Re: [pfSense] PFSense breaks TCP-Sessions

2016-05-03 Thread WebDawg
Did you try ipv6 inside the tunnel also?

On Tue, May 3, 2016 at 1:56 PM, Jens Kühnel wrote:

> On 01.05.2016 at 18:29, WebDawg wrote:
> >
> >
> > On 05/01/2016 08:15 AM, Jens Kühnel wrote:
> >> [...]
> >
> >
> > Did you increase the verbosity of OpenVPN logging and see what OpenVPN
> > is reporting?  Can you?  Pastebin?
> Hi,
>
> Here I run it with verb 4 on both sides. But nothing fancy is shown.
>
> The output can be found here:
>
> https://paste.fedoraproject.org/362219/46229582/
>
>
> Thanks for the help.
> CU
> Jens
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] PFSense breaks TCP-Sessions

2016-05-03 Thread Jens Kühnel
On 01.05.2016 at 18:29, WebDawg wrote:
> 
> 
> On 05/01/2016 08:15 AM, Jens Kühnel wrote:
>> [...]
> 
> 
> Did you increase the verbosity of OpenVPN logging and see what OpenVPN
> is reporting?  Can you?  Pastebin?
Hi,

Here I run it with verb 4 on both sides. But nothing fancy is shown.

The output can be found here:

https://paste.fedoraproject.org/362219/46229582/


Thanks for the help.
CU
Jens



[pfSense] PFSense breaks TCP-Sessions

2016-05-01 Thread Jens Kühnel
Hi,

I'm a very satisfied PFSense user for a very long time, but I'm running
into a problem that I cannot fix, even after a long time of searching.

To get a real IPv4 address to my home with only a DS-Lite connection, I'm
using PFSense with OpenVPN via UDP6 to transport a real IP address from
my hosting provider (Hetzner) to my home. The problem occurs with
PFSense 2.2 and 2.3. The opposite side (at Hetzner) is a CentOS 7 with
openvpn-2.3.10-1.el7.x86_64.

I can create the tunnel and ping without any problem. Sometimes I can
also use TCP without a problem, but most of the time not. The problem
happens only from the internet to my home and without a detectable
pattern (time, load on the link, source/destination IP, port).
tcpdump shows a lot of TCP ACKed unseen segment, TCP Retransmission and
TCP Dup ACKs.
From my home network to the Internet there is no problem.


My first idea was MTU, but decreasing the MTU did not help. Also the
option mtu-test shows on both sides:
 Empirical MTU test completed [Tried,Actual] local->remote=[1584,1584] remote->local=[1584,1584]

My second idea (or that of a friend) was bad offloading. So I disabled
all kinds of offloading with this:
ifconfig em0 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso -lro -vlanhwtag -vlanhwfilter -vlanhwtso
ifconfig em1 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso -lro -vlanhwtag -vlanhwfilter -vlanhwtso
Without any help.

Yesterday I freed up another IP and configured a Linux machine as a
replacement for the PFSense, with iptables and openvpn, and here
everything works without any problems.

So the problem is PFSense or my misconfiguration of PFSense.

I really would like to continue to use PFSense, so can anyone give a
hint how to fix this, or at least what it can be and where to search?

CU
Jens

P.S.:

My setup:

The PFSense has an IPv6 address and gets the IPv4 address via the
openvpn tunnel. This is also the default IPv4 GW. I have 3 networks (in
192.168.*) in 3 VLANs and use NAT via the public IP.
PFSense forwards 443 to an internal HTTPS server and a high port to an
SSH server.

This setup (without the OpenVPN tunnel) was working without a problem
for 2 years before I moved to a new city with this new setup.

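The symptoms in the post above (retransmissions, duplicate ACKs, "ACKed unseen segment") are Wireshark expert-info labels, and the key observation is that they appear only in the inbound direction. The script below is an added example, not code from the thread or from pfSense or OpenVPN: it parses tcpdump -n style TCP lines and counts those three symptoms per flow direction, so the asymmetry can be quantified from a capture on the tun interface instead of eyeballed. The heuristics are simplified versions of Wireshark's rules (a data segment ending at or below what the sender already transmitted is a retransmission; an empty ACK repeating the previous ack number is a dup ACK; an ack number beyond anything captured from the peer means acked-unseen data). The sample lines are constructed; the addresses, ports and sequence numbers are invented for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Matches tcpdump -n output for TCP segments (IPv4 "IP" or IPv6 "IP6").
# tcpdump's default relative sequence numbers are assumed.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win \d+)?"
    r"(?:, options \[[^\]]*\])?"
    r", length (?P<len>\d+)"
)


@dataclass
class DirStats:
    """Counters for one direction (src -> dst) of one TCP flow."""
    highest_end: Optional[int] = None  # end of the highest data segment seen
    last_ack: Optional[int] = None     # last ack number sent in this direction
    retransmissions: int = 0           # data segments at or below highest_end
    dup_acks: int = 0                  # empty ACKs repeating the previous ack
    acked_unseen: int = 0              # peer ACKed bytes never seen in capture


Key = Tuple[str, str]


def analyse(lines: Iterable[str]) -> Dict[Key, DirStats]:
    stats: Dict[Key, DirStats] = defaultdict(DirStats)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ICMP, ARP, truncated lines: ignored here
        src, dst, flags = m["src"], m["dst"], m["flags"]
        length = int(m["len"])
        fwd, rev = stats[(src, dst)], stats[(dst, src)]

        if "S" in flags:
            # A SYN consumes relative sequence number 0, so data starts at 1.
            fwd.highest_end = max(fwd.highest_end or 0, 1)

        if length > 0 and m["seq_end"]:
            seq_end = int(m["seq_end"])
            # Payload that ends at or below what this sender already sent is
            # a retransmission (simplified Wireshark rule).
            if fwd.highest_end is not None and seq_end <= fwd.highest_end:
                fwd.retransmissions += 1
            fwd.highest_end = max(fwd.highest_end or 0, seq_end)

        if m["ack"]:
            ack = int(m["ack"])
            # The ACK covers more of the peer's stream than the capture ever
            # showed: those bytes were lost before the capture point or the
            # capture dropped them. Charged to the peer's (data) direction.
            if rev.highest_end is not None and ack > rev.highest_end:
                rev.acked_unseen += 1
            if (length == 0 and "S" not in flags and "F" not in flags
                    and ack == fwd.last_ack):
                fwd.dup_acks += 1
            fwd.last_ack = ack
    return stats


def report(stats: Dict[Key, DirStats]) -> str:
    rows = ["direction".ljust(40) + " retx  dupack  unseen"]
    for (src, dst), s in sorted(stats.items()):
        rows.append(f"{src} > {dst}".ljust(40)
                    + f"{s.retransmissions:5d}{s.dup_acks:8d}{s.acked_unseen:8d}")
    return "\n".join(rows)


# Constructed sample (not a real capture): client 203.0.113.5 fetches from
# server 198.51.100.7; the server's 1449:2897 segment goes missing, the
# client dup-ACKs 1449, the server retransmits, and later the client ACKs
# 4000 although the capture never saw bytes 3500:4000.
SAMPLE = """\
10:00:00.000100 IP 203.0.113.5.51000 > 198.51.100.7.443: Flags [S], seq 0, win 64240, length 0
10:00:00.000200 IP 198.51.100.7.443 > 203.0.113.5.51000: Flags [S.], seq 0, ack 1, win 65160, length 0
10:00:00.000300 IP 203.0.113.5.51000 > 198.51.100.7.443: Flags [.], ack 1, win 502, length 0
10:00:00.001000 IP 203.0.113.5.51000 > 198.51.100.7.443: Flags [P.], seq 1:101, ack 1, win 502, length 100
10:00:00.002000 IP 198.51.100.7.443 > 203.0.113.5.51000: Flags [.], ack 101, win 509, length 0
10:00:00.003000 IP 198.51.100.7.443 > 203.0.113.5.51000: Flags [.], seq 1:1449, ack 101, win 509, length 1448
10:00:00.003500 IP 198.51.100.7.443 > 203.0.113.5.51000: Flags [P.], seq 2897:3500, ack 101, win 509, length 603
10:00:00.004000 IP 203.0.113.5.51000 > 198.51.100.7.443: Flags [.], ack 1449, win 502, length 0
10:00:00.004100 IP 203.0.113.5.51000 > 198.51.100.7.443: Flags [.], ack 1449, win 502, length 0
10:00:00.004200 IP 203.0.113.5.51000 > 198.51.100.7.443: Flags [.], ack 1449, win 502, length 0
10:00:00.200000 IP 198.51.100.7.443 > 203.0.113.5.51000: Flags [.], seq 1449:2897, ack 101, win 509, length 1448
10:00:00.250000 IP 203.0.113.5.51000 > 198.51.100.7.443: Flags [.], ack 3500, win 502, length 0
10:00:00.260000 IP 203.0.113.5.51000 > 198.51.100.7.443: Flags [.], ack 4000, win 502, length 0
10:00:00.270000 IP 198.51.100.7.443 > 203.0.113.5.51000: Flags [P.], seq 4000:4100, ack 101, win 509, length 100
"""

if __name__ == "__main__":
    print(report(analyse(SAMPLE.splitlines())))
```

Run it against `tcpdump -n -i ovpnc1 tcp` output captured on both tunnel endpoints (interface name is an assumption; use whatever `ifconfig` shows for the OpenVPN tun device). If the server side shows clean counters while the pfSense side charges retransmissions and acked-unseen data to the inbound direction only, the loss is between the two capture points, which narrows the search to the tunnel path and the firewall's own packet handling rather than the hosts.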