On 05/01/2016 08:15 AM, Jens Kühnel wrote:
> Hi,
>
> I'm a very satisfied PFSense User for a very long time, but I'm running
> into a problem that I can not fix, even after a long time of searching.
>
> To get a real IPv4-Address to my home with only a DSLite connection, I'm
> using PFSense with OpenVPN via UDP6 to transport a real IP-Address from
> my Hosting Provider (Hetzner) to my home. The problem occurs with
> PFSense 2.2 and 2.3. The opposite side (at Hetzner) is a Centos7 with
> openvpn-2.3.10-1.el7.x86_64.
>
> I can create the tunnel and ping without any problem. Sometimes I can
> also use TCP without a problem. But most of the time not. The Problem
> happens only from the internet to my home and without a detectable
> pattern (time, load on the link, source/destination IP, port).
> tcpdump shows a lot of TCP ACKed unseen segment, TCP Retransmission and
> TCP Dup ACKs.
> From my homenetwork to the Internet there is no problem.
>
>
> My first idea was MTU, but decreasing the MTU did not help. Also the
> option mtu-test shows on both sides:
>  Empirical MTU test completed [Tried,Actual] local->remote=[1584,1584]
> remote->local=[1584,1584]
>
> My second idea (or that of a friend) was bad offloading. So I disabled
> all kinds of offloading with this:
> ifconfig em0 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso -lro -vlanhwtag
> -vlanhwfilter -vlanhwtso
> ifconfig em1 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso -lro -vlanhwtag
> -vlanhwfilter -vlanhwtso
> Without any help.
>
> Yesterday I freed up another IP and configured a Linux-Machine as a
> replacement of the PFSense. With iptables and openvpn and here
> everything works without any problems.
>
> So the problem is PFsense or my misconfiguration of PFSense.
>
> I really would like to continue to use PFSense, so can anyone give a
> hint how to fix this or at least what it can be and where to search.
>
> CU
> Jens
>
> P.S.:
>
> My setup:
>
> The PFSense has an IPv6 address and gets the IPv4 address via the
> openvpn tunnel. This is also the default IPv4 GW. I have 3 networks (in
> 192.168.*) in 3 VLANs and use NAT via the public IP.
> PFSense forwards 443 to an internal HTTPS server and a high port to an
> SSH server.
>
> This setup (without the OpenVPN Tunnel) was working without a problem
> for 2 Years before I moved to a new City with this new setup.
>


Did you increase the verbosity of OpenVPN logging and see what OpenVPN
is reporting?  Can you?  Pastebin?
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
