pfSense | ICMP Redirects | TCP Retransmissions, DUP ACK, etc.



    Hey guys,

    First thing: thanks for this wonderful piece of software! Since our old LANCOM router was a bit overloaded with VPN, TCP states and everything else (CPU utilization was about 40-50 percent) and we had a few security concerns (virus attacks, etc.), I decided to switch to pfSense (OK, to be honest I tried O*NSense first, which afterwards seemed to be a buggy fork of pfSense... some services didn't work anymore after a day of trying it out and I don't have the time to debug the thing ;-))

    Currently I'm working with pfBlockerNG, Snort and ntopng, which are great packages and offer 1000x more security and features than this Lancom content filter...
    OK, Snort has a steep learning curve, but if you're familiar with networking and protocols you'll find your way.

    But anyway, I've got a problem:

    We are a car dealer in Germany.
    We've got 2 routers in our environment, a Cisco 800 series (IP 10.59.134.1/23) and now, proudly, pfSense (IP 10.59.134.7/23).
    The Cisco builds up a VPN connection (2 Mbit/s) to our manufacturer (to network ~ 10.112.0.0/16) and is not managed by us.
    I know that 2 routers in one LAN is not the best setup, but the guys who manage the Cisco haven't managed to change this....
    The WAN connection of the Cisco goes through our pfSense to a mostly dedicated WAN connection (5 Mbit/s). pfSense is running virtualized.
    pfSense is the default gateway; a route exists to 10.112.0.0/16 via gw 10.59.134.1/24.

    So here comes the problem:
    If I set up pfSense as the default gateway, a piece of software which is used for our manufacturer's site (it's running locally, but doing GIOP requests to a server at the manufacturer's site) gets very slow. I sniffed with Wireshark, and on some requests you'll see many, many TCP retransmissions, duplicate ACKs, spurious retransmissions, etc., with ICMP redirects in between (this is normal behaviour with this setup...)
    If I set up a static route on the client, no TCP retransmissions occur (or at least not that often).

    Without the static route, the retransmissions don't occur on every request, but far too often.

    I can attach 2 Wireshark logs if that'll help.

    What I've done so far:

    • Disabled hardware checksum offloading
    • Disabled hardware segmentation offloading
    • Disabled hardware large receive offloading
    • Disabled/enabled sending of ICMP redirects (problem stays the same, but no ICMP redirects ;-))
    • Disabled TCP segmentation offloading (do I have to restart after that?!)

    My next idea was to have a bandwidth limiter for that traffic, because the VPN tunnel only takes 2 Mbit/s, and I could imagine that if the Cisco is getting bombarded with TCP packets from the client PC (pfSense does not know that the tunnel is only 2 Mbit/s...), the SYN, ACK and whatever packets take too long to arrive at the clients. So how do I achieve a traffic limiter in this setup? Just for the connections to our manufacturer.

    Oh, by the way, this does not only happen with the requests from the software but also with HTTP traffic.

    Any ideas on that?

    I attached an image with the part of the setup which is interesting (pfSense is doing quite a bit more; we've got 3 WAN connections and are building a zone concept for the client boxes at the moment...)

    Thanks for the help :)

    Greetings from Bavaria!
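To check whether the flows that get redirected are the same ones that retransmit, here is an added Python example (not from the original post or from pfSense) that correlates ICMP redirects with per-stream TCP retransmissions in a tshark field dump. The sample dump is constructed to match the topology in the post; the tshark command, the client addresses 10.59.134.50/.60 and the stream numbers are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed sample dump (not a real capture), in the field order of this assumed tshark command:
#   tshark -r trace.pcap -T fields -E separator=, -E occurrence=f -e frame.time_relative -e ip.src \
#     -e ip.dst -e icmp.type -e icmp.redir_gw -e tcp.stream -e tcp.analysis.retransmission -e tcp.analysis.duplicate_ack
# Topology from the post: pfSense 10.59.134.7 is the default gateway, the Cisco 10.59.134.1 owns the VPN
# to 10.112.0.0/16. Client .50 (assumed) gets redirected by pfSense; client .60 (assumed) has the static route.
SAMPLE = """\
0.000,10.59.134.50,10.112.10.5,,,0,,
0.001,10.59.134.7,10.59.134.50,5,10.59.134.1,,,
0.210,10.112.10.5,10.59.134.50,,,0,,
0.220,10.59.134.50,10.112.10.5,,,0,,
0.450,10.59.134.50,10.112.10.5,,,0,1,
0.460,10.112.10.5,10.59.134.50,,,0,,1
0.700,10.59.134.50,10.112.10.5,,,0,1,
1.000,10.59.134.60,10.112.10.5,,,1,,
1.200,10.112.10.5,10.59.134.60,,,1,,
1.300,10.59.134.60,10.112.10.5,,,1,,
"""
VPN_NET = ip_network("10.112.0.0/16")
ICMP_REDIRECT = 5

def correlate(dump, remote_net=VPN_NET):
    """Per TCP stream to remote_net: retrans/dup-ACK counts and whether the LAN host was redirected first."""
    redirected = {}  # LAN host -> (time of the first redirect it received, gateway advertised in it)
    streams = defaultdict(lambda: {"host": None, "retrans": 0, "dup_ack": 0,
                                   "first_retrans": None, "redirected_before": False,
                                   "redirect_gw": None})
    for line in dump.splitlines():
        t, src, dst, icmp_type, redir_gw, stream, retrans, dup_ack = line.split(",")
        t = float(t)
        if icmp_type == str(ICMP_REDIRECT):
            redirected.setdefault(dst, (t, redir_gw))  # the redirect is addressed to the client
            continue
        if not stream or not (ip_address(src) in remote_net or ip_address(dst) in remote_net):
            continue  # not a TCP segment of a flow to/from the manufacturer network
        s = streams[int(stream)]
        s["host"] = dst if ip_address(src) in remote_net else src  # the LAN-side endpoint
        if retrans == "1":
            s["retrans"] += 1
            s["first_retrans"] = t if s["first_retrans"] is None else s["first_retrans"]
        if dup_ack == "1":
            s["dup_ack"] += 1
    for s in streams.values():  # flag streams whose host was redirected before it started retransmitting
        hit = redirected.get(s["host"])
        if hit and s["first_retrans"] is not None and hit[0] < s["first_retrans"]:
            s["redirected_before"], s["redirect_gw"] = True, hit[1]
    return dict(streams)
```

If the redirected streams carry the retransmissions and the static-route streams do not, that points at the asymmetric path through pfSense rather than at the tunnel bandwidth alone.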