  • Hey everyone. I have spent the past week installing and configuring pfSense 2.4.4. Now, everything seems to be working just absolutely wonderfully except for one thing.

    I use 2 different VPNs for different purposes: ExpressVPN and Private Internet Access. I DO NOT try to use both of these services at once or at the same time (had to get that out of the way).

    ExpressVPN gets connected through pfSense and stays connected and works very well. Private Internet Access gets connected and works very well for about 2 minutes, then it gets blocked by the frag3 preprocessor. I have both applications set identically:

    set to UDP / autoport selection and encryption data = AES-256 (GCM) and handshake=RSA-4096 - port forwarding is selected and allow local LAN traffic is set to always.

    My question is: can I use the suppress list to suppress frag3 alerts/blocking for JUST the one IP that leads to the PIA gateway, or is the suppression list a global thing? I don't want to turn frag3 off, but I would like to keep using the Private Internet Access VPN and am at a loss as to how to do that without disabling frag3 every time I want to use it and re-enabling it after I am done.

    Thanks for any and all comments ahead of time!

    If it connects to the same remote IP every time, you can just whitelist that and it won't trigger a block on the alert.

    Is this Snort or Suricata?


  • Hi.

    It's Snort.

    I am unfamiliar with Snort, as my last firewall would run it but not in blocking mode, so I never had a need to learn any of the various bypass methods. I looked for a whitelist but didn't see it. I HAVE used suppress to suppress some http_inspect rules, but I thought that was global and not per IP / domain / host name?

    Would you please point me in the right direction to add the IP to the whitelist? I don't even see where a whitelist exists.

    LOL-I'm SO lost.

  • This is what shows in the logs when PIA is being blocked:

    (spp_frag3) Fragmentation overlap -- 2019-02-22 12:12:54

  • Hi again. OK - after a bit of searching I found out: create a firewall alias and add all the VPN IPs to it. Then add the alias as a pass list in Snort, then add the pass list to each interface where I want it applied. Is this correct?

    It SEEMS to be working so far.

    Thanks a bunch!!

    Yes, pretty much that.
    Create the alias, add the VPN IPs to it as well as the auto-generated IPs. Use that as the Home Net in the Snort interface settings.


  • LOL - Well, I have no clue what I did, but after 20 minutes or so my son came downstairs and said he couldn't get connected - even though all indications were that he was connected, and indeed the LAN all worked fine, but he could not get out through the firewall.

    After about 30 minutes of troubleshooting he COULD get out and all was well - we assumed we had fixed it.

    I went back to my office and discovered that all of my 7 connected devices were now suffering the same thing as my son had just suffered. Rebooting the firewall and the devices changed nothing.

    So, I restored a config from before I had created any pass-list and instantly everything started working again.

    I still have the frag3 error and am not sure how to proceed considering my experience last night.

    Thanks for your patience:-) (hopefully)

    Obviously I think I understand something I clearly do not. I have no idea what I did that caused this.

    I assume it was still throwing alerts? And still adding IPs to the blocked list? The remote VPN IPs?

    If those are part of HomeNet, it should not.

    If you look at the alerts list, you can suppress the alerts completely or suppress and track by source or destination IP. Depending on whether it's alerting on incoming or outgoing traffic, you should be able to suppress just alerts for that rule from/to that IP.
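The two suppression forms described above, written out as Snort suppress-list entries (an added example, not from the thread). It assumes 203.0.113.10 as a placeholder for the PIA gateway address, and 123:8 as the GID:SID Snort assigns to the frag3 "Fragmentation overlap" event; confirm both against the entry on the Alerts tab before using them.

```snort
# Global form: silences frag3 "Fragmentation overlap" (GID 123, SID 8) for every host.
# This is the behaviour the original question wanted to avoid, because it also hides
# genuine fragment-overlap evasion attempts from any source.
suppress gen_id 123, sig_id 8

# Per-host form: same event, but only when the VPN gateway is the packet source
# (alert raised on inbound traffic). 203.0.113.10 is a placeholder, not a real gateway.
suppress gen_id 123, sig_id 8, track by_src, ip 203.0.113.10

# Use by_dst instead when the alert shows the gateway as destination (outbound traffic).
suppress gen_id 123, sig_id 8, track by_dst, ip 203.0.113.10

# The ip field accepts CIDR notation, which helps when the provider rotates gateways
# inside one block; keep it as narrow as the provider's published ranges allow.
suppress gen_id 123, sig_id 8, track by_dst, ip 203.0.113.0/24
```

Every other host still triggers the frag3 alert and block, so only the chosen gateway is exempted rather than the preprocessor as a whole.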


  • @stephenw10 Hey Stephen,

    Thank you very much for all your attempts at helping me out. I DO appreciate it.

    I resolved the issue by cancelling my subscription to the VPN service with the flaky client - I mean it won't even clean install ffs.

    Anyways, I didn't want to leave the thread hanging, so that's it - it's done. Problem resolved. I won't disable frag3 for a flaky client; that would be ridiculous. The other VPN service I have has a client that works flawlessly, and I am tired of banging my head against the wall with level one help-desk agents that have an "upgrade to the latest client" mantra and, when that doesn't work, wait 3-4 days with nothing on the ticket. PIA is being overwhelmed with customer tickets right now; it says so on their ticketing system, "unusual wait times" and all that type of language on their site. And this came as a direct result of their latest client release so....they must've pulled a Microsoft and released little better than alpha software as a full version production release. Whatever, not my problem anymore.

    Thanks once again for your efforts. They are appreciated.

