How to set TTL?
-
I need to set same TTL for all outbound packets of my LAN.
I could not find where exactly this setting is in pfSense webGUI?
It can be easily done in OpenWrt or RouterOS, but how to do it in pfSense?
Please, help.
-
Maybe I wasn't clear enough.
Here is what I need: if one of my LAN devices sends IP packets with, say, TTL=63, and another one with TTL=128, then when going through pfSense to WAN they all must have TTL=X (where "X" is whatever value I would set in pfSense).
How do I set this up in pfSense? Do I need to create some filtering rule or... ?
-
TTL is determined by the originating OS and only decremented by routers. I'd suspect changing TTL or hop limit on IPv6 might be a security risk. On IPv6, a hop limit of 255 is used to ensure a packet did not originate off the local LAN. Also, if routers could set TTL, then it would be possible to create a loop that defeats the TTL and results in packets travelling in that loop forever.
-
Altering the TTL is a great way to cause routing loops.
pf does not have a way to set the TTL on packets.
-
@jimp said in How to set TTL?:
Altering the TTL is a great way to cause routing loops.
This is also a common way to hide the phone/modem tethering from the wireless carrier. I guess that is what is driving the OP.
-
@andrewz said in How to set TTL?:
This is also a common way to hide the phone/modem tethering from the wireless carrier. I guess that is what is driving the OP.
Do they still do that?
-
@jknott
Yup, common techniques to prevent ToS violations are TTL checking and IMEI lookup. Some carriers are also implementing some sort of behavioral analysis, i.e. an Android phone should not be talking with the Windows Update web site.
-
With pf scrub you can have a "minimum TTL" and all packets can be rewritten to make sure they meet this minimum TTL.
Maybe not quite what you're after? Certainly there's no GUI for this, you'd be out on your own.
-
@muppet said in How to set TTL?:
With pf scrub you can have a "minimum TTL" and all packets can be rewritten to make sure they meet this minimum TTL.
Maybe not quite what you're after? Certainly there's no GUI for this, you'd be out on your own.
As far as I understood,
scrub min-ttl
enforces a minimum TTL. I.e. if I would set TTL on pfSense to be, say, 64 and some of my LAN devices would send packets with TTL=128, then pfSense won't change this one down to 64? Right? In this case my only option to have the same TTL with "pf scrub" is to set it to the maximum value of 255? (Side question: are there any downsides of having TTL=255?)
Also, shouldn't there be possible some workaround to avoid looping? Like router somehow recognizing and ignoring packets if they are in a loop?
Also, maybe for FreeBSD there is something like "iptables mangle" for Linux?
-
@mascot said in How to set TTL?:
In this case my only option to have same TTL with "pf scrub" is to set it to maximum value of 255? (Side question: are there any downsides of having TTL=255?)
Also, shouldn't there be possible some workaround to avoid looping? Like router somehow recognizing and ignoring packets if they are in a loop?
Also, maybe for FreeBSD there is something like "iptables mangle" for Linux?
Well, as I mentioned, on IPv6 255 indicates a packet that's intended for the local LAN only. Will a router pass it? Also, recognizing packets it's seen before, that would require saving the packets it already sent and then comparing them with any new packets. That might keep a router a bit busy. Also, if a router sees a packet with 255, the assumption can only be that the previous router decremented from 0 and sent it on, violating the rule that says packets with or decremented to 0 must be discarded. You're trying to defeat the entire purpose of MTU, which is to prevent a packet from being sent forever around a loop.
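To make the two points argued in this thread concrete (that a raise-only "minimum TTL" cannot unify TTLs, and that a hop which rewrites TTL defeats loop protection), here is an added Python model. It is not code from the thread, from pfSense or from pf; the router chain, the rewrite behaviour and the packet TTL values are constructed for illustration, and `scrub_min_ttl` is only a model of the raise-only semantics the posters describe, not pf's implementation.

```python
"""Model of IP TTL handling at routers (decrement, discard at zero) and of a
raise-only 'minimum TTL' normalisation, to illustrate the reasoning in the
thread above. Everything here is a constructed illustration, not pf code."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    ttl: int        # current TTL value carried in the IP header
    hops: int = 0   # number of routers that have handled this packet


def scrub_min_ttl(ttl: int, min_ttl: int) -> int:
    """Model of a 'minimum TTL' normaliser (as the thread describes pf's
    scrub min-ttl): a TTL below the minimum is raised to it, a TTL already
    at or above the minimum is left untouched. It never lowers a TTL."""
    return max(ttl, min_ttl)


def outbound_ttls(lan_ttls: List[int], min_ttl: int) -> List[int]:
    """Distinct TTL values seen on the WAN side after the normaliser has
    processed packets that arrived from the LAN with the given TTLs."""
    return sorted({scrub_min_ttl(t, min_ttl) for t in lan_ttls})


def forward(pkt: Packet, rewrite_ttl: Optional[int] = None) -> bool:
    """One router hop. A normal router (rewrite_ttl=None) decrements TTL and
    discards the packet when it reaches zero, as RFC 791 requires. A router
    that rewrites TTL to a fixed value first (constructed misbehaviour)
    resets the counter before decrementing. Returns True if the packet is
    forwarded, False if it is discarded."""
    if rewrite_ttl is not None:
        pkt.ttl = rewrite_ttl
    pkt.ttl -= 1
    pkt.hops += 1
    return pkt.ttl > 0


def run_loop(initial_ttl: int, routers: List[Optional[int]],
             max_hops: int = 10_000) -> Optional[int]:
    """Send one packet round a forwarding loop made of the given routers
    (each entry is that router's rewrite value, None = normal decrement).
    Returns the hop count at which the packet was discarded, or None if it
    was still circulating after max_hops hops (i.e. the loop never ends)."""
    pkt = Packet(ttl=initial_ttl)
    i = 0
    while pkt.hops < max_hops:
        if not forward(pkt, routers[i % len(routers)]):
            return pkt.hops
        i += 1
    return None


if __name__ == "__main__":
    # LAN hosts sending TTL 63 and 128 (constructed values from the thread's
    # example): a minimum of 64 raises only the low one, so two TTLs remain.
    print("min-ttl 64 :", outbound_ttls([63, 128], 64))    # [64, 128]
    print("min-ttl 255:", outbound_ttls([63, 128], 255))   # [255]
    # Two-router loop: with normal decrement the packet dies after 64 hops;
    # if one router rewrites TTL back to 64 on every pass it never dies.
    print("normal loop  :", run_loop(64, [None, None]))    # 64
    print("rewriting hop:", run_loop(64, [None, 64]))      # None
```

The `outbound_ttls` result is the answer to the question of whether a minimum TTL can equalise everything: only by choosing a minimum at or above the highest TTL any LAN host emits, which is why the thread ends up at 255. The `run_loop` result is the routing-loop argument: every normal hop spends one unit of the budget, whereas a hop that rewrites the field refills it, and the packet circulates until the loop is broken by something other than TTL.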
-