Fragmented IPv4 UDP not NAT'd on WAN

NAT
Log in to reply
  • S

    Hi,

    Troubleshooting an issue with a VOIP phone behind pfSense and PBX on the internet. I used tcpdump to cature dial out packets on the WAN via pppoe1.

    Wireshark shows the outbound IPv4 fragmented packets contain the source address of the internal LAN (192.168...) and not the public IP address.

    Is this a known issue, and is there a work-around. I have the Disable Firewall Scrub option set to True.

    Regards
    Simon

    0
  • S

    Hi,

    While I have found a work-around in this particular instance - by reducing the header information in the SIP request, anyone sending UDP out on a WAN with a lower MTU than the LAN might run into this issue. This might affect VPN links as well as VOIP. Typically intranet LANs run 1500 byte MTU and VDSL/Fibre can often have a slightly smaller MTU.

    If you do have an issue with WAN outbound UDP, running tcpdump on the WAN leg and loading the file into wireshark to look for the source address being transmitted out of the firewall.
    0_1537861986638_b7c16e8e-6480-442a-a494-9ccc0254be79-image.png
    If you see the LAN source address, then you have the issue.
    There may be a config setting that will change the behaviour, however if this cannot be found,the packets will be dropped by the first internet router that sees them as private non-routable addresses are just that.
    Regards
    Simon

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy