Netgate Discussion Forum
    MSS not working for inbound NAT traffic since pfSense 2.7.x

    General pfSense Questions
    1 Posts 1 Posters 134 Views
      shodan
      last edited by shodan

      Hi all, since pfSense 2.7.x I have issues with MSS not being honored for inbound NAT traffic.

      Interfaces are defined as the following:
      vtnet0 LAN
      vtnet1 DMZ
      vtnet2 WAN

      Setting vtnet2 (WAN) MSS to 1420 correctly creates a pf rule as the following:
      scrub on vtnet2 inet all max-mss 1380 fragment reassemble

      Traffic coming from LAN/DMZ to WAN has MSS correctly clamped to 1380. However, traffic incoming from WAN to DMZ shows an unchanged MSS being negotiated between the external and the internal machines. Please note that I traced packets not only on the receiving machine, but on WAN and DMZ interfaces also.

      tcpdump output is something similar to this:

      • incoming packet on vtnet2: MSS set to 1460 (right: this is the packet as coming in, before clamping);
      • incoming packet on vtnet1: MSS set to 1460 (wrong: the packet should have been scrubbed);
      • incoming packet on DMZ machine: MSS set to 1460 (wrong: see above)

      To work around the issue, I had to set MSS on the DMZ interface also, with a corresponding pf rule:
      scrub on vtnet1 inet all max-mss 1380 fragment reassemble

      Doing that, I can see packets on vtnet1 and on the receiving machine being clamped to a lower 1380 MSS. While I worked around the issue, it seems wrong to specify MSS on the DMZ interface, because:

      • the scrub rule on vtnet2 (WAN) should match all traffic (both incoming and outgoing);
      • the lower-than-default MSS depends on the WAN link itself;
      • the scrub rule on vtnet1 (DMZ) unnecessarily impacts traffic flowing between LAN and DMZ;
      • in previous pfSense versions, I had no such issue.

      Anyone with the same problem? Am I missing something?
      Thanks.

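The post above relies on reading MSS values out of tcpdump captures taken on several interfaces and comparing them with the max-mss value pf should enforce. The following is an added example, not code from the thread or from pfSense, that automates that comparison: it derives the pf max-mss figure from the interface MSS setting (the post's 1420 on WAN becoming max-mss 1380 in the inet rule, i.e. 40 bytes of IPv4 + TCP header overhead; the 60-byte IPv6 figure is an assumption about pfSense's inet6 rule, which the post does not show), parses SYN/SYN-ACK lines in `tcpdump -n` format, and lists segments whose advertised MSS is above the cap. The capture lines, the RFC 5737 addresses and the DMZ host 10.0.20.10 are constructed for the example. As the post notes, a capture on the WAN ingress interface sees the packet before pf scrubs it, so only captures taken after pf has processed the packet (the egress interface or the end host) are meaningful inputs to `unclamped()`.

```python
"""Check tcpdump SYN captures for pf max-mss clamping (added example, not from the thread)."""
import re

# Matches one tcpdump -n line for an IPv4 TCP segment, e.g.
#   10:00:00.000001 IP 203.0.113.5.51234 > 198.51.100.10.443: Flags [S], seq 1, win 64240, options [mss 1460,sackOK,...], length 0
SYN_RE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\].*?"
    r"options \[(?P<opts>[^\]]*)\]"
)


def pf_max_mss(interface_mss: int, family: str = "inet") -> int:
    """Value pf clamps to for a given pfSense interface MSS setting.

    The inet rule subtracts the 40 bytes of IPv4 + TCP header (1420 -> 1380, as in
    the post). The 60-byte IPv6 + TCP overhead for the inet6 rule is an assumption
    about pfSense's rule generator; the post shows only the inet rule.
    """
    overhead = {"inet": 40, "inet6": 60}[family]
    return interface_mss - overhead


def syn_mss(line: str):
    """Return (src, dst, mss) for a SYN or SYN/ACK line, else None."""
    m = SYN_RE.match(line)
    if not m or "S" not in m.group("flags"):
        return None
    for opt in m.group("opts").split(","):
        opt = opt.strip()
        if opt.startswith("mss "):
            return m.group("src"), m.group("dst"), int(opt[4:])
    return None  # SYN without an MSS option


def unclamped(lines, cap: int):
    """SYNs whose advertised MSS exceeds cap.

    Only meaningful for captures taken after pf processed the packet: the egress
    interface of the firewall or the receiving host, never the WAN ingress tap.
    """
    return [p for p in map(syn_mss, lines) if p and p[2] > cap]


# Constructed captures modelled on the post's scenario (not real traffic).
CAP = pf_max_mss(1420)  # 1380, matching "max-mss 1380" in the post

# vtnet2 (WAN) ingress: seen before scrub, so 1460 is expected here.
WAN_INGRESS_VTNET2 = [
    "10:00:00.000001 IP 203.0.113.5.51234 > 198.51.100.10.443: Flags [S], seq 1, win 64240, "
    "options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0",
]
# vtnet1 (DMZ) egress after NAT, behaviour the post reports as broken: still 1460.
DMZ_EGRESS_VTNET1_BROKEN = [
    "10:00:00.000050 IP 203.0.113.5.51234 > 10.0.20.10.443: Flags [S], seq 1, win 64240, "
    "options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0",
    "10:00:00.000400 IP 203.0.113.5.51234 > 10.0.20.10.443: Flags [.], ack 10, win 502, "
    "options [nop,nop,TS val 2 ecr 5], length 0",
]
# vtnet1 (DMZ) egress with the workaround scrub rule on vtnet1: clamped to 1380.
DMZ_EGRESS_VTNET1_FIXED = [
    "10:00:00.000050 IP 203.0.113.5.51234 > 10.0.20.10.443: Flags [S], seq 1, win 64240, "
    "options [mss 1380,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0",
]
# vtnet2 (WAN) egress, the direction the post says works: SYN/ACK clamped to 1380.
WAN_EGRESS_VTNET2 = [
    "10:00:00.000300 IP 198.51.100.10.443 > 203.0.113.5.51234: Flags [S.], seq 9, ack 2, win 65160, "
    "options [mss 1380,sackOK,TS val 5 ecr 1,nop,wscale 7], length 0",
]

if __name__ == "__main__":
    for name, lines in [("vtnet1 (broken)", DMZ_EGRESS_VTNET1_BROKEN),
                        ("vtnet1 (fixed)", DMZ_EGRESS_VTNET1_FIXED),
                        ("vtnet2 egress", WAN_EGRESS_VTNET2)]:
        hits = unclamped(lines, CAP)
        print(f"{name}: {len(hits)} SYN(s) above max-mss {CAP}: {hits}")
```

To feed it real data, capture only SYNs on the interface the packet leaves by, e.g. `tcpdump -ni vtnet1 'tcp[tcpflags] & tcp-syn != 0'`, and pass the lines to `unclamped()`; a capture on the WAN ingress interface will always show the unclamped value and should not be treated as a failure.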
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.