Normalizing TTL across all packets leaving WAN interface

ajathom · Dec 14, 2017, 11:36 PM

I have pfsense 2.4 and I want to normalize all of the packets that are leaving the WAN interface of my router. My ISP doesn't like routers and blocks data whose ttl is not "stock".

I did some experimentation and found that if I increment the TTL they can't tell that I'm behind a router and let the traffic through.

I found a very old post that had a way to do this: https://forum.pfsense.org/index.php?topic=4712.0

But my filters.inc doesn't have that line and I don't understand what that file does well enough to make the changes.

Is normalizing the ttl for all traffic leaving an interface something that can stil lbe accomplished?

johnpoz · Dec 20, 2017, 10:01 AM

Well filters.inc has been rewritten a bit since that post back in 2007 ;)

But its still there really its just under the scrub function..


function filter_generate_scrubing() {
 <snipped>if (!isset($config['system']['disablescrub'])) {
                        $scrubrules .= "scrub on \${$scrubcfg['descr']} all {$scrubnodf} {$scrubrnid} {$mssclamp} fragment reassemble\n"; // reassemble all directions</snipped>

So you should be able to edit that per those threads instructions to do what your asking.

ajathom · Dec 24, 2017, 12:46 AM

Thanks johnpoz, that worked perfectly!

$scrubrules .= "scrub on \${$scrubcfg['descr']} all min-ttl 128 {$scrubnodf} {$scrubrnid} {$mssclamp} fragment reassemble\n"; // reassemble all
 directions

johnpoz · Dec 24, 2017, 9:27 AM

Great - glad it worked out for you… Shitty Ass ISPs So they want your devices directly attached? And you can have only 1?

You could write a patch to make this edit for you, since every time you update and that file gets updated your change will be lost..