I have a SRX240H2 which is connected to the internet. Behind this is one ethernet port with 3 internal VLANs (VLAN1,VLAN2,VLAN3) and one ethernet port without vlan taging which serves public IP addresses (PUBLIC).
Within VLAN1 I have a virtual pfsense Server which also has a (virtual) ethernet in PUBLIC. The pfsense ist configured to route all traffic that comes from the openvpn directly to the srx. This way all VPN traffic goes through the SRX firewall. This all works well and I can ping and mtr all internal IPs without package loss after connecting with OpenVPN to the pfsense. Also ssh works for all internal IPs at first. The only problem is that after 10 seconds of being connnected to a IP in VLAN1 the connection breaks with "broken pipe". Connecting to the other VLANs works flawlessly. Also connecting to the IP of the SRX within VLAN1 works without problems. I suspect that the SRX somehow has a problem with the fact that the packages have the same incomming and outgoing interface (come from pfsense within VLAN1 and go to a Host within VLAN1).
Could this be a problem?
For me it sounds like ASYMETRIC traffic flow, that the return traffic goes directly and not via the SRX
Typically to solve that you need to do a Interface Source-NAT of the originating traffic on the srx vlan 1 when going to Vlan 1, thus forces the return traffic to alos go via the SRX
In order to proof asymetric traffic you can look into the "show security flow sessions" and if for the problematic session you always see the return packets of 0 you have the proof
with best regards
I currently have no time to test this but will ASAP. One question though. Wouldn't that prevent any traffic to go through? The first 10 seconds of the ssh session work without problems. I can type any command and will get the corresponding output back. Just after the 10 seconds it breaks.
Another information is that the internal IP used by the OpenVPN tunnel and therefore the source address of all traffic that comes from the tunnel is another IP range (Lets call ist VLAN*4, regardless that it is not a Vlan in the sense of 802.1Q).
Therefore The Source address of the Package reaching the host in VLAN1 is coming from something outside its Network and is routed back to its default gateway which is the SRX.
Therefore the Traffic should be as follows:
VPN client (VLAN*4) -> PFSENSE (VLAN1) -> SRX (VLAN1) -> Server (VLAN1) -> SRX (VLAN1) -> PFSENSE (VLAN1) -> VPN Client
While I type these words I see that in mtr I only see
(VPN Client, not shown) -> SRX (VLAN1) -> Server (VLAN1). I Wonder why the Pfsense does not show as router.
If you have a assymteric routing, your TCP three way handshake will get completed in the client and server side , but not on the firewall. The firewall will keep the session for around 20 seconds and then close the session. Check this link for more details:-
it was indeed a assymetric routing problem. I also had to disable ICMP-Redirects (https://www.juniper.net/techpubs/en_US/junos/topics/task/configuration/protocol-redirect-message-disabling.html) in the SRX. After that everything works fine.