Packets disappear between router and server

I've got a router and a server, both running FreeBSD, and both connected to the same switch. For the most part, things work as expected; the server (and other hosts) can connect to multiple networks through the router just fine, and they can communicate between one another without issue (e.g. ssh). I can also connect to the router remotely via OpenVPN, and the OpenVPN tunnel itself works fine. For example, I can ssh into the router itself without issues.

The problem comes when I try to send traffic through OpenVPN to the server. I can actually see this traffic leave the router by using tcpdump on the egress interface:
Code:
# OpenVPN client is 172.16.0.18, the server it's trying to reach is 192.168.40.202, and this dump is from the router between them (which runs the OpenVPN server)
tcpdump -nqpi vlan40 proto \\udp and host 172.16.0.18
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan40, link-type EN10MB (Ethernet), capture size 262144 bytes
16:51:48.338621 IP 172.16.0.18.58658 > 192.168.40.202.53: UDP, length 40

However, this traffic mysteriously never appears on the ingress side on the server:
Code:
# Run at the same time on the server
tcpdump -nvvvi vlan40 host 172.16.0.18
tcpdump: listening on vlan40, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured

At first I thought this was due to the switch between them dropping the traffic, as there aren't any other places that packets could be dropped. However, even after I swapped out this switch for one of a completely different make and model, the problem persists. The configuration looks proper on the server as well:
Code:
# Relevant lines from ifconfig
vlan40: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4600703<RXCSUM,TXCSUM,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
        inet 192.168.40.200 netmask 0xfffffe00 broadcast 192.168.41.255
        inet 192.168.40.202 netmask 0xffffffff broadcast 192.168.40.202
        groups: vlan
        vlan: 40 vlanproto: 802.1q vlanpcp: 0 parent interface: lagg0
        media: Ethernet autoselect
        status: active
...but the packets simply don't get there, even though other traffic on the same VLAN between the router and switch is handled just fine. Anyone have an idea what could be the cause?
 
I'm using pf. However, there are rules to permit the traffic, and I don't believe I would see the egress traffic with tcpdump if it were being blocked.

Edit: The traffic is definitely being permitted by pf, as I can see an entry for it in the state table:
Code:
all udp 192.168.40.202:53 <- 172.16.0.18:44220       NO_TRAFFIC:SINGLE
all udp 172.16.0.18:44220 -> 192.168.40.202:53       SINGLE:NO_TRAFFIC
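The diagnosis above (flow visible on the router's egress capture, absent on the server's ingress capture, pf state showing one packet sent and no reply) is exactly the kind of cross-check that is worth scripting once a third capture point such as a switch mirror port is added. The following is an added example, not code from the thread: it parses tcpdump -nq lines and pfctl -ss lines, walks the capture points in path order to find the first hop at which a flow vanishes, and reads the pf state pair to tell whether pf passed the packet and the responder simply never answered. The capture-point names, the ssh flow used as a control, and the pf/tcpdump sample lines are constructed for the example (the DNS query port is reused across the tcpdump and pf samples so that they describe one flow).

```python
"""Localise where a flow disappears by correlating tcpdump output from
successive capture points (router egress, switch mirror port, server
ingress) and cross-checking the pf state table.

Added example, not code from the thread. The capture and pf lines below
are constructed to resemble the ones in the post; the capture-point names
and the ssh control flow are assumptions.
"""
import re

# tcpdump -nq line, e.g.
#   16:51:48.338621 IP 172.16.0.18.58658 > 192.168.40.202.53: UDP, length 40
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>\w+)"
)

# pfctl -ss line, e.g.
#   all udp 192.168.40.202:53 <- 172.16.0.18:44220       NO_TRAFFIC:SINGLE
PF_STATE_RE = re.compile(
    r"^(?P<if>\S+) (?P<proto>\w+) (?P<a>[\d.]+):(?P<aport>\d+) (?P<dir><-|->) "
    r"(?P<b>[\d.]+):(?P<bport>\d+)\s+(?P<state>\S+)$"
)


def parse_tcpdump(text):
    """Return the set of (proto, src, sport, dst, dport) flows seen in a capture."""
    flows = set()
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line.strip())
        if m:
            flows.add((m["proto"].lower(), m["src"], int(m["sport"]),
                       m["dst"], int(m["dport"])))
    return flows


def parse_pf_states(text):
    """Map each flow to (initiator_state, responder_state).

    pfctl prints outbound states as 'src -> dst  src_state:dst_state' and
    inbound states as 'dst <- src  dst_state:src_state', so the initiator
    is on the left of '->' but on the right of '<-'.
    """
    states = {}
    for line in text.splitlines():
        m = PF_STATE_RE.match(line.strip())
        if not m:
            continue
        left, right = m["state"].split(":", 1)
        if m["dir"] == "->":
            flow = (m["proto"], m["a"], int(m["aport"]), m["b"], int(m["bport"]))
            states[flow] = (left, right)
        else:
            flow = (m["proto"], m["b"], int(m["bport"]), m["a"], int(m["aport"]))
            states[flow] = (right, left)
    return states


def locate_drop(flow, captures):
    """captures: list of (point_name, flow_set) in path order.

    Returns (last_point_seen, first_point_missing). first_point_missing is
    None if the flow was seen everywhere; last_point_seen is None if it
    never appeared at all.
    """
    last_seen = None
    for name, flows in captures:
        if flow not in flows:
            return last_seen, name
        last_seen = name
    return last_seen, None


def diagnose(flow, captures, states):
    """Combine capture correlation with the pf state pair into one verdict."""
    last_seen, first_missing = locate_drop(flow, captures)
    initiator, responder = states.get(flow, (None, None))
    if first_missing is None:
        verdict = "delivered at every capture point"
    elif last_seen is None:
        verdict = "never left %s" % first_missing
    else:
        verdict = "seen at %s, gone by %s" % (last_seen, first_missing)
    if initiator == "SINGLE" and responder == "NO_TRAFFIC":
        verdict += "; pf passed it but the responder never answered"
    return {"last_seen": last_seen, "first_missing": first_missing,
            "pf_state": (initiator, responder), "verdict": verdict}


# Constructed sample data (assumed capture points and an assumed ssh flow).
ROUTER_EGRESS = """\
16:51:48.338621 IP 172.16.0.18.58658 > 192.168.40.202.53: UDP, length 40
16:51:48.401115 IP 172.16.0.18.50212 > 192.168.40.200.22: tcp 0
"""
SWITCH_MIRROR = ROUTER_EGRESS  # mirror of the router port sees the same frames
SERVER_INGRESS = """\
16:51:48.401290 IP 172.16.0.18.50212 > 192.168.40.200.22: tcp 0
"""
PF_STATES = """\
all udp 192.168.40.202:53 <- 172.16.0.18:58658       NO_TRAFFIC:SINGLE
all udp 172.16.0.18:58658 -> 192.168.40.202:53       SINGLE:NO_TRAFFIC
all tcp 172.16.0.18:50212 -> 192.168.40.200:22       ESTABLISHED:ESTABLISHED
"""

CAPTURES = [("router_egress", parse_tcpdump(ROUTER_EGRESS)),
            ("switch_mirror", parse_tcpdump(SWITCH_MIRROR)),
            ("server_ingress", parse_tcpdump(SERVER_INGRESS))]
DNS_FLOW = ("udp", "172.16.0.18", 58658, "192.168.40.202", 53)
SSH_FLOW = ("tcp", "172.16.0.18", 50212, "192.168.40.200", 22)

if __name__ == "__main__":
    pf = parse_pf_states(PF_STATES)
    for f in (DNS_FLOW, SSH_FLOW):
        print(f, "->", diagnose(f, CAPTURES, pf)["verdict"])
```

Feeding real output in is a matter of pasting `tcpdump -nq` from each host and `pfctl -ss` from the router into the three strings; the point of the control flow is that a flow which does arrive (here the ssh session) should come out as delivered at every point, so a failure to parse is not mistaken for a drop.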
 
Dumb switch, smart/managed switch? Can you port mirror on the switch and capture the traffic from the router and then to the server?
The ifconfig output, that is for the input side of the server, yes?
Have you tried hitting the 40.200 address instead of the 40.202?
 
What does your OpenVPN server configuration look like?
On the server:
Code:
local <redacted>
port 1194
proto udp
dev tun0
topology subnet

ca certs/ca.crt
cert certs/server.crt
key certs/server.key
dh certs/dh2048.pem
tls-auth certs/ta.key 0
crl-verify certs/crl.pem

server 172.16.0.16 255.255.255.240
push "route 192.168.40.0 255.255.254.0"
push "route 192.168.60.0 255.255.252.0"
push "route 192.168.200.0 255.255.255.0"
push "route 192.168.182.0 255.255.255.0"
push "dhcp-option DNS 192.168.40.202"
push "dhcp-option DOMAIN redacted"

keepalive 20 120
cipher AES-128-GCM
max-clients 16

persist-key
persist-tun

verb 0
mute 5
Dumb switch, smart/managed switch? Can you port mirror on the switch and capture the traffic from the router and then to the server?
The ifconfig output, that is for the input side of the server, yes?
Have you tried hitting the 40.200 address instead of the 40.202?
It's a managed switch. I'm planning on mirroring the port connected to the router to see what is actually being sent over the wire, but haven't had the time yet to do so. The ifconfig is from the server, not the router. I will try connecting to the 200 address through the VPN when I get a chance, though I suspect it will be the same (due to the fact that I know the router can reach the .202 address, as DNS requests from the router resolve just fine).
 