Re: [pfSense] PFSense breaks TCP-Sessions
Did you try IPv6 inside the tunnel also?

On Tue, May 3, 2016 at 1:56 PM, Jens Kühnel wrote:
> On 01.05.2016 at 18:29, WebDawg wrote:
> >
> > On 05/01/2016 08:15 AM, Jens Kühnel wrote:
> >> Hi,
> >>
> >> I'm a very satisfied PFSense user for a very long time, but I'm running
> >> into a problem that I cannot fix, even after a long time of searching.
> >>
> >> To get a real IPv4 address to my home with only a DSLite connection, I'm
> >> using PFSense with OpenVPN via UDP6 to transport a real IP address from
> >> my hosting provider (Hetzner) to my home. The problem occurs with
> >> PFSense 2.2 and 2.3. The opposite side (at Hetzner) is a CentOS 7 with
> >> openvpn-2.3.10-1.el7.x86_64.
> >>
> >> I can create the tunnel and ping without any problem. Sometimes I can
> >> also use TCP without a problem, but most of the time not. The problem
> >> happens only from the Internet to my home and without a detectable
> >> pattern (time, load on the link, source/destination IP, port).
> >> tcpdump shows a lot of TCP ACKed unseen segment, TCP Retransmission and
> >> TCP Dup Acks.
> >> From my home network to the Internet there is no problem.
> >>
> >> My first idea was MTU, but decreasing the MTU did not help. Also the
> >> option mtu-test shows on both sides:
> >> Empirical MTU test completed [Tried,Actual] local->remote=[1584,1584] remote->local=[1584,1584]
> >>
> >> My second idea (or that of a friend) was bad offloading. So I disabled
> >> all kinds of offloading with this:
> >> ifconfig em0 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso -lro -vlanhwtag -vlanhwfilter -vlanhwtso
> >> ifconfig em1 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso -lro -vlanhwtag -vlanhwfilter -vlanhwtso
> >> Without any help.
> >>
> >> Yesterday I freed up another IP and configured a Linux machine as a
> >> replacement for the PFSense, with iptables and openvpn, and here
> >> everything works without any problems.
> >>
> >> So the problem is PFSense or my misconfiguration of PFSense.
> >>
> >> I really would like to continue to use PFSense, so can anyone give a
> >> hint how to fix this or at least what it can be and where to search.
> >>
> >> CU
> >> Jens
> >>
> >> P.S.:
> >>
> >> My setup:
> >>
> >> The PFSense has an IPv6 address and gets the IPv4 address via the
> >> OpenVPN tunnel. This is also the default IPv4 GW. I have 3 networks (in
> >> 192.168.*) in 3 VLANs and use NAT via the public IP.
> >> PFSense forwards 443 to an internal HTTPS server and a high port to an
> >> SSH server.
> >>
> >> This setup (without the OpenVPN tunnel) was working without a problem
> >> for 2 years before I moved to a new city with this new setup.
> >
> > Did you increase the verbosity of OpenVPN logging and see what OpenVPN
> > is reporting? Can you? Pastebin?
>
> Hi,
>
> Here I run it with verb 4 on both sides. But nothing fancy is shown.
>
> The output can be found here:
>
> https://paste.fedoraproject.org/362219/46229582/
>
> Thanks for the help.
> CU
> Jens

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] PFSense breaks TCP-Sessions
On 01.05.2016 at 18:29, WebDawg wrote:
>
> On 05/01/2016 08:15 AM, Jens Kühnel wrote:
>> Hi,
>>
>> I'm a very satisfied PFSense user for a very long time, but I'm running
>> into a problem that I cannot fix, even after a long time of searching.
>>
>> To get a real IPv4 address to my home with only a DSLite connection, I'm
>> using PFSense with OpenVPN via UDP6 to transport a real IP address from
>> my hosting provider (Hetzner) to my home. The problem occurs with
>> PFSense 2.2 and 2.3. The opposite side (at Hetzner) is a CentOS 7 with
>> openvpn-2.3.10-1.el7.x86_64.
>>
>> I can create the tunnel and ping without any problem. Sometimes I can
>> also use TCP without a problem, but most of the time not. The problem
>> happens only from the Internet to my home and without a detectable
>> pattern (time, load on the link, source/destination IP, port).
>> tcpdump shows a lot of TCP ACKed unseen segment, TCP Retransmission and
>> TCP Dup Acks.
>> From my home network to the Internet there is no problem.
>>
>> My first idea was MTU, but decreasing the MTU did not help. Also the
>> option mtu-test shows on both sides:
>> Empirical MTU test completed [Tried,Actual] local->remote=[1584,1584] remote->local=[1584,1584]
>>
>> My second idea (or that of a friend) was bad offloading. So I disabled
>> all kinds of offloading with this:
>> ifconfig em0 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso -lro -vlanhwtag -vlanhwfilter -vlanhwtso
>> ifconfig em1 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso -lro -vlanhwtag -vlanhwfilter -vlanhwtso
>> Without any help.
>>
>> Yesterday I freed up another IP and configured a Linux machine as a
>> replacement for the PFSense, with iptables and openvpn, and here
>> everything works without any problems.
>>
>> So the problem is PFSense or my misconfiguration of PFSense.
>>
>> I really would like to continue to use PFSense, so can anyone give a
>> hint how to fix this or at least what it can be and where to search.
>>
>> CU
>> Jens
>>
>> P.S.:
>>
>> My setup:
>>
>> The PFSense has an IPv6 address and gets the IPv4 address via the
>> OpenVPN tunnel. This is also the default IPv4 GW. I have 3 networks (in
>> 192.168.*) in 3 VLANs and use NAT via the public IP.
>> PFSense forwards 443 to an internal HTTPS server and a high port to an
>> SSH server.
>>
>> This setup (without the OpenVPN tunnel) was working without a problem
>> for 2 years before I moved to a new city with this new setup.
>
> Did you increase the verbosity of OpenVPN logging and see what OpenVPN
> is reporting? Can you? Pastebin?

Hi,

Here I run it with verb 4 on both sides. But nothing fancy is shown.

The output can be found here:

https://paste.fedoraproject.org/362219/46229582/

Thanks for the help.
CU
Jens

[pfSense] PFSense breaks TCP-Sessions
Hi,

I'm a very satisfied PFSense user for a very long time, but I'm running into a problem that I cannot fix, even after a long time of searching.

To get a real IPv4 address to my home with only a DSLite connection, I'm using PFSense with OpenVPN via UDP6 to transport a real IP address from my hosting provider (Hetzner) to my home. The problem occurs with PFSense 2.2 and 2.3. The opposite side (at Hetzner) is a CentOS 7 with openvpn-2.3.10-1.el7.x86_64.

I can create the tunnel and ping without any problem. Sometimes I can also use TCP without a problem, but most of the time not. The problem happens only from the Internet to my home and without a detectable pattern (time, load on the link, source/destination IP, port). tcpdump shows a lot of TCP ACKed unseen segment, TCP Retransmission and TCP Dup Acks.
From my home network to the Internet there is no problem.

My first idea was MTU, but decreasing the MTU did not help. Also the option mtu-test shows on both sides:
Empirical MTU test completed [Tried,Actual] local->remote=[1584,1584] remote->local=[1584,1584]

My second idea (or that of a friend) was bad offloading. So I disabled all kinds of offloading with this:
ifconfig em0 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso -lro -vlanhwtag -vlanhwfilter -vlanhwtso
ifconfig em1 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso -lro -vlanhwtag -vlanhwfilter -vlanhwtso
Without any help.

Yesterday I freed up another IP and configured a Linux machine as a replacement for the PFSense, with iptables and openvpn, and here everything works without any problems.

So the problem is PFSense or my misconfiguration of PFSense.

I really would like to continue to use PFSense, so can anyone give a hint how to fix this or at least what it can be and where to search.

CU
Jens

P.S.:

My setup:

The PFSense has an IPv6 address and gets the IPv4 address via the OpenVPN tunnel. This is also the default IPv4 GW. I have 3 networks (in 192.168.*) in 3 VLANs and use NAT via the public IP.
PFSense forwards 443 to an internal HTTPS server and a high port to an SSH server.

This setup (without the OpenVPN tunnel) was working without a problem for 2 years before I moved to a new city with this new setup.