    Enable MSS clamping on VPN traffic doesn't work

    2.0-RC Snapshot Feedback and Problems - RETIRED
    13 Posts 4 Posters 11.3k Views
      ggzengel

      Now again with more details:
      I think the bad checksum is an interpreter failure, because the ping in the second part is working. Windows should ignore wrong packets.
      Can somebody verify this?

      Not working:
      16:31:16.037859 (authentic,confidential): SPI 0x73a9f4f1: (tos 0x0, ttl 126, id 17458, offset 0, flags [none], proto ICMP (1), length 1419, bad cksum 80a1 (->81a1)!)
          10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 58999, length 1399
      16:31:16.067375 (authentic,confidential): SPI 0x0594434b: (tos 0x0, ttl 63, id 18113, offset 0, flags [+], proto ICMP (1), length 1412)
          192.168.165.77 > 10.19.1.150: ICMP echo reply, id 95, seq 58999, length 1392
      16:31:16.074431 (authentic,confidential): SPI 0x0594434b: (tos 0x0, ttl 63, id 18113, offset 1392, flags [none], proto ICMP (1), length 27)
          192.168.165.77 > 10.19.1.150: icmp
      16:31:17.784822 (authentic,confidential): SPI 0x73a9f4f1: (tos 0x0, ttl 126, id 17473, offset 0, flags [none], proto ICMP (1), length 1419, bad cksum 8092 (->8192)!)
          10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 59008, length 1399
      16:31:17.818824 (authentic,confidential): SPI 0x0594434b: (tos 0x0, ttl 63, id 18114, offset 0, flags [+], proto ICMP (1), length 1412)
          192.168.165.77 > 10.19.1.150: ICMP echo reply, id 95, seq 59008, length 1392
      16:31:17.822738 (authentic,confidential): SPI 0x0594434b: (tos 0x0, ttl 63, id 18114, offset 1392, flags [none], proto ICMP (1), length 27)
          192.168.165.77 > 10.19.1.150: icmp
      16:31:19.782495 (authentic,confidential): SPI 0x73a9f4f1: (tos 0x0, ttl 126, id 17488, offset 0, flags [none], proto ICMP (1), length 1419, bad cksum 8083 (->8183)!)
          10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 59018, length 1399
      16:31:19.811340 (authentic,confidential): SPI 0x0594434b: (tos 0x0, ttl 63, id 18115, offset 0, flags [+], proto ICMP (1), length 1412)
          192.168.165.77 > 10.19.1.150: ICMP echo reply, id 95, seq 59018, length 1392
      16:31:19.816631 (authentic,confidential): SPI 0x0594434b: (tos 0x0, ttl 63, id 18115, offset 1392, flags [none], proto ICMP (1), length 27)
          192.168.165.77 > 10.19.1.150: icmp

      Working:
      16:31:28.509078 (authentic,confidential): SPI 0x73a9f4f1: (tos 0x0, ttl 126, id 17538, offset 0, flags [none], proto ICMP (1), length 1418, bad cksum 8052 (->8152)!)
          10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 59061, length 1398
      16:31:28.538236 (authentic,confidential): SPI 0x0594434b: (tos 0x0, ttl 63, id 18116, offset 0, flags [none], proto ICMP (1), length 1418)
          192.168.165.77 > 10.19.1.150: ICMP echo reply, id 95, seq 59061, length 1398
      16:31:29.521018 (authentic,confidential): SPI 0x73a9f4f1: (tos 0x0, ttl 126, id 17551, offset 0, flags [none], proto ICMP (1), length 1418, bad cksum 8045 (->8145)!)
          10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 59068, length 1398
      16:31:29.549053 (authentic,confidential): SPI 0x0594434b: (tos 0x0, ttl 63, id 18117, offset 0, flags [none], proto ICMP (1), length 1418)
          192.168.165.77 > 10.19.1.150: ICMP echo reply, id 95, seq 59068, length 1398
      16:31:30.535453 (authentic,confidential): SPI 0x73a9f4f1: (tos 0x0, ttl 126, id 17556, offset 0, flags [none], proto ICMP (1), length 1418, bad cksum 8040 (->8140)!)
          10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 59073, length 1398
      16:31:30.567739 (authentic,confidential): SPI 0x0594434b: (tos 0x0, ttl 63, id 18118, offset 0, flags [none], proto ICMP (1), length 1418)
          192.168.165.77 > 10.19.1.150: ICMP echo reply, id 95, seq 59073, length 1398
      16:31:31.549893 (authentic,confidential): SPI 0x73a9f4f1: (tos 0x0, ttl 126, id 17563, offset 0, flags [none], proto ICMP (1), length 1418, bad cksum 8039 (->8139)!)
          10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 59080, length 1398
      16:31:31.579935 (authentic,confidential): SPI 0x0594434b: (tos 0x0, ttl 63, id 18119, offset 0, flags [none], proto ICMP (1), length 1418)
          192.168.165.77 > 10.19.1.150: ICMP echo reply, id 95, seq 59080, length 1398

        cmb

        MSS is TCP-only; it has no impact on ICMP, as ICMP has no concept of MSS. It is setting the proper MSS clamping; you just need to see some TCP traffic.

          ggzengel

          Today the max size is 1472 bytes.
          ping -l 1473 doesn't reply.
          ping -f -l 1473 says to clear the DF bit.

          I have changed the ICMP rules to allow any ICMP from WAN and IPsec.
          But the webpage isn't reachable.

          I can ping -l 1600 to a Bintec router, a Windows server, …

          If I ping the Areca controller over pfSense-pfSense it doesn't work either.
          I never tried to ping an Areca controller with ping -l 1473 before. But the webpage worked before.

          14:39:08.407301 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19449, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 2348573:2349945, ack 707714766, win 1446, length 1372
          14:39:08.413007 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19449, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.414011 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19450, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 1446:2818, ack 1, win 1446, length 1372
          14:39:08.414218 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19450, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.414473 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19451, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 2892:4264, ack 1, win 1446, length 1372
          14:39:08.414563 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19451, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.415757 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19452, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 4338:5710, ack 1, win 1446, length 1372
          14:39:08.418103 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19452, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.418361 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19453, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 5784:7156, ack 1, win 1446, length 1372
          14:39:08.418449 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19453, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.418707 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19454, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 7230:8602, ack 1, win 1446, length 1372
          14:39:08.418796 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19454, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.419072 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19455, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 8676:10048, ack 1, win 1446, length 1372
          14:39:08.419240 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19455, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.420008 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19456, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 10122:11494, ack 1, win 1446, length 1372
          14:39:08.420214 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19456, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.420469 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19457, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 11568:12940, ack 1, win 1446, length 1372
          14:39:08.425213 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19457, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.425623 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19458, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 13014:14386, ack 1, win 1446, length 1372
          14:39:08.426707 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19458, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.431746 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19459, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 14460:15832, ack 1, win 1446, length 1372
          14:39:08.432700 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19459, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.432956 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19460, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 15906:17278, ack 1, win 1446, length 1372
          14:39:08.442570 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19460, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.445738 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19461, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 17352:18724, ack 1, win 1446, length 1372
          14:39:08.452087 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19461, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.452345 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19462, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 18798:20170, ack 1, win 1446, length 1372
          14:39:08.452433 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19462, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.452691 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19463, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 20244:21616, ack 1, win 1446, length 1372
          14:39:08.452777 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19463, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.454856 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19464, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 21690:23062, ack 1, win 1446, length 1372
          14:39:08.460558 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19464, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.460815 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19465, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 23136:24508, ack 1, win 1446, length 1372
          14:39:08.460902 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19465, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.461182 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19466, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 24582:25954, ack 1, win 1446, length 1372
          14:39:08.461269 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19466, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.465121 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19467, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 26028:27400, ack 1, win 1446, length 1372
          14:39:08.471804 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19467, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.472094 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19468, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 27474:28846, ack 1, win 1446, length 1372
          14:39:08.472184 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19468, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.475465 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19469, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 28920:30292, ack 1, win 1446, length 1372
          14:39:08.481864 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19469, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.485358 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19470, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 30366:31738, ack 1, win 1446, length 1372
          14:39:08.490173 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19470, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.492229 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19471, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 31812:33184, ack 1, win 1446, length 1372
          14:39:08.502702 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19471, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.502952 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19472, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 33258:34630, ack 1, win 1446, length 1372
          14:39:08.503059 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19472, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.503318 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19473, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 34704:36076, ack 1, win 1446, length 1372
          14:39:08.503406 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19473, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.503667 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19474, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 36150:37522, ack 1, win 1446, length 1372
          14:39:08.503752 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19474, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.507621 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19475, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 37596:38968, ack 1, win 1446, length 1372
          14:39:08.515412 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19475, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.515670 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19476, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 39042:40414, ack 1, win 1446, length 1372
          14:39:08.515755 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19476, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.517566 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19477, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 40488:41860, ack 1, win 1446, length 1372
          14:39:08.522265 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19477, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.524306 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19478, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 41934:43306, ack 1, win 1446, length 1372
          14:39:08.531634 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19478, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.537688 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19479, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 43380:44752, ack 1, win 1446, length 1372
          14:39:08.547253 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19479, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.547506 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19480, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 44826:46198, ack 1, win 1446, length 1372
          14:39:08.547599 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19480, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.547855 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19481, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 46272:47644, ack 1, win 1446, length 1372
          14:39:08.547943 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19481, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.548220 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19482, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 47718:49090, ack 1, win 1446, length 1372
          14:39:08.548307 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19482, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.549670 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19483, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 49164:50536, ack 1, win 1446, length 1372
          14:39:08.556243 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19483, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.556497 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19484, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 50610:51982, ack 1, win 1446, length 1372
          14:39:08.556587 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19484, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.556974 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19485, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 52056:53428, ack 1, win 1446, length 1372
          14:39:08.557082 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19485, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.562195 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19486, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 53502:54874, ack 1, win 1446, length 1372
          14:39:08.566988 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19486, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.575062 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19487, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 54948:56320, ack 1, win 1446, length 1372
          14:39:08.575135 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19487, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.576140 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19488, offset 0, flags [none], proto TCP (6), length 1179)
              192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], cksum 0xe85a (correct), seq 56394:57533, ack 1, win 1446, length 1139
          14:39:08.576547 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6612, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 705d (->715d)!)
              10.19.1.150.49896 > 192.168.165.77.80: Flags [.], cksum 0x9d90 (correct), seq 1, ack 0, win 65070, length 0
          14:39:08.753576 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6615, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 705a (->715a)!)
              10.19.1.150.49896 > 192.168.165.77.80: Flags [R.], cksum 0x9bbb (correct), seq 1, ack 0, win 0, length 0
          14:39:08.753829 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6616, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 7059 (->7159)!)
              10.19.1.150.49897 > 192.168.165.77.80: Flags [R.], cksum 0x67ce (correct), seq 3295702231, ack 1106385, win 0, length 0
          14:39:08.754041 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6617, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 7058 (->7158)!)
              10.19.1.150.49898 > 192.168.165.77.80: Flags [R.], cksum 0xf8a7 (correct), seq 2938165598, ack 719301, win 0, length 0
          14:39:08.757381 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6618, offset 0, flags [DF], proto TCP (6), length 48, bad cksum 704f (->714f)!)
              10.19.1.150.49901 > 192.168.165.77.80: Flags [s], cksum 0xc5f6 (correct), seq 1740833165, win 8192, options [mss 1200,nop,nop,sackOK], length 0
          14:39:08.793422 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19489, offset 0, flags [+], proto TCP (6), length 1412)
              192.168.165.77.80 > 10.19.1.150.49898: Flags [P.], seq 1:1373, ack 0, win 1446, length 1372
          14:39:08.797895 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19489, offset 1392, flags [none], proto TCP (6), length 94)
              192.168.165.77 > 10.19.1.150: tcp
          14:39:08.798073 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19490, offset 0, flags [none], proto TCP (6), length 44)
              192.168.165.77.80 > 10.19.1.150.49901: Flags [S.], cksum 0xd2c5 (correct), seq 2826592, ack 1740833166, win 1446, options [mss 1446], length 0
          14:39:08.798411 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6620, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 7055 (->7155)!)
              10.19.1.150.49901 > 192.168.165.77.80: Flags [.], cksum 0xf1eb (correct), seq 1, ack 1, win 65070, length 0
          14:39:08.798794 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6621, offset 0, flags [DF], proto TCP (6), length 644, bad cksum 6df8 (->6ef8)!)
              10.19.1.150.49901 > 192.168.165.77.80: Flags [P.], cksum 0x5a60 (correct), seq 1:605, ack 1, win 65070, length 604
          14:39:08.831836 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19491, offset 0, flags [none], proto TCP (6), length 40)
              192.168.165.77.80 > 10.19.1.150.49901: Flags [.], cksum 0xe818 (correct), seq 1, ack 605, win 1446, length 0
          14:39:08.835273 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19492, offset 0, flags [none], proto TCP (6), length 770)
              192.168.165.77.80 > 10.19.1.150.49901: Flags [P.], cksum 0x072c (correct), seq 1:731, ack 605, win 1446, length 730
          14:39:08.837857 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6622, offset 0, flags [DF], proto TCP (6), length 926, bad cksum 6cdd (->6ddd)!)
              10.19.1.150.49901 > 192.168.165.77.80: Flags [P.], cksum 0x2d71 (correct), seq 605:1491, ack 731, win 64340, length 886
          14:39:08.838924 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6623, offset 0, flags [DF], proto TCP (6), length 48, bad cksum 704a (->714a)!)
              10.19.1.150.49902 > 192.168.165.77.80: Flags [s], cksum 0xc025 (correct), seq 1289560643, win 8192, options [mss 1200,nop,nop,sackOK], length 0
          14:39:08.839899 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6624, offset 0, flags [DF], proto TCP (6), length 48, bad cksum 7049 (->7149)!)
              10.19.1.150.49903 > 192.168.165.77.80: Flags [s], cksum 0x81c1 (correct), seq 3762146629, win 8192, options [mss 1200,nop,nop,sackOK], length 0
          14:39:08.868181 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19493, offset 0, flags [none], proto TCP (6), length 40)
              192.168.165.77.80 > 10.19.1.150.49901: Flags [.], cksum 0xe1c8 (correct), seq 731, ack 1491, win 1446, length 0
          14:39:08.872257 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19494, offset 0, flags [none], proto TCP (6), length 821)
              192.168.165.77.80 > 10.19.1.150.49901: Flags [P.], cksum 0x3e12 (correct), seq 731:1512, ack 1491, win 1446, length 781
          14:39:08.877155 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19495, offset 0, flags [none], proto TCP (6), length 44)
              192.168.165.77.80 > 10.19.1.150.49902: Flags [S.], cksum 0x9167 (correct), seq 4611282, ack 1289560644, win 1446, options [mss 1446], length 0
          14:39:08.877452 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6625, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 7050 (->7150)!)
              10.19.1.150.49902 > 192.168.165.77.80: Flags [.], cksum 0xb08d (correct), seq 1, ack 1, win 65070, length 0
          14:39:08.877946 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6626, offset 0, flags [DF], proto TCP (6), length 924, bad cksum 6cdb (->6ddb)!)
              10.19.1.150.49902 > 192.168.165.77.80: Flags [P.], cksum 0xf752 (correct), seq 1:885, ack 1, win 65070, length 884
          14:39:08.878398 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19496, offset 0, flags [none], proto TCP (6), length 44)
              192.168.165.77.80 > 10.19.1.150.49903: Flags [S.], cksum 0x4dc8 (correct), seq 4219411, ack 3762146630, win 1446, options [mss 1446], length 0
          
          In the firewall log as blocked:

            Dec 8 14:40:03 enc0   192.168.165.77    10.19.1.150  TCP:
            Dec 8 14:40:03 enc0   192.168.165.77:80    10.19.1.150:49902  TCP:PA
            Dec 8 14:40:03 enc0   192.168.165.77    10.19.1.150  TCP:
            Dec 8 14:40:03 enc0   192.168.165.77:80    10.19.1.150:49902  TCP:PA
            Dec 8 14:40:00 enc0   192.168.165.77    10.19.1.150  TCP:
            Dec 8 14:40:00 enc0   192.168.165.77:80    10.19.1.150:49902  TCP:PA
            Dec 8 14:40:00 enc0   192.168.165.77    10.19.1.150  TCP:
            Dec 8 14:40:00 enc0   192.168.165.77:80    10.19.1.150:49902  TCP:PA
            Dec 8 14:39:57 enc0   192.168.165.77    10.19.1.150  TCP:
            Dec 8 14:39:57 enc0   192.168.165.77:80    10.19.1.150:49902  TCP:PA
          
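The capture above can be read mechanically. The script below is an added example (mine, not code from the post, from pfSense or from Netgate): it parses the pairs of tcpdump -v lines, groups fragments by (src, dst, IP ID) and checks that they are contiguous, derives how many data bytes each segment from 192.168.165.77:80 really carried, and picks the MSS option out of the SYN and SYN-ACK. The sample lines are copied from the post; the one assumption is a 20-byte TCP header on the data segments (the Bintec trace later in the thread shows "offset 5", i.e. no options). On these lines it reports client MSS 1200, controller MSS 1446 and 1446 data bytes per controller segment, confirmed by the relative sequence numbers advancing 1446, 2892, 4338: the controller sizes its segments to its own MSS rather than to the 1200 the client advertised, so each 1466-byte datagram has to be split into 1412 + 94 bytes to cross the tunnel no matter what the client's SYN was clamped to.

```python
import re
from collections import defaultdict

IPV4_HDR = 20  # no IP options in these captures
TCP_HDR = 20   # assumption: data segments carry no TCP options (the later Bintec trace shows "offset 5")

# Constructed sample: eight packets copied from the capture in the post above
# (three fragmented data segments, the client's SYN and the controller's SYN-ACK).
CAPTURE = """\
14:39:08.414011 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19450, offset 0, flags [+], proto TCP (6), length 1412)
    192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 1446:2818, ack 1, win 1446, length 1372
14:39:08.414218 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19450, offset 1392, flags [none], proto TCP (6), length 94)
    192.168.165.77 > 10.19.1.150: tcp
14:39:08.414473 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19451, offset 0, flags [+], proto TCP (6), length 1412)
    192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 2892:4264, ack 1, win 1446, length 1372
14:39:08.414563 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19451, offset 1392, flags [none], proto TCP (6), length 94)
    192.168.165.77 > 10.19.1.150: tcp
14:39:08.415757 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19452, offset 0, flags [+], proto TCP (6), length 1412)
    192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 4338:5710, ack 1, win 1446, length 1372
14:39:08.418103 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19452, offset 1392, flags [none], proto TCP (6), length 94)
    192.168.165.77 > 10.19.1.150: tcp
14:39:08.757381 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6618, offset 0, flags [DF], proto TCP (6), length 48, bad cksum 704f (->714f)!)
    10.19.1.150.49901 > 192.168.165.77.80: Flags [S], cksum 0xc5f6 (correct), seq 1740833165, win 8192, options [mss 1200,nop,nop,sackOK], length 0
14:39:08.798073 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19490, offset 0, flags [none], proto TCP (6), length 44)
    192.168.165.77.80 > 10.19.1.150.49901: Flags [S.], cksum 0xd2c5 (correct), seq 2826592, ack 1740833166, win 1446, options [mss 1446], length 0
"""

HDR_RE = re.compile(r"id (?P<id>\d+), offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], "
                    r"proto \w+ \(\d+\), length (?P<length>\d+)")
FIRST_RE = re.compile(r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                      r"Flags \[[^\]]*\].*?seq (?P<seq>\d+)")
FRAG_RE = re.compile(r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): \w+$")
MSS_RE = re.compile(r"options \[[^\]]*\bmss (?P<mss>\d+)")

def parse_capture(text):
    """One dict per IP packet or fragment, from consecutive pairs of tcpdump -v lines."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    packets = []
    for hdr, body in zip(lines[0::2], lines[1::2]):
        h = HDR_RE.search(hdr)
        if h is None:
            raise ValueError("unrecognised header line: " + hdr)
        pkt = {"id": int(h["id"]), "offset": int(h["offset"]), "mf": "+" in h["flags"],
               "ip_len": int(h["length"]), "sport": None, "dport": None, "seq": None, "mss": None}
        m = FIRST_RE.search(body)
        if m:   # first (or only) fragment: the TCP header is visible
            o = MSS_RE.search(body)
            pkt.update(src=m["src"], dst=m["dst"], sport=int(m["sport"]), dport=int(m["dport"]),
                       seq=int(m["seq"]), mss=int(o["mss"]) if o else None)
        else:   # later fragment: tcpdump prints only addresses and the protocol name
            f = FRAG_RE.search(body)
            if f is None:
                raise ValueError("unrecognised packet line: " + body)
            pkt.update(src=f["src"], dst=f["dst"])
        packets.append(pkt)
    return packets

def reassemble(packets):
    """IP payload bytes per datagram, keyed by (src, dst, id); fails on a gap or a missing tail."""
    groups = defaultdict(list)
    for p in packets:
        groups[(p["src"], p["dst"], p["id"])].append(p)
    totals = {}
    for key, frags in groups.items():
        frags.sort(key=lambda p: p["offset"])
        end = 0
        for f in frags:
            if f["offset"] != end:
                raise ValueError(f"datagram {key}: gap before offset {f['offset']}")
            end = f["offset"] + f["ip_len"] - IPV4_HDR
        if frags[-1]["mf"]:
            raise ValueError(f"datagram {key}: last fragment missing")
        totals[key] = end
    return totals

def advertised_mss(packets):
    """MSS option seen in each endpoint's SYN or SYN-ACK, keyed by (src, sport)."""
    return {(p["src"], p["sport"]): p["mss"] for p in packets if p["mss"] is not None}

def data_segments(packets, src, sport, dst, dport):
    """(data bytes per segment, seq stride between consecutive segments) for one flow."""
    totals = reassemble(packets)
    firsts = [p for p in packets if (p["src"], p["sport"], p["dst"], p["dport"]) == (src, sport, dst, dport)]
    sizes = [totals[(p["src"], p["dst"], p["id"])] - TCP_HDR for p in firsts]
    seqs = [p["seq"] for p in firsts]
    return sizes, [b - a for a, b in zip(seqs, seqs[1:])]

def analyze(text=CAPTURE):
    pkts = parse_capture(text)
    mss = advertised_mss(pkts)
    sizes, strides = data_segments(pkts, "192.168.165.77", 80, "10.19.1.150", 49896)
    return {"client_mss": mss[("10.19.1.150", 49901)],
            "server_mss": mss[("192.168.165.77", 80)],
            "server_data_bytes": sorted(set(sizes)),   # what each controller segment really carries
            "seq_stride": sorted(set(strides)),        # cross-check from the relative sequence numbers
            "fragments_seen": sum(1 for p in pkts if p["offset"] or p["mf"])}
```

Feeding the full capture from the post to `analyze()` gives the same picture as these eight packets; a gap in the fragment chain (a dropped second fragment, which is what the firewall log shows) makes `reassemble()` raise instead of silently under-counting.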
            ggzengel

            Now I got a little bit further.
            The Areca controller never answers fragmented pings.

            It seems pfSense discards fragmented packets with PSH set:

            1249669.492 X DATA[1414]
                  0000: 00 00 45 00 05 84 0b d1  20 00 40 06 bd be 0a 13  ..E..... .@.....
                  0010: 76 29 0a 13 01 96 00 50  c6 29 00 1a 50 ef 41 9e  v).....P.)..P.A.
                  0020: 21 f0 50 18 05 a6                                 !.P...
                         IP-Packet from 10.19.118.41 to 10.19.1.150  protocol TCP
                         Fragment:  ID 3025  bytes 0 ... 1391
                         TCP-Message, sourceport 80 destinationport 50729
                                      sequence number 1724655
                                      acknowledgement number 1100882416
                                      offset 5 flags ACK PSH
                                      window 1446 checksum 0x2809 urgent 0
            
            1249669.500 X DATA[0096]
                  0000: 00 00 45 00 00 5e 0b d1  00 ae 40 06 e2 36 0a 13  ..E..^....@..6..
                  0010: 76 29 0a 13 01 96 69 64  74 68 3d 22 39 38 25 22  v)....idth="98%"
                  0020: 3e 0d 0a 3c 74 72                                 >..<tr
                         IP-Packet from 10.19.118.41 to 10.19.1.150  protocol TCP
                         Fragment:  ID 3025  bytes 1392 ... 1465
            

            firewall log:

              Dec 8 18:23:53 enc0   10.19.118.40:80    10.19.1.150:50729  TCP:PA 
            
            • E
              eri--
              last edited by

              You have to allow fragments in the IPsec rule, otherwise pf will drop them.

              • G
                ggzengel
                last edited by

                But fragmented ICMP works?
                And how should I allow fragmented packets?

                1252982.843 R DATA[1630]
                      0000: 01 00 45 00 06 5c 48 5e  00 00 7d 01 65 23 0a 13  ..E..\H^..}.e#..
                      0010: 01 96 0a 13 74 64 08 00  08 7c 00 66 3a 6e 61 62  ....td...|.f:nab
                      0020: 63 64 65 66 67 68                                 cdefgh
                             IP-Packet from 10.19.1.150 to 10.19.116.100  protocol ICMP
                             ICMP-Message , type echo request
                
                1252982.851 X DATA[1414]
                      0000: 00 00 45 00 05 84 26 06  20 00 40 01 a5 53 0a 13  ..E...&. .@..S..
                      0010: 74 64 0a 13 01 96 00 00  10 7c 00 66 3a 6e 61 62  td.......|.f:nab
                      0020: 63 64 65 66 67 68                                 cdefgh
                             IP-Packet from 10.19.116.100 to 10.19.1.150  protocol ICMP
                             Fragment:  ID 9734  bytes 0 ... 1391
                             ICMP-Message , type echo reply
                
                1252982.851 X DATA[0238]
                      0000: 00 00 45 00 00 ec 26 06  00 ae 40 01 c9 3d 0a 13  ..E...&...@..=..
                      0010: 74 64 0a 13 01 96 65 66  67 68 69 6a 6b 6c 6d 6e  td....efghijklmn
                      0020: 6f 70 71 72 73 74                                 opqrst
                             IP-Packet from 10.19.116.100 to 10.19.1.150  protocol ICMP
                             Fragment:  ID 9734  bytes 1392 ... 1607
                
                19:14:29.530989 (authentic,confidential): SPI 0x10907845: (tos 0x0, ttl 126, id 20210, offset 0, flags [none], proto ICMP (1), length 1628, bad cksum 5d0f (->5d8f)!)
                    10.19.1.150 > 10.19.116.100: ICMP echo request, id 102, seq 16025, length 1608
                19:14:29.599466 (authentic,confidential): SPI 0x07d35b41: (tos 0x0, ttl 63, id 3056, offset 0, flags [+], proto ICMP (1), length 1412)
                    10.19.116.100 > 10.19.1.150: ICMP echo reply, id 102, seq 16025, length 1392
                19:14:29.599611 (authentic,confidential): SPI 0x07d35b41: (tos 0x0, ttl 63, id 3056, offset 1392, flags [none], proto ICMP (1), length 236)
                    10.19.116.100 > 10.19.1.150: icmp
                
                • C
                  cmb
                  last edited by

                  The MSS clamping is doing exactly what you have it configured to do:

                   10.19.1.150.49902 > 192.168.165.77.80: Flags [S], cksum 0xc025 (correct), seq 1289560643, win 8192, options [mss 1200,nop,nop,sackOK]
                  
                  There isn't any ability to allow/deny fragments on a per-rule basis; not sure what Ermal is referring to.
                  
                  • valnarV
                    valnar
                    last edited by

                    I've had a similar problem in pfSense 1.23 where other VPN devices (Sonicwalls) worked fine.  Through a site VPN to my work, I cannot get to certain internal web pages.  I tried all manners of MSS, MTU and DF bit changes on pfSense to no avail.  All other firewalls I tried worked fine.  In the end, I had to just lower the MTU on my Windows machines in my home to make it work.

                    Not sure where the fix could be, but like I said, all other VPN enabled firewalls I've tried (Sonicwall, Cisco, Netscreen) worked fine.

                    • C
                      cmb
                      last edited by

                      @valnar:

                      I've had a similar problem in pfSense 1.23 where other VPN devices (Sonicwalls) worked fine.  Through a site VPN to my work, I cannot get to certain internal web pages.  I tried all manners of MSS, MTU and DF bit changes on pfSense to no avail.  All other firewalls I tried worked fine.  In the end, I had to just lower the MTU on my Windows machines in my home to make it work.

                      That's why we added MSS clamping for VPNs (which works fine).

                      • G
                        ggzengel
                        last edited by

                        Why does pfSense block fragmented PSH packets?
                        Or is there another reason? Small packets with PSH will pass.

                        1249669.492 X DATA[1414]
                              0000: 00 00 45 00 05 84 0b d1  20 00 40 06 bd be 0a 13  ..E..... .@.....
                              0010: 76 29 0a 13 01 96 00 50  c6 29 00 1a 50 ef 41 9e  v).....P.)..P.A.
                              0020: 21 f0 50 18 05 a6                                 !.P...
                                     IP-Packet from 10.19.118.41 to 10.19.1.150  protocol TCP
                                     Fragment:  ID 3025  bytes 0 ... 1391
                                     TCP-Message, sourceport 80 destinationport 50729
                                                  sequence number 1724655
                                                  acknowledgement number 1100882416
                                                  offset 5 flags ACK PSH
                                                  window 1446 checksum 0x2809 urgent 0
                        
                        1249669.500 X DATA[0096]
                              0000: 00 00 45 00 00 5e 0b d1  00 ae 40 06 e2 36 0a 13  ..E..^....@..6..
                              0010: 76 29 0a 13 01 96 69 64  74 68 3d 22 39 38 25 22  v)....idth="98%"
                              0020: 3e 0d 0a 3c 74 72                                 >..<tr
                                     IP-Packet from 10.19.118.41 to 10.19.1.150  protocol TCP
                                     Fragment:  ID 3025  bytes 1392 ... 1465
                        
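Decoding the two fragments of IP ID 3025 from the hex dumps above (this post and ggzengel's earlier post with the same capture) as an added example, not code from the thread or from pfSense: the IPv4 header bytes are copied from the dumps with the 2-byte capture prefix skipped, and the parser shows the MF flag, fragment offset, byte range, header checksum and, for the first fragment only, the TCP flags.

```python
import struct

# Constructed from the hex dumps posted above (IP ID 3025): the IPv4 header of each
# fragment plus the bytes that follow it in the dump. The leading "00 00" is skipped.
FRAG1 = bytes.fromhex(
    "45000584 0bd12000 4006bdbe 0a137629 0a130196"   # IPv4 header, MF set
    "0050c629 001a50ef 419e21f0 501805a6"            # first 16 bytes of TCP header
)
FRAG2 = bytes.fromhex(
    "4500005e 0bd100ae 4006e236 0a137629 0a130196"   # IPv4 header, offset 174*8
    "69647468 3d223938 25223e0d 0a3c7472"            # payload only: 'idth="98%">\r\n<tr'
)

TCP_FLAG_BITS = [(0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"),
                 (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]


def ipv4_header_checksum(header: bytes) -> int:
    """RFC 1071 ones' complement sum of the header with its checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(zeroed) // 2), zeroed))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_fragment(pkt: bytes) -> dict:
    """Decode the fragment-related IPv4 fields and, when present, the TCP flags."""
    (ver_ihl, _tos, total_len, ident, frag, ttl, proto,
     cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (frag & 0x1FFF) * 8             # fragment offset is in 8-byte units
    info = {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ident": ident, "ttl": ttl, "proto": proto, "total_len": total_len,
        "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000),
        "first_byte": offset, "last_byte": offset + total_len - ihl - 1,
        "cksum_ok": ipv4_header_checksum(pkt[:ihl]) == cksum,
        "tcp_flags": None,                   # only decodable in the first fragment
    }
    # A non-first fragment carries payload only: there is no L4 header to match,
    # so flag-based rules can only be evaluated after reassembly (pf scrub).
    if proto == 6 and offset == 0 and len(pkt) >= ihl + 14:
        flag_byte = pkt[ihl + 13]
        info["tcp_flags"] = [n for bit, n in TCP_FLAG_BITS if flag_byte & bit]
    return info


if __name__ == "__main__":
    for frag in (FRAG1, FRAG2):
        print(parse_fragment(frag))
```

Both headers in the dump verify correctly, so the "bad cksum" tcpdump reports on the sending host is worth checking against checksum offloading before treating it as corruption.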
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.