!

coffeecup25:

--- Quote from: tomtom13 on May 03, 2017, 01:43:11 pm ---I was wondering whether you actually got to fix this issue.

I'm having a similar problem where TCP can't get to the pfSense main GUI over VPN but ping gets there just fine. I also am not able to query DNS that is on pfSense over VPN ... which is mighty bizarre!

--- End quote ---

I can't speak to your problems, but I used this reference for my tap server and it worked perfectly out of the box.

https://hardforum.com/threads/pfsense-2-0-1-openvpn-configuration-guide.1663797/

Hope it helps.

johnpoz:
I am curious as to why anyone would want to set up a tap vs a tun in the first place. What is the use case that justifies tap?

kpa:

--- Quote from: johnpoz on May 05, 2017, 12:51:46 pm ---I am curious as to why anyone would want to set up a tap vs a tun in the first place. What is the use case that justifies tap?

--- End quote ---

Zeroconf/mDNS for the VPN client and similar multicast/broadcast based discovery services is just about the only thing I can think of.
