Fragmented IPv4 UDP not NAT'd on WAN



  • Hi,

    Troubleshooting an issue with a VOIP phone behind pfSense and PBX on the internet. I used tcpdump to capture dial out packets on the WAN via pppoe1.

    Wireshark shows the outbound IPv4 fragmented packets contain the source address of the internal LAN (192.168...) and not the public IP address.

    Is this a known issue, and is there a work-around? I have the Disable Firewall Scrub option set to True.

    Regards
    Simon



  • Hi,

    While I have found a work-around in this particular instance - by reducing the header information in the SIP request - anyone sending UDP out on a WAN with a lower MTU than the LAN might run into this issue. This might affect VPN links as well as VOIP. Typically intranet LANs run 1500 byte MTU and VDSL/Fibre can often have a slightly smaller MTU.

    If you do have an issue with WAN outbound UDP, run tcpdump on the WAN leg and load the file into Wireshark to look for the source address being transmitted out of the firewall.
    If you see the LAN source address, then you have the issue.
    There may be a config setting that will change the behaviour, however if this cannot be found, the packets will be dropped by the first internet router that sees them, as private non-routable addresses are just that.
    Regards
    Simon
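The check Simon describes (capture on the WAN leg, then look for fragments that still carry a LAN source address) can be automated instead of eyeballing it in Wireshark. The script below is an added example, not code from the thread or from pfSense: it reads a classic pcap file, walks every IPv4 packet, and reports each UDP fragment whose source address is still RFC 1918. The sample capture is constructed inline (a registration that fit in one datagram and was NATed, followed by an oversized INVITE whose two fragments kept the 192.168.x source); the public addresses, the `pbx.example` name and the assumption that the capture uses the raw IP, Ethernet or NULL/loopback link type are mine, so check your own file's link type before relying on it.

```python
"""Added example: find outbound IPv4 UDP fragments in a WAN capture that
still carry a private (RFC 1918) source address, i.e. fragments NAT missed."""
import ipaddress
import struct

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# libpcap link-layer type values; anything else is skipped by iter_pcap_ipv4
LINKTYPE_NULL, LINKTYPE_ETHERNET, LINKTYPE_RAW = 0, 1, 101
PROTO_UDP = 17


def build_ipv4(src, dst, ident, frag_off, more_fragments, payload, proto=PROTO_UDP):
    """Build one IPv4 header + payload (constructed test traffic, checksum left 0)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + payload


def build_pcap(packets, linktype=LINKTYPE_RAW):
    """Wrap raw packets into a little-endian classic pcap image (magic 0xa1b2c3d4)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1_537_861_986 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def iter_pcap_ipv4(data):
    """Yield IPv4 packet bytes from a pcap image (raw IP, Ethernet or NULL link types)."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    linktype, = struct.unpack(endian + "I", data[20:24])
    pos = 24
    while pos + 16 <= len(data):
        _, _, caplen, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if linktype == LINKTYPE_ETHERNET:
            if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
                continue  # not an IPv4 EtherType
            frame = frame[14:]
        elif linktype == LINKTYPE_NULL:
            frame = frame[4:]  # 4-byte address-family header
        elif linktype != LINKTYPE_RAW:
            continue  # unsupported link type (assumption: not present in your capture)
        yield frame


def parse_ipv4(pkt):
    """Return the header fields this check needs, or None if the bytes are not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ident, flags_frag, proto = struct.unpack("!HHxB", pkt[4:10])
    return {
        "src": ipaddress.ip_address(pkt[12:16]),
        "dst": ipaddress.ip_address(pkt[16:20]),
        "ident": ident,
        "proto": proto,
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # in bytes
        "more_fragments": bool(flags_frag & 0x2000),
    }


def is_fragment(ip):
    """A packet is a fragment if MF is set (first/middle) or the offset is non-zero (middle/last)."""
    return ip["more_fragments"] or ip["frag_offset"] > 0


def find_unnatted_fragments(pcap_bytes):
    """Return (ident, frag_offset, src) for every UDP fragment with a private source.
    On a WAN-side capture, any hit means NAT was not applied to that fragment."""
    hits = []
    for pkt in iter_pcap_ipv4(pcap_bytes):
        ip = parse_ipv4(pkt)
        if ip is None or ip["proto"] != PROTO_UDP or not is_fragment(ip):
            continue
        if any(ip["src"] in net for net in PRIVATE_NETS):
            hits.append((ip["ident"], ip["frag_offset"], str(ip["src"])))
    return hits


# Constructed stand-in for a `tcpdump -i <wan> -w wan.pcap` file (addresses are documentation ranges).
SIP_INVITE = b"INVITE sip:pbx.example SIP/2.0\r\n".ljust(1480, b"X")
SAMPLE_PCAP = build_pcap([
    # REGISTER fit in one datagram: NAT applied, public source address
    build_ipv4("203.0.113.7", "198.51.100.10", 0x1000, 0, False, b"REGISTER sip:pbx.example"),
    # oversized INVITE split at the WAN MTU: both fragments still carry the LAN address
    build_ipv4("192.168.1.20", "198.51.100.10", 0x1001, 0, True, SIP_INVITE),
    build_ipv4("192.168.1.20", "198.51.100.10", 0x1001, 1480, False, b"v=0 tail of SDP"),
])

if __name__ == "__main__":
    for ident, off, src in find_unnatted_fragments(SAMPLE_PCAP):
        print(f"un-NATed fragment: id=0x{ident:04x} offset={off} src={src}")
```

To run it against a real capture, replace `SAMPLE_PCAP` with `open("wan.pcap", "rb").read()`; an empty result means every UDP fragment that left the WAN already had the public address, while any hit is exactly the symptom in the screenshot, and the first upstream router will discard those fragments as unroutable.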