OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Hunduster on March 01, 2024, 01:45:21 PM

Title: [solved] Problem with inbound TLS connection
Post by: Hunduster on March 01, 2024, 01:45:21 PM
Hello everyone,

I have a problem with one of my mail gateways behind an OPNsense and two Internet connections.

WAN 1 - COLT fiber
WAN 2 - Vodafone DOCSIS

Both connections have fixed IP addresses. On each OPNsense, a static IP is entered on the WAN interfaces and the remaining IP addresses are created as CARP.

I have two mail gateways behind the firewall, where port 25 is forwarded to the gateways via DNAT. One CARP IP is forwarded to gateway 1 and one CARP IP to gateway 2. The rules are otherwise identical.

The whole thing works perfectly with the COLT connection. With the Vodafone connection, I cannot establish a TLS connection, only plain. With various TLS checks I always get the same error message: Cannot convert to SSL (reason: SSL wants a read first)

So something is really messing up here.

I have already deactivated all possible security features such as IPS/IDS and Zenarmor. It's no use. The logs also show nothing. The firewall and DNAT rules let all packets through.

I'm slowly running out of ideas where else to look.

Title: Re: [solved] Problem with inbound TLS connection
Post by: Hunduster on March 01, 2024, 05:21:26 PM
You won't believe it, but restarting the master node solved the problem. I double- and triple-checked everything for two days and then the ::)

Title: Re: [solved] Problem with inbound TLS connection
Post by: Hunduster on March 01, 2024, 05:30:36 PM
Quote from: Hunduster on March 01, 2024, 05:21:26 PM
You won't believe it, but restarting the master node solved the problem. I double- and triple-checked everything for two days and then the ::)

No, it has not been solved. Now, after a few minutes as master, I have the same error again :-(

Title: Re: Problem with inbound TLS connection
Post by: Hunduster on March 02, 2024, 09:40:23 AM
It's always the little things that make a big difference! :D I have now been able to find out exactly what the problem was: MTU.

With our old firewall, I had set up an MTU of 1412 on the Vodafone connection. I had stupidly carried this over to OPNsense.
Now that I have set the MTU back to 1500, it is stable on all firewall nodes.