Project

General

Profile

Actions

Bug #12888

open

pfSense sends un-NATed packets during OpenVPN startup

Added by b b 4 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.6.0
Affected Architecture:
All

Description

pfSense sometimes fails to NAT the LAN source address for packets sent to the WAN while an OpenVPN tunnel is initializing. I noticed this bug when my ISP's modem logged errors like:


num     date/time                       source IP       dest IP                 proto   reason
---------------------------------------------------------------------------------------------------------
146    2022-02-22T13:32:09.389745    192.168.x.y    <e.g., Google IP>    TCP    IP Source Address

while I was restarting OpenVPN. A packet capture on the WAN interface during this time shows un-NATed packets exiting WAN:


13:32:08.340316 <pfsense MAC> > <ISP modem MAC>, ethertype IPv4 (0x0800), length 139: (tos 0x0, ttl 127, id 0, offset 0, flags [DF], proto TCP (6), length 125)
    192.168.x.y.60004 > <e.g., Google IP>.443: Flags [P.], cksum 0x9f97 (correct), seq 3564024189:3564024274, ack 2514772943, win 1026, length 85
13:32:08.647718 <pfsense MAC> > <ISP modem MAC>, ethertype IPv4 (0x0800), length 139: (tos 0x0, ttl 127, id 0, offset 0, flags [DF], proto TCP (6), length 125)
    192.168.x.y.60004 > <e.g., Google IP>.443: Flags [P.], cksum 0x9f97 (correct), seq 0:85, ack 1, win 1026, length 85


(Note, the devices' clocks are not precisely synchronized)

I have put various "reject" floating rules on outbound WAN to prevent these packets from exiting [1], but they are ineffective: the packets still exit, and the rules show no activity. pfSense's diagnostics/states page shows many states of the form:


IGB1_LAN_ADMIN     tcp     192.168.x.y:60304 -> <website IP>:443     CLOSED:SYN_SENT     1 / 1     52 B / 80 B

where IGB1_LAN_ADMIN is one of my LAN interfaces. It has the 192.168.x.y address. There are no corresponding states of the form:


WAN_IGBO     tcp     <WAN IP>:40725 (192.168.x.y:60304) -> <website IP>:443     ESTABLISHED:ESTABLISHED     1.717 K / 1.683 K     113 KiB / 106 KiB

The bug can be reproduced nearly every time by restarting OpenVPN, then refreshing a web page repeatedly until after OpenVPN is up again.

I use a gateway group as the default gateway, with the VPN interface at high priority and WAN_IGB0 at lower priority.

I have only one package installed: service_watchdog.

I first noticed this issue on 2.6CE, but it might have existed in older versions.

Discussion of this issue is at https://forum.netgate.com/topic/170203/source-address-not-nated-during-openvpn-startup .

[1] e.g. action:block, quick, interface:WAN_IGB0, direction:out, family:IPV4+IPV6, protocol:any, source:RFC1918, destination:any, extra options:log, no advanced options.

No data to display

Actions

Also available in: Atom PDF