This one has been annoying me for quite some time, but I'm out of ideas to troubleshoot. I think this might lie in my outbound NAT settings (https://imgur.com/a/IC2lAFk), but I'm not sure. I'm hoping someone has seen this before or can give me some other troubleshooting tips.
I have two connections to ProtonVPN that I have set up in a Gateway Group, as I was having issues with servers going down. This seems to work perfectly: if one of the connections goes down it automatically routes the traffic through the working connection. All OK.
I then use firewall rules and aliases to route the clients that I want to use the VPN - again all working fine.
So every now and then (on average about once a day) the internet connection will go down for most of the non-VPN clients, and the VPN clients' connections will be reduced but still working. If I ping 22.214.171.124 from a non-VPN machine I get no reply, and the same happens if I ping anything from the pfSense box: nothing. The Gateway Group status looks fine, all of my networks and ISP connections look OK, and my VPN clients are still able to browse OK.
To fix it I have to restart both of the ProtonVPN client services and then bang, everything starts working perfectly again on both VPN and non-VPN machines.
The thing that seems to trigger this without fail is my friend connecting to my Plex server. While this issue is going on his connection is fine, doesn’t skip a beat. I have also had this issue without him connecting to me so I know it’s not just that causing it.
So the strange thing to me is that my setup with my VPN Gateway Group, etc all works perfectly for 90% of the day. Any ideas?
I'm running a gateway group too without it affecting the rest of the network. The only difference I can see is that I have set the rules to manual. Not sure what those ISAKMP rules are, but I deleted everything and started from scratch when setting up pfSense.
Have to say my VPN servers are virtually never down … I wonder if you have set up the client correctly … perhaps select another set of VPN servers closer to your location.
Thanks for your response. I followed the VPN client instructions to the letter, and they don't seem to go down much anymore. It was more that they got 100% full and unresponsive, but I think since they've installed more servers it's better now.
I've also tried another VPN service that I'm a member of as well. That had slightly different settings in the client but ended up doing exactly the same thing.
I might have a play around with my NAT settings. I'm not sure what those ISAKMP parts are, but I might try disabling them temporarily and seeing what happens.
I'm close to ditching it all and giving OPNsense a go or something; this has been killing me and I can't seem to get anywhere with it.
From a quick look, ISAKMP seems to be related to IPsec. I doubt it impacts your setup, but it's worth a try to disable it and see the effect. I suspect it's a config error … kinda tricky to pinpoint it.
I have disabled all of them and they haven't made any difference all day, including to my issues.
I found some lines in my system logs that match the start times of these issues, which points to my WAN having high latency and packet loss around this time.
I'm starting to wonder if I have an issue with bufferbloat, or if my WAN upload is getting smashed when a mate loads a movie over Plex while it's first buffering.
I've got no traffic limiters, etc. set up, so today I tried setting up some CODELQ rules. That doesn't seem to have fixed it either, but I'm wondering whether I've set it up correctly, as my Plex server sits on a separate VLAN, so I'm looking into that now.
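The log-correlation step described in the post above (matching gateway-monitor entries against the times the outages started) can be scripted rather than eyeballed. The following is an added example and not something posted in this thread: it parses lines in the shape pfSense's gateway monitor (dpinger) writes to the gateway log, keeps only the Alarm events, and reports which observed outage starts have a WAN latency/loss alarm within a configurable window. The sample log lines, the outage times, the year (syslog timestamps carry none) and the exact line format are all assumptions constructed for the example; adjust the regex if your log lines differ.

```python
"""Correlate pfSense gateway-monitor (dpinger) alarms with observed outage start times."""
import re
from datetime import datetime, timedelta

# Assumed shape of a dpinger line in pfSense's gateway log; tweak the regex for your box.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ dpinger\[\d+\]: "
    r"(?P<gw>\S+) (?P<monitor>\S+): (?P<state>Alarm|Clear) "
    r"latency (?P<lat>\d+)us stddev (?P<sd>\d+)us loss (?P<loss>\d+)%$"
)

# Constructed sample log (not real data): two WAN alarms, one unrelated line.
SAMPLE_LOG = """\
Mar 03 19:58:12 pfSense dpinger[1234]: WAN_DHCP 203.0.113.1: Alarm latency 612345us stddev 98765us loss 31%
Mar 03 20:01:40 pfSense dpinger[1234]: WAN_DHCP 203.0.113.1: Clear latency 24000us stddev 1500us loss 0%
Mar 03 20:01:41 pfSense sshd[999]: constructed unrelated line that the parser must skip
Mar 04 08:15:03 pfSense dpinger[1234]: WAN_DHCP 203.0.113.1: Alarm latency 35000us stddev 2000us loss 100%
Mar 04 08:16:30 pfSense dpinger[1234]: WAN_DHCP 203.0.113.1: Clear latency 22000us stddev 900us loss 0%
"""

# Constructed outage start times as a user might note them down; the third has no matching alarm.
OUTAGE_STARTS = [
    datetime(2024, 3, 3, 20, 0),
    datetime(2024, 3, 4, 8, 17),
    datetime(2024, 3, 4, 15, 0),
]


def parse_gateway_events(log_text, year):
    """Return one dict per dpinger Alarm/Clear line; non-matching lines are ignored.

    syslog timestamps have no year, so the caller supplies the one the log covers.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "time": ts,
            "gateway": m["gw"],
            "state": m["state"],
            "latency_ms": int(m["lat"]) / 1000,
            "loss_pct": int(m["loss"]),
        })
    return events


def correlate_outages(outage_starts, events, window_minutes=10):
    """Map each outage start to the closest Alarm within +/- window_minutes, or None."""
    window = timedelta(minutes=window_minutes)
    alarms = [e for e in events if e["state"] == "Alarm"]
    result = {}
    for start in outage_starts:
        nearby = [a for a in alarms if abs(a["time"] - start) <= window]
        result[start] = min(nearby, key=lambda a: abs(a["time"] - start)) if nearby else None
    return result


if __name__ == "__main__":
    events = parse_gateway_events(SAMPLE_LOG, year=2024)
    for start, alarm in correlate_outages(OUTAGE_STARTS, events).items():
        if alarm:
            print(f"{start}: {alarm['gateway']} alarm at {alarm['time']} "
                  f"(latency {alarm['latency_ms']:.0f} ms, loss {alarm['loss_pct']}%)")
        else:
            print(f"{start}: no gateway alarm within the window")
```

Run it against a copy of the gateway log with the real outage times filled into OUTAGE_STARTS; an alarm lining up with every outage, but never with quiet periods, is the evidence that the WAN link itself is the trigger rather than the VPN client configuration. Widen or narrow window_minutes depending on how precisely the outage times were recorded.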
Even if your WAN is saturated, I can't see why it would take your OpenVPN client offline. Hmmm, don't really have any bright ideas, but my gut feeling is the OpenVPN client config … perhaps post an image of it and I can see if there are any deltas with mine … I'm not keen on posting screenshots of my setup, but it's your call.
So that's the thing: it's actually the opposite. When this issue happens, my VPN clients that are routing through that gateway stay connected. It's the regular LAN machines that are going straight out via the WAN that lose connection to everything.
But it isn't until I restart the two OpenVPN clients that the regular LAN machines get a connection again.