Netgate Discussion Forum

    [SOLVED] NAT not working on fragmented packets?
      grl

      Hi!
      I discovered that communication with IP-Packets over a certain size would not work.
      I have a pf-sense box opening a tunnel and traffic over that tunnel would stop if the packet size was over a certain size. As the tunnel has an MTU<1500 that happens quite frequently.

      To narrow down the problem i made a test-setup:

      192.168.12.0/24 - [pf-sense-box] - 10.11.38.0/24 - [another router] - internet
      

      In the 10.11.38.0/24 subnet I added a box running tcpdump to see whats going on after the pf-sense-box.

      There I discovered that for fragmented packets no NAT is done.

      A tcpdump for a
      ```
      ping -s 1000 8.8.8.8
      ```
      shows:
      ```
      22:20:50.570676 IP 10.11.38.253 > 8.8.8.8: ICMP echo request, id 58688, seq 1, length 1008
      22:20:50.622136 IP 8.8.8.8 > 10.11.38.253: ICMP echo reply, id 58688, seq 1, length 1008
      ```
      and for
      ```
      ping -s 1500 8.8.8.8
      ```
      I get:
      ```
      22:20:47.426244 IP 192.168.12.101 > 8.8.8.8: ICMP echo request, id 19580, seq 4, length 1480
      22:20:47.426257 IP 192.168.12.101 > 8.8.8.8: ip-proto-1
      ```
      So why is there no NAT in the second case? Does anyone have a hint?
      And how do I get that working?
      
      Thanks
      Lukas
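      Added example, not code from the thread or from pfSense: a small Python check for the symptom shown in the capture above. It runs over tcpdump's default one-line IPv4 summaries taken on the segment outside the NAT device (here the 10.11.38.0/24 side), flags every packet whose source address is still a pre-NAT internal address, and marks the non-initial fragments, which tcpdump can only print as `ip-proto-N` because they carry no ICMP/TCP/UDP header. The sample lines are the four from the post above; the internal prefix 192.168.12.0/24, the function names and the `-v`-less tcpdump format are assumptions of this example.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample: the four tcpdump lines quoted in the first post, captured on the
# 10.11.38.0/24 segment, i.e. *after* the pf-sense box should have applied outbound NAT.
SAMPLE_CAPTURE = """\
22:20:50.570676 IP 10.11.38.253 > 8.8.8.8: ICMP echo request, id 58688, seq 1, length 1008
22:20:50.622136 IP 8.8.8.8 > 10.11.38.253: ICMP echo reply, id 58688, seq 1, length 1008
22:20:47.426244 IP 192.168.12.101 > 8.8.8.8: ICMP echo request, id 19580, seq 4, length 1480
22:20:47.426257 IP 192.168.12.101 > 8.8.8.8: ip-proto-1
"""

# Matches tcpdump's default (no -v) one-line IPv4 summary. The optional ".port" groups
# cover TCP/UDP lines such as "10.11.38.253.53412 > 8.8.8.8.53: ...".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?"
    r" > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one tcpdump summary line; return None for anything that is not an IPv4 summary."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # A non-initial fragment has no transport header, so tcpdump cannot decode it and
    # prints only "ip-proto-<number>" (1 = ICMP) instead of an ICMP/TCP/UDP summary.
    nonfirst_frag = rest.startswith("ip-proto-")
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "summary": rest,
        "nonfirst_frag": nonfirst_frag,
    }


def find_nat_leaks(capture: str, internal_nets: Iterable[str]) -> List[Dict[str, object]]:
    """Return every packet whose source is still an internal (pre-NAT) address.

    `capture` is tcpdump text recorded outside the NAT device; `internal_nets` are the
    prefixes that must never appear as a source there once outbound NAT has been applied.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    leaks: List[Dict[str, object]] = []
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        src = ipaddress.ip_address(str(pkt["src"]))
        if any(src in net for net in nets):
            leaks.append(pkt)
    return leaks


def summarize(leaks: List[Dict[str, object]]) -> Dict[str, int]:
    """Count leaked packets by kind; leaks confined to fragments point at reassembly (scrub)."""
    frags = sum(1 for p in leaks if p["nonfirst_frag"])
    return {
        "total": len(leaks),
        "nonfirst_fragments": frags,
        "first_or_whole": len(leaks) - frags,
    }


if __name__ == "__main__":
    hits = find_nat_leaks(SAMPLE_CAPTURE, ["192.168.12.0/24"])
    for p in hits:
        kind = "non-initial fragment" if p["nonfirst_frag"] else "packet"
        print(f"{p['ts']} un-NATed {kind}: {p['src']} -> {p['dst']} ({p['summary']})")
    print(summarize(hits))
```

      On the sample the 1000-byte ping passes clean (source already rewritten to 10.11.38.253), while both pieces of the 1500-byte ping are reported with the internal 192.168.12.101 source. That matches the thread's own resolution: with the PF scrubbing option disabled, pf does not reassemble fragments, and neither the first fragment nor the `ip-proto-1` continuation is translated.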
        johnpoz (LAYER 8 Global Moderator)

        "opening a tunnel and traffic over that tunnel"

        What kind of tunnel?  IPsec, OpenVPN?

        What are the rules you have set to send traffic down the tunnel?  Have you changed the automatic outbound NAT rules?  My guess is yes if you set up a tunnel.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          grl

          @johnpoz:

          "opening a tunnel and traffic over that tunnel"

          What kind of tunnel?  IPsec, OpenVPN?

          The original setup is PPPoE, but for the test-setup above I removed it. So for 192.168.12.0/24 - [pf-sense-box] - 10.11.38.0/24 it's just plain Ethernet, MTU 1500 (no MTU set at all, so it defaults to 1500).

          @johnpoz:

          What are the rules you have set to send traffic down the tunnel?  Have you changed the automatic outbound NAT rules?  My guess is yes if you set up a tunnel.

          For the test I tried it with "Hybrid Outbound NAT" - so using an automatic rule - and with setting a manual Outbound NAT with Protocol any, Source 192.168.12.0/24, Destination any, Address Interface Address.

          regards
          Lukas

            johnpoz (LAYER 8 Global Moderator)

            My pfSense setup is a bit of a mess currently, so I cannot easily test this.. But if I find time today I will fire up a pfSense VM and try to duplicate the issue you're seeing.

            edit:  Did I miss a post?  Why do you have it marked [solved] if you're still seeing this issue?  If solved, what was the solution to why you were seeing this?


              grl

              Found the problem - shame on me, my own fault.

              After setting up a second box from scratch and comparing the settings I found that the "Disables the PF scrubbing option" in System / Advanced / Firewall & NAT was set.

              I don't know why it was set - but as only I had my fingers on that box it must have been me…

              Thanks,

              Lukas

              [EDIT: Thanks johnpoz, just found the solution the same time you posted your offer to test it.]

                johnpoz (LAYER 8 Global Moderator)

                Ah.. thanks for the update.. Off the top of my head, not sure why it would do that though.. hmmmm.

                If I had to guess, it's related somehow to this:
                https://redmine.pfsense.org/issues/4723

