Datagram re-assembly fails



  • Good morning

    I have an application that sends out frames of data that seem to be dropped by the firewall.  I know from the developers these UDP packets larger than 1500 bytes are not being re-assembled in my SG-3100 at all.

    I am running 2.4.2 PM1 and I am up to date.

    Under Advanced, I have tested with

    • IP Do-Not-Fragment both on and off.
      Disabled PF scrubbing

    After testing the above, I have killed the states in the machine, but it still fails.

    As a reference, if I use a consumer grade router, the datagrams are re-assembled correctly.

    I hope that makes sense.

    Thanks in advance, Mike



  • Internet or intranet traffic? Could the data be arriving as jumbo frames from an internal source?



  • Internet traffic.

    We have done a lot of testing on this and it seems to be pfSense type routers that fail.  If you swap it out for a DD-WRT or Tomato like router, it is fine.

    Mike



  • Have you tested with "Disable Firewall Scrub" unchecked as it is the default?
    As of now we also have a problem that if we check this to disable scrub fragmented UDP packets will not pass pfSense, at least not on the WAN interface. With the default scrub enabled all is well.



  • Disable Firewall Scrub

    Where is that found?


  • Rebel Alliance Global Moderator

    System / Advanced / Firewall & NAT

    Disable Firewall Scrub
    Disables the PF scrubbing option which can sometimes interfere with NFS traffic.



  • Hello,
    Since this is UDP, it means retransmit is higher level responsibility and NOT ORGANIC TO LEVEL 3 OR 4 OSI.
    sincerely,
    magrw2066