pf fails to create state entries to OpenVPN-initiated sessions

"Kiss Zoltán" schaman at sch.bme.hu
Thu Sep 4 18:30:23 UTC 2008


Hi,

My company has a strange problem with OpenVPN under FreeBSD 7.0. The configuration is the following:

Our central NAT firewall/VPN endpoint has two physical interfaces, one for the public Internet (called ext), and one for our intranet (int, 192.168.1.0/24). On ext there are IPSec tunnels to remote offices through gif interfaces, and int is bridged to tap0, which is used by OpenVPN. Users can seamlessly log in and access the central subnet, but there are strange effects when someone wants to access branch office networks. Note that pf has “set skip” options on all gif interfaces, on the bridge0 interface and on tap0, to avoid filtering on that side. So as I mentioned, OpenVPN users can access the 192.168.1.0/24 network, but when they send a packet to a remote subnet (e.g. 192.168.2.0/24), sometimes the firewall doesn’t create a state entry, and so TCP sessions cannot be established. See this example:

2008-09-03 19:03:35.919390 rule 41/0(match): pass out on int: 192.168.1.100.55754 > 192.168.1.1.53: 61937+[|domain]
2008-09-03 19:03:36.147102 rule 0/0(match): block out on int: 192.168.2.1.3389 > 192.168.1.100.38289: S 1952258627:1952258627(0) ack 479606554 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]>
2008-09-03 19:03:38.682145 rule 0/0(match): block out on int: 192.168.2.1.3389 > 192.168.1.100.38289: S 1952258627:1952258627(0) ack 479606554 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]>

.1.100 is an OpenVPN client; as you see, it passes pf to the central subnet. But in the next two rows, where .2.1 is a terminal server, you can see only the answer packets to the TCP session initiation, which are blocked for lack of a state entry. But what’s more strange, when I start an RDP session to the same server again 2 minutes later, it works properly:

2008-09-03 19:05:28.237872 rule 7/0(match): pass in on int: 192.168.1.100.38293 > 192.168.2.1.3389: S 2231405925:2231405925(0) win 5840 <mss 1336,sackOK,timestamp 236974897[|tcp]>

And I didn’t make any change on the firewall in these 2 minutes! And this happens quite randomly, so I’m quite confused about why it happens. The related firewall rules:

@7 pass in log on int inet from 192.168.1.0/24 to any flags S/SA keep state
@41 pass out log on int inet from 192.168.1.0/24 to any flags S/SA keep state
@42 pass in log on int inet from any to 192.168.16.0/24 flags S/SA keep state

I tried to leave it as permissive as possible. There isn’t any dynamic routing on this intranet, and inside the physical networks of our offices anybody can access anybody without any problem. My expectation is that if a packet comes from a VPN client, it goes through tap0 and bridge0, where it’s not filtered, passes in on int, and creates a state entry, but somehow that doesn’t always happen. Do you have any idea how I can investigate this problem? Any suggestions are welcome.

Regards,

Zoltán, Kiss
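A small pflog correlator, added here as an example and not part of the post or of pf itself: it parses tcpdump-style pflog output (the `-n -e -tttt` layout the quoted lines are in, plus the newer `Flags [S.]` notation), records every SYN that matched a logged `pass` rule, and reports every SYN-ACK that hit a `block` rule, classifying each as either "the initiating SYN was never logged on any interface" or "the SYN did pass but no state was there when the reply arrived". With `flags S/SA keep state` the SYN-ACK should be matched by the state and never reach the ruleset, so a logged block on it is exactly the symptom described above; the classification tells you which of the two very different causes to chase. The sample input is the four log lines from the post; the second sample is constructed to exercise the other branch.

```python
import re
from typing import Dict, List, Tuple

# Sample input: the four pflog lines quoted in the post above, in order
# (tcpdump -n -e -tttt output read from pflog0 / /var/log/pflog).
SAMPLE_PFLOG = """\
2008-09-03 19:03:35.919390 rule 41/0(match): pass out on int: 192.168.1.100.55754 > 192.168.1.1.53: 61937+[|domain]
2008-09-03 19:03:36.147102 rule 0/0(match): block out on int: 192.168.2.1.3389 > 192.168.1.100.38289: S 1952258627:1952258627(0) ack 479606554 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]>
2008-09-03 19:03:38.682145 rule 0/0(match): block out on int: 192.168.2.1.3389 > 192.168.1.100.38289: S 1952258627:1952258627(0) ack 479606554 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]>
2008-09-03 19:05:28.237872 rule 7/0(match): pass in on int: 192.168.1.100.38293 > 192.168.2.1.3389: S 2231405925:2231405925(0) win 5840 <mss 1336,sackOK,timestamp 236974897[|tcp]>
"""

# Constructed (not from the post): a SYN that passed, then its SYN-ACK blocked
# anyway, written in the newer tcpdump "Flags [..]" notation.
CONSTRUCTED_PFLOG = """\
2008-09-03 19:10:00.000000 rule 7/0(match): pass in on int: 192.168.1.100.40000 > 192.168.2.1.3389: Flags [S], seq 1, win 5840
2008-09-03 19:12:30.000000 rule 0/0(match): block out on int: 192.168.2.1.3389 > 192.168.1.100.40000: Flags [S.], seq 2, ack 2, win 16384
"""

PFLOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
# Old tcpdump: "S 123:123(0) ack 456 win ..."; new tcpdump: "Flags [S.], seq ..."
TCP_FLAGS_RE = re.compile(r"^(?:Flags \[(?P<new>[^\]]*)\]|(?P<old>[SFRPUWE.]+) )")

Key = Tuple[str, int, str, int]  # (src, sport, dst, dport)


def parse_line(line: str) -> Dict:
    """Parse one pflog line; return {} for lines not in the expected format."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return {}
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    fm = TCP_FLAGS_RE.match(rec["rest"])
    flags = (fm.group("new") or fm.group("old") or "") if fm else ""
    rec["syn"] = "S" in flags
    # Old format shows ACK as a trailing "ack N"; new format puts "." in the flag list.
    rec["ack"] = "." in flags or " ack " in rec["rest"]
    return rec


def analyze_pflog(log: str) -> Dict:
    """Correlate logged SYNs with logged SYN-ACKs.

    With 'flags S/SA keep state' pf creates the state on the SYN, and the
    SYN-ACK is then matched by that state without touching the ruleset.
    A SYN-ACK that hits a block rule therefore means no state existed; the
    useful distinction is whether the SYN was ever seen by a logged rule.
    """
    passed_syns: Dict[Key, str] = {}
    blocked_synacks: List[Dict] = []
    for line in log.splitlines():
        rec = parse_line(line)
        if not rec or not rec["syn"]:
            continue  # unparsable line, UDP (e.g. the DNS query), or a non-SYN segment
        key: Key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if not rec["ack"]:
            if rec["action"] == "pass":
                passed_syns[key] = rec["ts"]  # this SYN should have created a state
            continue
        if rec["action"] != "block":
            continue
        initiator: Key = (rec["dst"], rec["dport"], rec["src"], rec["sport"])
        # "state_missing_after_pass": the SYN passed, so the state expired or was
        # flushed before the reply. "syn_not_logged": no logged rule on any
        # interface ever saw the SYN, so it bypassed the filter (skipped interface,
        # unlogged rule) or never reached pf at all.
        kind = ("state_missing_after_pass" if initiator in passed_syns
                else "syn_not_logged")
        blocked_synacks.append({
            "ts": rec["ts"], "ifname": rec["ifname"], "rule": rec["rule"],
            "client": initiator[:2], "server": initiator[2:], "kind": kind,
        })
    return {"passed_syns": passed_syns, "blocked_synacks": blocked_synacks}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PFLOG
    for ev in analyze_pflog(text)["blocked_synacks"]:
        print(f"{ev['ts']} {ev['kind']}: SYN-ACK {ev['server']} -> {ev['client']} "
              f"blocked on {ev['ifname']} by rule {ev['rule']}")
```

Run it on the post's own lines and both blocked SYN-ACKs for client port 38289 come out as `syn_not_logged`: there is no `pass in on int` line for that SYN, even though rule @7 logs every SYN it passes, which is the thread to pull on. Feed it `tcpdump -n -e -tttt -r /var/log/pflog > log.txt` and only rules carrying `log` are visible to it, so add `log` to any pass rule you suspect before drawing conclusions.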
