UDP Payload Size / Allowed Fragmented Packets

  • We are having a problem with the Busy Lamp Fields on our Vonage Business Phone behind a pfSense firewall.

    Vonage Support has asked to make sure that our pfSense firewall supports the maximum UDP payload size of 65507 bytes and to allow at least 45 fragmented packets per packet.

    Can you help me find these settings on our pfSense firewall? We are running 2.3.4-RELEASE (i386).

    I may have found the UDP "payload" settings under: System --> Advanced --> System Tunables --> net.inet.udp.maxdgram
    I went ahead and changed this value from the default 57344 to 65507.
    Please let me know if I found the right setting.

    I have not found any settings for the allowed number of fragments.

    Thanks in advance for any and all help!

    Here is the full message I received from Vonage Business Support:

    Check firewall for UDP rules

    The recommended solution is to configure the firewalls and/or NAT routers at customer premises to handle fragmented UDP packets correctly. These firewall and NAT routers must be configured to support the maximum UDP payload size of 65507 bytes and to allow at least 45 fragmented packets per packet. As an example, the Cisco firewalls need to be configured to increase the allowed fragments per packet to 45 from the default 24 (The maximum supported fragments is 8500 in the case of Cisco firewalls).

    This article by broadsoft (the phone system platform) explains the issue;

  • LAYER 8 Netgate

    Maybe: net.inet.ip.maxfragsperpacket ??

    The default appears to be 16.

    I'd be curious what you see if you: sysctl -a | grep mbuf_defrag_fail

    (i386? really?)
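
The arithmetic behind the figures quoted in this thread, as an added example that is not part of any post: it shows why a 65507-byte UDP payload needs 45 IPv4 fragments and what a per-packet fragment limit such as the 16 mentioned above allows. The function names, the 1500-byte MTU and the option-free 20-byte IPv4 header are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes IPv4 without options
# (20-byte header) and an 8-byte UDP header.
IP_HDR=20
UDP_HDR=8

# per_frag MTU -> data bytes carried by each non-final fragment.
# The fragment offset field counts 8-byte units, so round down to 8.
per_frag() {
    echo $(( ($1 - IP_HDR) / 8 * 8 ))
}

# frag_count PAYLOAD MTU -> number of IPv4 fragments for one UDP datagram
frag_count() {
    pf=$(per_frag "$2")
    [ "$pf" -gt 0 ] || { echo "MTU too small" >&2; return 1; }
    echo $(( ($1 + UDP_HDR + pf - 1) / pf ))
}

# max_payload LIMIT MTU -> largest UDP payload that fits in LIMIT fragments
max_payload() {
    m=$(( $1 * $(per_frag "$2") - UDP_HDR ))
    if [ "$m" -gt 65507 ]; then m=65507; fi   # protocol maximum
    echo "$m"
}

# check_limit PAYLOAD MTU LIMIT -> status 0 if the datagram can reassemble
check_limit() {
    n=$(frag_count "$1" "$2") || return 2
    if [ "$n" -le "$3" ]; then
        echo "ok: $n fragments <= limit $3"
    else
        echo "drop: $n fragments > limit $3"
        return 1
    fi
}

# Read the limit from the running system when the tunable exists;
# otherwise fall back to 16, the default quoted in the thread.
limit=$(sysctl -n net.inet.ip.maxfragsperpacket 2>/dev/null) || limit=16
limit=${limit:-16}
check_limit 65507 1500 "$limit" || true
echo "largest UDP payload at limit $limit: $(max_payload "$limit" 1500) bytes"
```
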

  • Thank you for your reply, Derelict.

    I ran the command you suggested:
    sysctl -a | grep mbuf_defrag_fail

    Received this output:
    dev.em.0.mbuf_defrag_fail: 0

    net.inet.ip.maxfragsperpacket is not currently on my list of System Tunables. Will it work if I click on the "New" button and add this?

    Regarding your surprise at i386… is this bad?

    This is the CPU Type:
    Intel(R) Atom(TM) CPU 330 @ 1.60GHz
    4 CPUs: 1 package(s) x 2 core(s) x 2 HTT threads

    Thanks again for your help and interest in my problem.

  • LAYER 8 Netgate

    Yes, you should be able to add that tunable there. Unsure if you will need to reboot.

    The Atom 330 is a 64-bit CPU. You should be running the amd64 version. Reinstall 64-bit and restore the config.


    Instruction Set 64-bit

  • Thanks for the tips, Derelict. I will try this. Reloading with a 64 bit pfSense installation may have to wait for now. Thanks again! :-)

    Actually… if you don't mind, could you point out the benefit of a 64 bit installation? I know with PCs the 64 bit installation allows you to use 4GB of RAM and more. This pfSense only has 2GB of RAM. Let me know if there are benefits to 64 bit pfSense installations beyond memory allocation. Thanks. (I don't doubt your 64 bit recommendation, I'd just like to know more about it.)

  • LAYER 8 Netgate

    i386 is not receiving anywhere close to the testing amd64 is.

    There will not be an i386 version of pfSense from 2.4 (currently in beta) onward.

    There is no reason not to be running the amd64 version on hardware that supports it.

  • Thanks, Derelict. That's good enough of a reason for me.  :)

  • Hi Kevin,

    Sorry to resurrect an old post but did the System Tunables resolve your Vonage phone BLF issues? I'm having similar with some Polycom phones on a Gamme PBX system.

    Packet capture shows successful UDP defragmentation on one pfSense box and not on the other!?

    Comments would be appreciated.