
Author Topic: ovpn issues / rules.debug  (Read 159 times)


Offline exlfrnk

  • Newbie
  • *
  • Posts: 11
  • Karma: +2/-0
ovpn issues / rules.debug
« on: January 27, 2018, 08:44:25 am »
Hi,
running current pfsense 2.4.2-RELEASE-p1 (amd64)
built on Tue Dec 12 13:45:26 CST 2017

I have an ovpn client set up working and not working at the same time. I suspect I have multiple issues.

1: Since a couple of days I get the bell in the header and:
There were error(s) loading the rules: /tmp/rules.debug:252: syntax error - The line in question reads [252]: pass out route-to ( ovpnc1 <ip-redacted> ) from <ip-redacted> to !/ tracker 1000006963 keep state allow-opts label "let out anything from firewall host itself"

Examining the line in rules.debug really shows the syntax error must be after the from ... to. Exclamation mark backslash does not seem legit. Which process creates the rules?

2. Strangely enough, the tunnel gets used perfectly fine for smtp, but not anymore for my imap and http/s traffic. Those packets get dropped somewhere, without notice. How can I get a full log of all dropped packets?


Offline tylerjd

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-1
Re: ovpn issues / rules.debug
« Reply #1 on: January 27, 2018, 07:34:22 pm »
I am also having this exact issue with the error, though I see no appreciable loss in the packets going through it on either side.

Perhaps you could tcpdump (using Diagnostics > Packet Capture on pfSense) both sides and then compare the two to see dropped packets?

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21548
  • Karma: +1469/-26
Re: ovpn issues / rules.debug
« Reply #2 on: January 29, 2018, 02:48:11 pm »
I take it from that error, you have the OpenVPN interface assigned. What settings do you have on the assigned interface? Any special settings?

Maybe you tried to put a Virtual IP on the OpenVPN interface? Or maybe there is some kind of broken Virtual IP entry that thinks it's on the VPN interface?
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline tylerjd

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-1
Re: ovpn issues / rules.debug
« Reply #3 on: February 06, 2018, 12:13:01 am »
Yes, it's an assigned OpenVPN interface. It's nothing special as far as I am aware; I do policy routing to it to act as a gateway for some machines, but that's as fancy as it gets.

Attached is a screenshot of my interface settings for the OpenVPN tunnel, the IP set is the same one provided to it via the vpn tunnel.

I also have the suricata and freeradius packages installed, I don't know how much that'd impact this issue though.

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21548
  • Karma: +1469/-26
Re: ovpn issues / rules.debug
« Reply #4 on: February 06, 2018, 07:40:32 am »
Don't do that. Set the assigned interface to "None" for IPv4 and IPv6.

OpenVPN will manage the address internally, setting it there is messing it up.
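
Added example (not part of any post in this thread, and not pfSense code): a small shell check that scans a pf ruleset for `from`/`to` operands with no address in front of the `/`, the `to !/` pattern in the error quoted in the first post. The function names, the sample rules and the documentation-range addresses are constructed for illustration.

```shell
#!/bin/sh
# Flag pf rules whose from/to operand has an empty address part, such as
# "to !/" or "from /24". Prints "LINENO: keyword operand" for every hit.
# Reads the file given as an argument, or stdin when none is given.
find_empty_operands() {
    awk '
    {
        # Drop quoted label text so words inside it are not parsed as operands.
        gsub(/"[^"]*"/, "")
        for (i = 1; i < NF; i++) {
            # Exact field match, so "route-to" is not mistaken for "to".
            if ($i == "from" || $i == "to") {
                op = $(i + 1)
                addr = op
                sub(/^!/, "", addr)      # strip a leading negation
                # Nothing left, or the operand starts at the "/" separator.
                if (addr == "" || addr ~ /^\//)
                    printf "%d: %s %s\n", NR, $i, op
            }
        }
    }' "$@"
}

# Constructed sample: line 1 mirrors the shape of the rule in the error
# message (addresses replaced with documentation ranges), line 2 is valid.
sample_rules() {
    cat <<'EOF'
pass out route-to ( ovpnc1 192.0.2.1 ) from 192.0.2.10 to !/ tracker 1000006963 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( igb0 198.51.100.1 ) from 198.51.100.5 to !198.51.100.0/24 keep state label "constructed valid rule"
EOF
}

# Stand-alone run: scan the file named on the command line, else the sample.
if [ -n "${1:-}" ]; then
    find_empty_operands "$1"
else
    sample_rules | find_empty_operands
fi
```

On the firewall itself the function can be pointed at `/tmp/rules.debug`; `pfctl -nf /tmp/rules.debug` parses the same file without loading it and reports the first syntax error pf finds.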