Netgate Discussion Forum

    Fragmented IPv4 UDP not NAT'd on WAN

      simon_hp

      Hi,

      Troubleshooting an issue with a VOIP phone behind pfSense and PBX on the internet. I used tcpdump to capture dial out packets on the WAN via pppoe1.

      Wireshark shows the outbound IPv4 fragmented packets contain the source address of the internal LAN (192.168...) and not the public IP address.

      Is this a known issue, and is there a work-around? I have the Disable Firewall Scrub option set to True.

      Regards
      Simon

        simon_hp

        Hi,

        While I have found a work-around in this particular instance - by reducing the header information in the SIP request, anyone sending UDP out on a WAN with a lower MTU than the LAN might run into this issue. This might affect VPN links as well as VOIP. Typically intranet LANs run 1500 byte MTU and VDSL/Fibre can often have a slightly smaller MTU.

        If you do have an issue with WAN outbound UDP, run tcpdump on the WAN leg and load the file into Wireshark to look for the source address being transmitted out of the firewall.
        If you see the LAN source address, then you have the issue.
        There may be a config setting that will change the behaviour, however if this cannot be found, the packets will be dropped by the first internet router that sees them, as private non-routable addresses are just that.
        Regards
        Simon
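
Added example, not part of the original posts: the check described above (fragmented UDP leaving the WAN with a LAN source address) applied to raw IPv4 headers. The addresses, IP ID and sizes in `SAMPLE` are constructed, and `build_ipv4`, `inspect` and `leaked_fragments` are hypothetical helper names.

```python
import ipaddress
import struct

# RFC 1918 private ranges; a WAN-side capture should never show these as source.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def build_ipv4(src, dst, ident, mf, offset_bytes, payload_len, proto=17):
    """Construct a sample IPv4 header (checksum left at 0)."""
    flags_frag = (0x2000 if mf else 0) | (offset_bytes // 8)
    return struct.pack(HDR, 0x45, 0, 20 + payload_len, ident, flags_frag,
                       64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

def inspect(header):
    """Decode the fields needed for the check from one IPv4 header."""
    ver_ihl, _, _, ident, flags_frag, _, proto, _, src, _ = struct.unpack(
        HDR, header[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    src = ipaddress.ip_address(src)
    offset = (flags_frag & 0x1FFF) * 8      # offset is stored in 8-byte units
    more = bool(flags_frag & 0x2000)        # MF (more fragments) flag
    return {"src": str(src), "id": ident, "proto": proto, "offset": offset,
            "fragment": more or offset > 0,
            "private_src": any(src in net for net in RFC1918)}

def leaked_fragments(headers):
    """UDP fragments whose source is still an RFC 1918 address.

    Only the IP header is used: fragments after the first carry no UDP
    header, so port-based matching would miss them.
    """
    return [i for i in map(inspect, headers)
            if i["proto"] == 17 and i["fragment"] and i["private_src"]]

# Constructed WAN-leg sample: 192.168.1.50 = LAN phone, 203.0.113.10 = WAN IP.
SAMPLE = [
    build_ipv4("203.0.113.10", "198.51.100.20", 0x1000, False, 0, 600),
    build_ipv4("192.168.1.50", "198.51.100.20", 0x1234, True, 0, 1472),
    build_ipv4("192.168.1.50", "198.51.100.20", 0x1234, False, 1472, 100),
    build_ipv4("203.0.113.10", "198.51.100.20", 0x2000, True, 0, 1472),
]

if __name__ == "__main__":
    for hit in leaked_fragments(SAMPLE):
        print(f"un-NAT'd fragment: src={hit['src']} id={hit['id']:#06x} "
              f"offset={hit['offset']}")
```

On a real capture the same condition can be applied in Wireshark with the display filter `(ip.flags.mf == 1 || ip.frag_offset > 0) && ip.src == 192.168.0.0/16`.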

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.