Topic: [SOLVED] Weird network problems for one client after updating to 23.4.1 (Read 2214 times)
Raketenmeyer
Jr. Member
Posts: 55
Karma: 7
[SOLVED] Weird network problems for one client after updating to 23.4.1
« on: June 19, 2023, 04:22:35 pm »
Hey,
we have weird network problems in conjunction with OpenVPN with our firewall after updating from 23.4 to 23.4.1 on a DEC3850 for a single employee.
The "Default deny / state violation rule" randomly blocks traffic from one of our OpenVPN connected employees although the corresponding traffic is allowed by rule(s). At times the traffic from this employee is blocked at all. All our clients are running Windows 10 using OpenVPN connect 3.3.7 and this setup is working for at least 1,5 years now.
In the live log it sometimes looks like allow/deny ping pong - screenshots attached.
I'm a bit helpless at this point. What could be the reason that the traffic from a single employee is blocked while all others have normal access as expected? This employee has no (known) problems to access other parts of the internet at all - websites etc. working normal.
I have the feeling, that this problem has nothing to do with the update to 23.4.1, but it started right after the update, so I thought asking in the forum might be a good idea.
Has someone ever experienced such a problem?
« Last Edit: June 20, 2023, 11:24:09 am by Raketenmeyer »
zan
Full Member
Posts: 175
Karma: 31
Re: Weird network problems for one client after updating from 23.4 to 23.4.1
« Reply #1 on: June 19, 2023, 04:58:34 pm »
What are the 'tcpflags' of denied packets? If they are FA, FPA, RA, PA and the like, they are just out-of-state packets.
Raketenmeyer
Jr. Member
Posts: 55
Karma: 7
Re: Weird network problems for one client after updating from 23.4 to 23.4.1
« Reply #2 on: June 19, 2023, 06:41:47 pm »
It looks like most packages (blocked and passed) have only the "DF" flag assigned. Looking at the firewall plain view, the length of the blocked packages varies a lot - I've seen lengths from 90 to 1028 (btw. what unit is this? bit?). And also a few blocked packages with a length of 0.
Btw. rule 11 (line start) is the "Default deny / state violation rule".
« Last Edit: June 19, 2023, 07:03:09 pm by Raketenmeyer »
zan
Full Member
Posts: 175
Karma: 31
Re: Weird network problems for one client after updating from 23.4 to 23.4.1
« Reply #3 on: June 19, 2023, 07:14:32 pm »
Yeah I see mostly PA and RA got blocked, those are out-of-state packets.
Unless those are SYN or SYN-ACK you can safely ignore them.
Google out-of-state packets.
Edit: Some explanations
https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html
« Last Edit: June 19, 2023, 07:18:13 pm by zan »
Raketenmeyer
Jr. Member
Posts: 55
Karma: 7
Re: Weird network problems for one client after updating from 23.4 to 23.4.1
« Reply #4 on: June 19, 2023, 07:39:45 pm »
Thank you for the explanation - got it now, I looked at the wrong part of the line(s). Since only one employee has this problem (homeoffice), I assume some kind of internet problems like packet loss / flaky connection or a bad wlan connection on his side. Would you agree on that?
zan
Full Member
Posts: 175
Karma: 31
Re: Weird network problems for one client after updating from 23.4 to 23.4.1
« Reply #5 on: June 20, 2023, 05:27:47 am »
Yes, also devices woke up from sleep, phone devices flipped between mobile data & wlan etc.
Unless you are seeing a flood of these - they are just noise (part of connection teardowns), I wouldn't worry much.
May want to play around with firewall optimization setting for state timeouts and set to the one to your liking (Check the actual values with "pfctl -st").
Personally I use high-latency, I found the default is a tad too short.
Raketenmeyer
Jr. Member
Posts: 55
Karma: 7
Re: Weird network problems for one client after updating from 23.4 to 23.4.1
« Reply #6 on: June 20, 2023, 11:21:21 am »
The problem is so serious for this employee that he is not able to work from home anymore and the logs are full of FA, RA and PA entries if he tries to. In the next step I'll try to find the root cause in his homeoffice.
Thank you very much - I've learned a lot
« Last Edit: June 20, 2023, 11:27:03 am by Raketenmeyer »
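The triage rule from the replies above (blocked TCP packets whose flags are not SYN or SYN-ACK are out-of-state), as an added Python example that is not part of the original thread. It assumes the firewall plain view is the pf filterlog CSV layout with the field positions named in the code and that TCP flags are rendered as letters (S, SA, PA, RA, FA); the sample lines, addresses, ports and interface name are constructed.

```python
import csv
from collections import Counter, defaultdict

# Assumed field positions in a pf "filterlog" CSV payload (IPv4/TCP entry);
# compare with your own firewall's plain-view log before relying on them.
ACTION, IPVER, PROTO, SRC, TCPFLAGS = 6, 8, 16, 18, 23

# Constructed sample lines (rule 11 = default deny, as in the thread).
SAMPLE = """\
11,,,0,ovpns1,match,block,in,4,0x0,,127,4101,0,DF,6,tcp,92,10.8.0.6,192.168.1.20,50112,445,52,PA,100:152,7,1026,,
11,,,0,ovpns1,match,block,in,4,0x0,,127,4102,0,DF,6,tcp,40,10.8.0.6,192.168.1.20,50112,445,0,RA,152,7,0,,
11,,,0,ovpns1,match,block,in,4,0x0,,127,4103,0,DF,6,tcp,40,10.8.0.6,192.168.1.20,50090,443,0,FA,900,31,1026,,
75,,,0,ovpns1,match,pass,in,4,0x0,,127,4104,0,DF,6,tcp,52,10.8.0.6,192.168.1.20,50113,445,0,S,5000,,64240,,mss
11,,,0,ovpns1,match,block,in,4,0x0,,127,4105,0,DF,17,udp,78,10.8.0.6,192.168.1.53,50114,53,58
11,,,0,ovpns1,match,block,in,4,0x0,,127,7001,0,DF,6,tcp,52,10.8.0.7,192.168.1.30,51000,3389,0,S,9000,,64240,,mss
"""

def classify(flags):
    """SYN or SYN-ACK means a connection attempt was denied by the rules;
    any other flag combination on a blocked packet is out-of-state."""
    return "new-connection" if "S" in flags else "out-of-state"

def summarize(text):
    """Return {source_ip: Counter({class: count})} for blocked IPv4 TCP packets."""
    result = defaultdict(Counter)
    for row in csv.reader(text.splitlines()):
        # Skip short rows (e.g. UDP entries have no tcpflags field) and non-TCP.
        if len(row) <= TCPFLAGS or row[IPVER] != "4" or row[PROTO] != "tcp":
            continue
        if row[ACTION] != "block":
            continue
        result[row[SRC]][classify(row[TCPFLAGS])] += 1
    return result

def needs_attention(summary):
    """Sources with blocked SYN/SYN-ACK: check the rule set for these.
    Sources with only out-of-state blocks point at state loss instead."""
    return sorted(ip for ip, c in summary.items() if c["new-connection"] > 0)

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for ip, counts in sorted(summary.items()):
        print(ip, dict(counts))
    print("blocked connection attempts from:", needs_attention(summary))
```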