Netgate Discussion Forum

    Packets blocked with "IPx bad-hlen x"

    2.2 Snapshot Feedback and Problems - RETIRED
    • Forst

      Good time of the day!

      Noticed there is a problem with my Internet connection. Some websites won't open, some take an unusually long time to load. It turns out, the firewall sees lots of bad packets, blocking many of them:

      Apr 6 13:19:44	pf: 00:00:00.468621 rule 3..16777216/0(match): block in on pppoe0: IP13 bad-hlen 0
      Apr 6 13:19:44	pf: 00:00:00.000003 rule 5..16777216/0(match): block in on vmx1: truncated-ip6 - 65025 bytes missing!(class 0x08, flowlabel 0x311ff, hlim 0, next-header Options (0) payload length: 65152) ::494:e9b8:4733:7f1f:ff02:0 > ::fb:14e9:14e9: [|HBH]
      Apr 6 13:19:44	pf: 00:00:00.000005 rule 5..16777216/0(match): block in on bridge0: truncated-ip6 - 65025 bytes missing!(class 0x08, flowlabel 0x311ff, hlim 0, next-header Options (0) payload length: 65152) ::494:e9b8:4733:7f1f:ff02:0 > ::fb:14e9:14e9: [|HBH]
      Apr 6 13:19:44	pf: 00:00:00.441686 rule 5..16777216/0(match): block in on vmx1: truncated-ip6 - 65025 bytes missing!(class 0x08, flowlabel 0x311ff, hlim 0, next-header Options (0) payload length: 65152) ::494:e9b8:4733:7f1f:ff02:0 > ::fb:14e9:14e9: [|HBH]
      Apr 6 13:19:43	pf: 00:00:02.866999 rule 3..16777216/0(match): block in on pppoe0: IP6 , wrong link-layer encapsulationbad-hlen 16
      Apr 6 13:19:40	pf: 00:00:00.000003 rule 5..16777216/0(match): block in on vmx1: truncated-ip6 - 64537 bytes missing!(class 0x26, flowlabel 0xb11ff, hlim 0, next-header Options (0) payload length: 65152) ::494:e9b8:4733:7f1f:ff02:0 > ::fb:14e9:14e9: [|HBH]
      Apr 6 13:19:40	pf: 00:00:00.000007 rule 5..16777216/0(match): block in on bridge0: truncated-ip6 - 64537 bytes missing!(class 0x26, flowlabel 0xb11ff, hlim 0, next-header Options (0) payload length: 65152) ::494:e9b8:4733:7f1f:ff02:0 > ::fb:14e9:14e9: [|HBH]
      Apr 6 13:19:40	pf: 00:00:02.231246 rule 5..16777216/0(match): block in on vmx1: truncated-ip6 - 64537 bytes missing!(class 0x26, flowlabel 0xb11ff, hlim 0, next-header Options (0) payload length: 65152) ::494:e9b8:4733:7f1f:ff02:0 > ::fb:14e9:14e9: [|HBH]
      Apr 6 13:19:38	pf: 00:00:00.305554 rule 3..16777216/0(match): block in on pppoe0: IP12 bad-len 0
      --- snip ---
      Apr 6 13:15:58	pf: 00:00:00.224242 rule 3..16777216/0(match): block in on pppoe0: IP11 bad-hlen 12
      Apr 6 13:15:58	pf: 00:00:01.754476 rule 3..16777216/0(match): block in on pppoe0: IP2 bad-hlen 12
      Apr 6 13:15:56	pf: 00:00:00.178536 rule 3..16777216/0(match): block in on pppoe0: IP0 bad-hlen 0
      Apr 6 13:15:56	pf: 00:00:01.037411 rule 102..16777216/0(match): pass out on pppoe0: IP0 bad-hlen 0
      Apr 6 13:15:55	pf: 00:00:02.782820 rule 102..16777216/0(match): pass out on pppoe0: IP6 , wrong link-layer encapsulationbad-hlen 8
      Apr 6 13:15:52	pf: 00:00:00.037165 rule 3..16777216/0(match): block in on pppoe0: IP0 bad-hlen 0
      Apr 6 13:15:52	pf: 00:00:00.057242 rule 3..16777216/0(match): block in on pppoe0: IP11 bad-hlen 8
      Apr 6 13:15:52	pf: 00:00:01.900704 rule 102..16777216/0(match): pass out on pppoe0: IP5 bad-len 0
      Apr 6 13:15:50	pf: 00:00:01.213334 rule 3..16777216/0(match): block in on pppoe0: IP0 bad-hlen 0
      Apr 6 13:15:49	pf: 128.63.2.53 > 8.0.122.9: ip-proto-141
      Apr 6 13:15:49	pf: 00:00:00.912062 rule 102..16777216/0(match): pass out on pppoe0: IP5 truncated-ip - 16348 bytes missing! (tos 0xd7,CE, ttl 213, id 16129, offset 19080, flags [+, DF, rsvd], proto unknown (141), length 16384, options (unknown 187 [bad length 85]))
      Apr 6 13:15:48	pf: 00:00:04.768635 rule 3..16777216/0(match): block in on pppoe0: IP3 bad-len 0
      Apr 6 13:15:44	pf: 173.194.44.46 > 67.66.1.187: ip-proto-141
      Apr 6 13:15:44	pf: 00:00:00.057635 rule 102..16777216/0(match): pass out on pppoe0: IP10 truncated-ip - 16324 bytes missing! (tos 0x9c, ttl 213, id 16134, offset 22424, flags [DF], proto unknown (141), length 16384, options (unknown 33 [bad length 19]), bad cksum 9aaa (->f5e)!)
      Apr 6 13:15:43	pf: 00:00:02.272259 rule 102..16777216/0(match): pass out on pppoe0: IP1 bad-len 0
      Apr 6 13:15:41	pf: 195.140.195.61 > 8.0.217.19: ip-proto-141
      Apr 6 13:15:41	pf: 00:00:02.960174 rule 102..16777216/0(match): pass out on pppoe0: IP5 truncated-ip - 16348 bytes missing! (tos 0xb6,ECT(0), ttl 213, id 16129, offset 16608, flags [+, DF, rsvd], proto unknown (141), length 16384, options (unknown 134 [bad length 173]))
      Apr 6 13:15:38	pf: 199.7.91.13 > 8.0.111.87: ip-proto-141
      Apr 6 13:15:38	pf: 00:00:04.046507 rule 102..16777216/0(match): pass out on pppoe0: IP5 truncated-ip - 16348 bytes missing! (tos 0x8e,ECT(0), ttl 213, id 16129, offset 28624, flags [DF], proto unknown (141), length 16384, options (unknown 85 [bad length 147]))
      Apr 6 13:15:34	pf: 00:00:01.469478 rule 3..16777216/0(match): block in on pppoe0: IP11 bad-hlen 0
      Apr 6 13:15:33	pf: 00:00:00.681547 rule 3..16777216/0(match): block in on pppoe0: IP0 bad-hlen 0
      

      Tried googling the same kind of problem; the only advice I found is to disable TSO. Disabling TSO and even LRO didn't help; the problem persists.
      pfSense is running on ESXi 5.5U1, using VMXNET3 for NICs.
      Thanks in advance for any help!

      2.2-ALPHA (amd64)
      built on Thu Apr 3 01:45:59 CDT 2014

      • Forst

        It seems that the issue is not with the driver, since the same errors appear when using an emulated E1000 NIC.

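A triage sketch for the log quoted in this thread, added here as an example and not part of the original posts: it tallies the malformed-packet messages by interface, rule action and direction, and separates the ones that were passed outbound. It assumes the number after `IP` is the header's version field as printed by the tcpdump-style decoder; the function names are illustrative.

```python
import re
from collections import Counter

# Sample input: lines abridged from the log quoted in the post above.
SAMPLE = """\
Apr 6 13:19:44 pf: 00:00:00.468621 rule 3..16777216/0(match): block in on pppoe0: IP13 bad-hlen 0
Apr 6 13:19:44 pf: 00:00:00.000003 rule 5..16777216/0(match): block in on vmx1: truncated-ip6 - 65025 bytes missing!(class 0x08, hlim 0)
Apr 6 13:19:43 pf: 00:00:02.866999 rule 3..16777216/0(match): block in on pppoe0: IP6 , wrong link-layer encapsulationbad-hlen 16
Apr 6 13:19:38 pf: 00:00:00.305554 rule 3..16777216/0(match): block in on pppoe0: IP12 bad-len 0
Apr 6 13:15:56 pf: 00:00:01.037411 rule 102..16777216/0(match): pass out on pppoe0: IP0 bad-hlen 0
Apr 6 13:15:52 pf: 00:00:01.900704 rule 102..16777216/0(match): pass out on pppoe0: IP5 bad-len 0
Apr 6 13:15:49 pf: 128.63.2.53 > 8.0.122.9: ip-proto-141
Apr 6 13:15:49 pf: 00:00:00.912062 rule 102..16777216/0(match): pass out on pppoe0: IP5 truncated-ip - 16348 bytes missing! (proto unknown (141), length 16384)
"""

HEAD = re.compile(r"rule (?P<rule>\d+)\.\.\d+/\d+\(match\): "
                  r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\S+): (?P<rest>.*)")
VERSION = re.compile(r"IP(\d+)")   # assumption: version field, printed when it is not 4
ANOMALY = re.compile(r"bad-hlen|bad-len|truncated-ip6|truncated-ip")

def parse(line):
    """Return a dict for a rule-match line, or None for continuation lines."""
    m = HEAD.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    ver = VERSION.match(rec["rest"])
    kind = ANOMALY.search(rec["rest"])
    rec["version"] = int(ver.group(1)) if ver else None
    rec["anomaly"] = kind.group(0) if kind else None
    return rec

def summarize(text):
    """Tally anomalies per (iface, action, dir, kind); collect version values seen."""
    recs = [r for r in map(parse, text.splitlines()) if r]
    tally = Counter((r["iface"], r["action"], r["dir"], r["anomaly"])
                    for r in recs if r["anomaly"])
    versions = sorted({r["version"] for r in recs if r["version"] is not None})
    passed_out = [r for r in recs
                  if r["anomaly"] and (r["action"], r["dir"]) == ("pass", "out")]
    return tally, versions, passed_out

if __name__ == "__main__":
    tally, versions, passed_out = summarize(SAMPLE)
    for key, n in sorted(tally.items()):
        print(n, *key)
    print("version values seen:", versions)
    print("malformed packets passed outbound:", len(passed_out))
```

The `pass out` entries are worth listing separately because those packets were logged leaving the firewall on `pppoe0` rather than arriving from the ISP side.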
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.