[solved] Problem with inbound TLS connection

Started by Hunduster, March 01, 2024, 01:45:21 PM

March 01, 2024, 01:45:21 PM Last Edit: March 02, 2024, 09:40:38 AM by Hunduster
Hello everyone,

I have a problem with one of my mail gateways behind an OPNsense and two Internet connections.

WAN 1 - COLT fiber
WAN 2 - Vodafone DOCSIS

Both connections have fixed IP addresses. On each OPNsense, a static IP is entered on the WAN interfaces and the remaining IP addresses are created as CARP.

I have two mail gateways behind the firewall, where port 25 is forwarded to the gateways via DNAT. One CARP IP is forwarded to gateway 1 and one CARP IP to gateway 2. The rules are otherwise identical.

The whole thing works perfectly with the COLT connection. With the Vodafone connection, I cannot establish a TLS connection, only plain. With various TLS checks I always get the same error message: Cannot convert to SSL (reason: SSL wants a read first)

So something is really messing up here.

I have already deactivated all possible security features such as IPS/IDS and Zenarmor. It's no use. The logs also show nothing. Firewall and DNAT rules let all packets through.

I'm slowly running out of ideas where else to look.
So long....

The Hunduster

You won't believe it, but restarting the master node solved the problem. I double- and triple-checked everything for two days and then the ::)
So long....

The Hunduster

Quote from: Hunduster on March 01, 2024, 05:21:26 PM
You won't believe it, but restarting the master node solved the problem. I double- and triple-checked everything for two days and then the ::)

No, it has not been solved. Now, after a few minutes of being the master node, I have the same error again :-(
So long....

The Hunduster

It's always the little things that make a big difference! :D I have now been able to find out exactly what the problem was: MTU.

With our old firewall, I had set up an MTU of 1412 on the Vodafone connection. I had stupidly carried this over to OPNsense.
Now that I have set the MTU back to 1500, it is stable on all firewall nodes.
So long....

The Hunduster
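The symptom in this thread, plain SMTP works but the TLS handshake never completes, is the classic signature of an MTU/PMTU black hole: the client's EHLO, STARTTLS and ClientHello are small, while the server's ServerHello plus Certificate is the first packet large enough to exceed the path MTU and quietly disappear. The probe below is an added example, not code from the thread or from OPNsense; it walks an SMTP session stage by stage and reports exactly where it stalls. The `start_fake_gateway` server is a constructed stand-in (host `mx.example`, port chosen at random on 127.0.0.1) that accepts the ClientHello and then sends nothing, which is what the Vodafone path looked like from the gateway's point of view.

```python
"""SMTP STARTTLS probe: tell "plain SMTP works" apart from "TLS handshake never finishes".

Added example. The fake gateway is constructed for offline use and does not
complete a real handshake; it reproduces the stall seen when the server's
first large TLS record is lost on an MTU-black-holed path.
"""
import socket
import ssl
import threading


def read_reply(sock):
    """Read one complete SMTP reply (single- or multi-line).

    Returns (code, full_text). The reply is complete once the last line has a
    space after the three-digit code ("250 " rather than "250-").
    """
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection")
        data += chunk
        if not data.endswith(b"\r\n"):
            continue
        last = data[:-2].rsplit(b"\r\n", 1)[-1]
        if len(last) >= 4 and last[3:4] == b" ":
            return last[:3].decode(), data.decode(errors="replace")


def probe_starttls(host, port, timeout=5.0):
    """Run EHLO -> STARTTLS -> TLS handshake and report the last stage reached.

    Returns a dict with plain_ok, tls_ok, stage and error (None on success).
    Certificate verification is disabled on purpose: this checks the
    transport path, not trust in the peer.
    """
    result = {"plain_ok": False, "tls_ok": False, "stage": "connect", "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            code, _ = read_reply(s)
            if code != "220":
                raise RuntimeError(f"unexpected greeting {code}")
            result["stage"] = "ehlo"
            s.sendall(b"EHLO probe.example\r\n")
            code, text = read_reply(s)
            if code != "250":
                raise RuntimeError(f"EHLO rejected with {code}")
            result["plain_ok"] = True                  # plain SMTP is fine up to here
            if "STARTTLS" not in text.upper():
                result["error"] = "STARTTLS not offered"
                return result
            result["stage"] = "starttls"
            s.sendall(b"STARTTLS\r\n")
            code, _ = read_reply(s)
            if code != "220":
                raise RuntimeError(f"STARTTLS rejected with {code}")
            result["stage"] = "tls_handshake"
            ctx = ssl.create_default_context()
            ctx.check_hostname = False                 # must precede verify_mode
            ctx.verify_mode = ssl.CERT_NONE
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                result["tls_ok"] = True
                result["stage"] = "done"
                result["tls_version"] = tls.version()
    except socket.timeout:
        # A timeout exactly at tls_handshake, after plain SMTP worked, is the MTU signature.
        result["error"] = f"timeout during {result['stage']}"
    except (OSError, RuntimeError) as exc:
        result["error"] = f"{type(exc).__name__} during {result['stage']}: {exc}"
    return result


def start_fake_gateway(offer_starttls=True):
    """Constructed stand-in for a mail gateway on 127.0.0.1; returns its port.

    It answers the plain SMTP dialogue normally, reads the ClientHello and
    then stays silent until the client gives up, mimicking a ServerHello that
    never gets through the path.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(b"220 mx.example ESMTP\r\n")
            conn.recv(1024)                                   # EHLO
            caps = b"250-mx.example\r\n250-SIZE 52428800\r\n"
            caps += b"250 STARTTLS\r\n" if offer_starttls else b"250 8BITMIME\r\n"
            conn.sendall(caps)
            if not offer_starttls:
                conn.recv(1)                                  # wait for the client to hang up
                return
            conn.recv(1024)                                   # STARTTLS
            conn.sendall(b"220 2.0.0 Ready to start TLS\r\n")
            conn.recv(4096)                                   # ClientHello (small, arrives fine)
            conn.recv(1)                                      # send nothing; block until client gives up

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_fake_gateway()
    print(probe_starttls("127.0.0.1", port, timeout=2.0))
    # plain_ok True, tls_ok False, stage tls_handshake, error "timeout during tls_handshake"
```

Against a real gateway, `probe_starttls("mail.example.net", 25)` stalling at `tls_handshake` while `plain_ok` is true points at the path rather than the mail software; the manual equivalent is `openssl s_client -starttls smtp -connect host:25`. To confirm an MTU problem from a Linux host, send DF-flagged pings of decreasing size (`ping -M do -s 1472 host`; 1472 bytes of payload plus 28 bytes of headers is a 1500-byte frame) and note the largest size that gets through.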