Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfsense 21.05.2 block traffic when it should not

    Scheduled Pinned Locked Moved
    Firewalling
    3
    3
    369
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      Rocco83
      last edited by

      Hi,

      I've experienced a OpenVPN issue since an upgrade on the VM pfsense.
      I'm running pfsense plus 21.05.2 on xg-7100 appliances

      Trigger of the issue:

      • The upgrade of the VPN server virtual machine from debian buster (kernel version 4.19.0-23, openvpn version 2.4.7-1+deb10u1) to debian bullseye (kernel version 5.10.0-23, openvpn version 2.5.1-3)

      Summary:

      • "big udp" packets gets dropped (>1500 bytes = MTU)
      • I noticed the issue because OSPF (VM to VM) was not able to start, remaining in Exchange/DR.

      Additional informations:

      • both VMs run in XEN hypervisor (NOT changed over the upgrade, not even rebooted)
      • possibly a newer kernel version triggered some offload mechanism
      • the Linux MTU is set to 1500 on both side
      • I see UDP packets coming from the VPN Server with a size of 1539 bytes

      Possibly similar to:
      https://forum.netgate.com/topic/123169/problems-with-mtu-and-dropped-packets
      https://forum.netgate.com/topic/180105/fragmentation-issue-on-ipsec-vti-tunnel
      And seems to fall perfectly in
      https://redmine.pfsense.org/issues/7779

      Network schema:
      There is a routed public ip subnet routed via pfsense.
      the schema is:
      VM1 in internet with public IP -- (INET) <- pfsense <- VM2 in internet with public IP

      VM2 connect to VM1 via UDP.

      Sample packet lost:

      00:26:01.322706 IP (tos 0x0, ttl 64, id 12359, offset 0, flags [+], proto UDP (17), length 1500)
    vpnserver.udpserverport > vpnclient.50052: UDP, length 1527
00:26:01.322725 IP (tos 0x0, ttl 64, id 12359, offset 1480, flags [none], proto UDP (17), length 75)
    vpnserver > vpnclient: ip-proto-17

      pfsense /var/log/filter.log logs:

      4,,,1000000103,lagg1.11,match,block,in,4,0x0,,59,7944,0,+,17,udp,1500,vpnserver,vpnclient,udpserverport,51858,1547
4,,,1000000103,lagg1.11,match,block,in,4,0x0,,59,7944,1480,none,17,udp,87,vpnserver,vpnclient,

      Expected result:
      pfsense should allow the traffic, as it is related to a connection started by the client

      Actual result:
      pfsense block & log the packets

      Workaround applied:
      a specific rule in the lagg.11 interface which allow the UDP traffic for the two endpoint (no port listed)

      1 Reply Last reply Reply Quote 0
      • R
        rcoleman-netgate Netgate
        last edited by

        My recommendation: Back up your config and upgrade.

        Ryan
        Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
        Requesting firmware for your Netgate device? https://go.netgate.com
        Switching: Mikrotik, Netgear, Extreme
        Wireless: Aruba, Ubiquiti

        1 Reply Last reply Reply Quote 0
        • D
          DEHAAS
          last edited by

          Hi Rocco,

          Not sure it the same problem, but you may want to look at https://redmine.pfsense.org/issues/14396. It fixes the problem you are referring to for VTI tunnels, but the fix may be broader than that.

          / Christopher

          1 Reply Last reply Reply Quote 0
          • First post
            Last post