Netgate Discussion Forum

Biggest ping size

General pfSense Questions
    simpat1zq
    last edited by Dec 28, 2005, 3:06 AM

    When I try to ping the LAN interface with anything larger than 25152 bytes, it fails. If I ping it with 25152 bytes exactly, it takes roughly 40 ms. So I have a few questions:

    Why is that limited to 25152 bytes? Is that by design? Why such a weird number (it's a palindrome too)?

    How come the ping takes 40ms when a normal ping over 100mbit takes 4ms? Is it because it has to do some processing on it first, as far as firewall rules and such?

    thx

      sullrich
      last edited by Dec 28, 2005, 7:17 PM

      Research this… (hint: it's by design!)

      sysctl -a | grep icmplim

      net.inet.icmp.icmplim: 200
      net.inet.icmp.icmplim_output: 1

        simpat1zq
        last edited by Dec 29, 2005, 12:50 AM

        ok, I have NO clue what that means. But I'll give it a shot (I don't know anything about FreeBSD).

        I'm guessing that 'icmplim' is short for icmp limit. 25152 bytes = 201.216 kilobits. So I'm guessing that's where the 200 is coming from (does that 1.216 have something to do with overhead?).

        So why is the limit at 200? Is there a technical limitation, or is that just some number someone decided to use?

        And why does it take longer for the firewall box to respond than a Windows PC (which can handle ICMP up to 65500 bytes)? (Neither one of them had much load (~6% CPU) on them when I was doing these pings.)

          sullrich
          last edited by Dec 29, 2005, 12:52 AM

          Read http://www.m0n0.ch/wall/list/showmsg.php?id=151/77

            simpat1zq
            last edited by Dec 29, 2005, 2:43 AM

            well, I'm confused more now (but at least I'm learning something).

            When I run the 'ping -f -c 100000 192.168.1.XXX' command to another computer or to the pfsense box, I get a message saying "ping: cannot flood; minimal interval, allowed for user, is 200ms". (I had to run that command from a Linux box btw.)

            Is that the same '200' that was in the sysctl output? Does Windows have that same 200 ms limit?

            And if I understand the ping options correctly, you're (trying to) flood the IP addy with 100000 ICMP requests, hoping to get 100000 answers back, but the device gets 2 requests within 200 ms, and calls shenanigans on you before you can finish the rest, is that right? I'm guessing this is to stop DoS attacks?

            If that's right then let's get back to the 25152 limit. Is the request getting split into 2 pieces which are coming one after another (within 200 ms), and the firewall rejects it?

              billm
              last edited by Dec 29, 2005, 7:28 AM

              @simpat1zq:

              well, I'm confused more now (but at least I'm learning something).

              When I run the 'ping -f -c 100000 192.168.1.XXX' command to another computer or to the pfsense box, I get a message saying "ping: cannot flood; minimal interval, allowed for user, is 200ms". (I had to run that command from a Linux box btw.)

              Let me guess, you did that as a normal user?  Try doing that as root.

              @simpat1zq:

              Is that the same '200' that was in the sysctl output? Does Windows have that same 200 ms limit?

              Probably not, and Windows doesn't have the limit.

              @simpat1zq:

              And if I understand the ping options correctly, you're (trying to) flood the IP addy with 100000 ICMP requests, hoping to get 100000 answers back, but the device gets 2 requests within 200 ms, and calls shenanigans on you before you can finish the rest, is that right? I'm guessing this is to stop DoS attacks?

              Basically.

              @simpat1zq:

              If that's right then let's get back to the 25152 limit. Is the request getting split into 2 pieces which are coming one after another (within 200 ms), and the firewall rejects it?

              Two?  A lot more than 2.  Maximum segment size on a 10/100 ethernet segment is 1500 bytes - this includes IP and ICMP headers.  Any packets larger than this will get fragmented.  Using a 25152 sized packet guarantees many fragments.  This might be a pf limit btw, it'll reassemble fragments too, up to a certain size (not sure what that is offhand), then it'll start dropping the packets too, assuming it's under a resource starvation attack.

              –Bill

              pfSense core developer
              blog - http://www.ucsecurity.com/
              twitter - billmarquette

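As an added example (not from the thread) that puts numbers on Bill's fragmentation explanation: it applies the IPv4 fragmentation rule for a 1500-byte MTU (20-byte IP header without options, 8-byte ICMP echo header, fragment offsets in 8-byte units) to the ping sizes mentioned in this thread. The arithmetic shows that 25152 + 8 = 17 × 1480, so 25152 is the largest echo payload that reassembles from exactly 17 full-size fragments; on FreeBSD the per-datagram fragment cap is the sysctl net.inet.ip.maxfragsperpacket, which is the value to compare that figure against on the box (alongside icmplim).

```python
"""Worked IPv4 fragmentation arithmetic for the ping sizes in the thread (added example)."""

IP_HDR = 20      # IPv4 header without options, bytes (assumed: no IP options)
ICMP_HDR = 8     # ICMP echo header: type, code, checksum, id, sequence
MTU = 1500       # Ethernet MTU on a 10/100 segment, bytes


def data_per_fragment(mtu: int = MTU) -> int:
    """Transport bytes one fragment can carry: MTU minus IP header, rounded down
    to a multiple of 8 because the fragment offset field counts 8-byte units."""
    return (mtu - IP_HDR) // 8 * 8          # 1480 for a 1500-byte MTU


def fragments(payload_len: int, mtu: int = MTU) -> list[tuple[int, int, bool]]:
    """Split an ICMP echo with payload_len data bytes into IPv4 fragments.

    Returns one (offset_in_bytes, transport_bytes, more_fragments) tuple per
    fragment, in wire order. The ICMP header travels in the first fragment only.
    """
    transport_len = ICMP_HDR + payload_len
    per_frag = data_per_fragment(mtu)
    frags, offset = [], 0
    while offset < transport_len:
        chunk = min(per_frag, transport_len - offset)
        more = offset + chunk < transport_len   # MF bit set on all but the last
        frags.append((offset, chunk, more))
        offset += chunk
    return frags


def fragment_count(payload_len: int, mtu: int = MTU) -> int:
    return len(fragments(payload_len, mtu))


def max_payload_for(n_frags: int, mtu: int = MTU) -> int:
    """Largest echo payload that fits in exactly n_frags full-size fragments."""
    return n_frags * data_per_fragment(mtu) - ICMP_HDR


if __name__ == "__main__":
    # 1472 is the classic "largest unfragmented ping"; 25152/25153 straddle the
    # 17-fragment boundary; 65500 is the Windows ping maximum quoted in the thread.
    for size in (56, 1472, 1473, 1501, 25152, 25153, 65500):
        print(f"{size:6d}-byte ping -> {fragment_count(size):2d} fragment(s)")
    print("17 full fragments carry at most", max_payload_for(17), "payload bytes")
```

Compare the fragment count for the failing size against `sysctl net.inet.ip.maxfragsperpacket` on the firewall and against `net.inet.icmp.icmplim` separately: the first caps fragments per datagram, the second caps ICMP responses per second.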
                simpat1zq
                last edited by Dec 29, 2005, 2:06 PM

                yeah, I was doing it as regular user. I'll try it as root when I get home.

                Two?  A lot more than 2.

                Well if that's the case, shouldn't a 1501 byte ping fail, as that will send 2 packets within 200 ms?

                  billm
                  last edited by Dec 29, 2005, 7:43 PM

                  @simpat1zq:

                  yeah, I was doing it as regular user. I'll try it as root when I get home.

                  Two?  A lot more than 2.

                  Well if that's the case, shouldn't a 1501 byte ping fail, as that will send 2 packets within 200 ms?

                  Read the rest of my post please.

                  –Bill

                  pfSense core developer
                  blog - http://www.ucsecurity.com/
                  twitter - billmarquette

                    simpat1zq
                    last edited by Dec 29, 2005, 10:35 PM

                    Yeah, that's where I'm confused. sullrich seemed like he was implying that 'net.inet.icmp.icmplim: 200' was the reason this was happening. But it sounds like you're saying that this is happening because of something in pfsense. The thing I was mainly curious about is the reason 25152 is the limit, as opposed to another number.
