[SOLVED] NAT not working on fragmented packets?



  • Hi!
    I discovered that communication with IP packets over a certain size would not work.
    I have a pf-sense box opening a tunnel, and traffic over that tunnel would stop if the packet size was over a certain size. As the tunnel has an MTU < 1500 that happens quite frequently.

    To narrow down the problem I made a test setup:

    192.168.12.0/24 - [pf-sense-box] - 10.11.38.0/24 - [another router] - internet
    

    In the 10.11.38.0/24 subnet I added a box running tcpdump to see what's going on after the pf-sense-box.

    There I discovered that for fragmented packets no NAT is done.

    A tcpdump for a

    ```
    ping -s 1000 8.8.8.8
    ```

    ```
    22:20:50.570676 IP 10.11.38.253 > 8.8.8.8: ICMP echo request, id 58688, seq 1, length 1008
    22:20:50.622136 IP 8.8.8.8 > 10.11.38.253: ICMP echo reply, id 58688, seq 1, length 1008
    ```

    and for

    ```
    ping -s 1500 8.8.8.8
    ```

    I get:

    ```
    22:20:47.426244 IP 192.168.12.101 > 8.8.8.8: ICMP echo request, id 19580, seq 4, length 1480
    22:20:47.426257 IP 192.168.12.101 > 8.8.8.8: ip-proto-1
    ```

    So why is there no NAT in the second case? Anyone have a hint?
    And how do I get that working?
    
    Thanks
    Lukas
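    The capture in the post above is easy to read by eye, but the same check is worth automating when a tunnel or NAT box is suspected of leaking inside addresses on large packets. The script below is an added example, not part of Lukas's post or of pfSense: it parses tcpdump's default one-line summaries, flags every packet on the outside capture whose source is still an inside (192.168.12.0/24) address, and separates first fragments (which still carry the ICMP header) from later fragments, which tcpdump prints as `ip-proto-1` because they carry no L4 header. The sample lines are the ones from the post, embedded as constructed input; the network list and function names are assumptions for the example. Background for why fragments matter here: `ping -s 1500` produces a 1528-byte IP datagram that does not fit a 1500-byte MTU, so the kernel splits it, and pf's scrub step is what reassembles such fragments before NAT and filter rules evaluate them.

    ```python
    import ipaddress
    import re

    # tcpdump's default one-line IPv4 summary, e.g.
    #   22:20:47.426244 IP 192.168.12.101 > 8.8.8.8: ICMP echo request, id 19580, seq 4, length 1480
    #   22:20:47.426257 IP 192.168.12.101 > 8.8.8.8: ip-proto-1
    # For TCP/UDP the port is appended as a fifth dotted component (10.0.0.5.53412);
    # the optional (?:\.\d+)? groups strip it so only the address is kept.
    LINE_RE = re.compile(
        r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
        r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
        r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<rest>.*)$"
    )

    # Constructed sample: the capture from the thread, taken on the 10.11.38.0/24
    # side of the pf-sense box, i.e. after outbound NAT should have rewritten the source.
    SAMPLE_CAPTURE = """\
    22:20:47.426244 IP 192.168.12.101 > 8.8.8.8: ICMP echo request, id 19580, seq 4, length 1480
    22:20:47.426257 IP 192.168.12.101 > 8.8.8.8: ip-proto-1
    22:20:50.570676 IP 10.11.38.253 > 8.8.8.8: ICMP echo request, id 58688, seq 1, length 1008
    22:20:50.622136 IP 8.8.8.8 > 10.11.38.253: ICMP echo reply, id 58688, seq 1, length 1008
    """

    # Assumed inside networks: these must never appear as a source on the outside
    # capture once outbound NAT is working.
    INSIDE_NETS = [ipaddress.ip_network("192.168.12.0/24")]


    def parse_line(line):
        """Parse one tcpdump summary line; return None for lines in another format."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None
        rest = m.group("rest")
        return {
            "ts": m.group("ts"),
            "src": ipaddress.ip_address(m.group("src")),
            "dst": ipaddress.ip_address(m.group("dst")),
            # Only the first fragment carries the ICMP/UDP/TCP header; tcpdump prints
            # later fragments as "ip-proto-<n>" because there is no L4 header to decode.
            "later_fragment": rest.startswith("ip-proto-"),
            "summary": rest,
        }


    def audit_outside_capture(capture_text, inside_nets):
        """Return every packet whose source is still an inside address.

        On a capture taken outside the NAT box these are NAT leaks; the
        later_fragment flag shows whether the leak is confined to fragments."""
        leaks = []
        for line in capture_text.splitlines():
            pkt = parse_line(line)
            if pkt is None:
                continue
            if any(pkt["src"] in net for net in inside_nets):
                leaks.append(pkt)
        return leaks


    def summarize(leaks):
        """Count leaked initial packets (whole datagrams or first fragments) vs later fragments."""
        later = sum(1 for p in leaks if p["later_fragment"])
        return {"initial": len(leaks) - later, "later_fragments": later}


    if __name__ == "__main__":
        found = audit_outside_capture(SAMPLE_CAPTURE, INSIDE_NETS)
        for p in found:
            kind = "later fragment" if p["later_fragment"] else "initial packet"
            print(f'{p["ts"]} {p["src"]} -> {p["dst"]} not translated ({kind}): {p["summary"]}')
        print(summarize(found))
    ```

    Run against a real capture with `tcpdump -n -i <outside-if> > outside.txt` and feed the file contents to `audit_outside_capture`; the `-n` flag matters because the regex expects raw addresses, not resolved names. If only the `later_fragments` count is non-zero, NAT is working for whole datagrams and the problem is limited to reassembly; if `initial` is non-zero as well, as in the sample, the whole fragmented datagram bypasses NAT.
    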

  • LAYER 8 Global Moderator

    "opening a tunnel and traffic over that tunnel"

    What kind of tunnel?  IPsec, OpenVPN?

    What are the rules you have set to send traffic down the tunnel?  Have you changed the automatic outbound NAT rules?  My guess is yes if you set up a tunnel.



  • @johnpoz:

    "opening a tunnel and traffic over that tunnel"

    What kind of tunnel?  IPsec, OpenVPN?

    The original setup is PPPoE, but for the test setup above I removed it. So for 192.168.12.0/24 - [pf-sense-box] - 10.11.38.0/24 it's just plain Ethernet, MTU 1500 (no MTU set at all, so it defaults to 1500).

    @johnpoz:

    What are the rules you have set to send traffic down the tunnel?  Have you changed the automatic outbound NAT rules?  My guess is yes if you set up a tunnel.

    For the test I tried it with "Hybrid Outbound NAT" - so using an automatic rule - and with setting a manual Outbound NAT rule with Protocol any, Source 192.168.12.0/24, Destination any, Address Interface Address.

    regards
    Lukas


  • LAYER 8 Global Moderator

    My pfsense setup is a bit of a mess currently, so I cannot easily test this.. But if I find time today I will fire up a VM pfsense and try to duplicate the issue you're seeing.

    edit:  Did I miss a post?  Why do you have it marked [solved] if you're still seeing this issue?  If solved, what was the solution to why you were seeing this?



  • Found the problem - shame on me, my own fault.

    After setting up a second box from scratch and comparing the settings I found that the "Disables the PF scrubbing option" in System / Advanced / Firewall & NAT was set.

    I don't know why it was set - but as only I had my fingers on that box it must have been me…

    Thanks,

    Lukas

    [EDIT: Thanks johnpoz, just found the solution the same time you posted your offer to test it.]


  • LAYER 8 Global Moderator

    Ah.. thanks for the update.. Off the top of my head, not sure why it would do that though.. hmmmm.

    If I had to guess, it's related somehow to this:
    https://redmine.pfsense.org/issues/4723

