pfSense and TTL=1



  • The problem: many ISPs modify the TTL (time to live) value of all incoming packets to 1, so when they enter the router it decrements the TTL to 0 and, being zero, the packet gets dropped (and doesn't reach any of the computers in the local network). When ipstealth is set (sysctl net.inet.ip.stealth=1) it works OK, but if, for example, we have a wireless AP in our home network, laptops connected to the AP don't have internet.
    I read about scrub min-ttl in http://forum.pfsense.org/index.php/topic,4712.0.html but in v2 there is nothing about $rules .= "scrub all :


    less /etc/inc/filter.inc | grep scrub
        $rules .= filter_generate_scrubing();
    function filter_generate_scrubing() {
        $scrubrules = "";
        /* disable scrub option */
        foreach ($FilterIflist as $scrubif => $scrubcfg) {
            if(isset($scrubcfg['virtual']))
            if($scrubcfg['mtu'] <> "" && is_numeric($scrubcfg['mtu']) && $scrubcfg['if'] != "pppoe" && $scrubcfg['if'] != "pptp")
                $mssclamp = "max-mss " . (intval($scrubcfg['mtu'] - 40));
            if($config['system']['scrubnodf'])
                $scrubnodf = "no-df";
                $scrubnodf = "";
            if($config['system']['scrubrnid'])
                $scrubrnid = "random-id";
                $scrubrnid = "";
            if(!isset($config['system']['disablescrub']))
                $scrubrules .= "scrub in on \${$scrubcfg['descr']} all {$scrubnodf} {$scrubrnid} {$mssclamp} fragment reassemble\n"; // reassemble all directions
                $scrubrules .= "scrub in on \${$scrubcfg['descr']} {$mssclamp}\n";
        return $scrubrules;



  • Well, that was a hack 4 yrs ago based on the software then. Look at the filter code you found and try inserting the equivalent change somewhere?



  • @danswartz:

    well, that was a hack 4 yrs ago based on the software then. Look at the filter code you found and try inserting the equivalent change somewhere?

    It would be fine if, in the menu Firewall Rules, submenu Advanced features, there were menu options like min-ttl/max-ttl value changes.



  • I don't understand what you are saying. Are you saying you can put such tweaks there, or do you think that should be enhanced by the devs to allow that? Or something else?



  • @danswartz:

    I don't understand what you are saying. Are you saying you can put such tweaks there, or do you think that should be enhanced by the devs to allow that? Or something else?

    I say that the devs could add this nice feature as min-ttl/max-ttl changeable options in Firewall Rules, submenu Advanced features.
    Sorry if my English is not too good.



  • If you need to mangle the packet TTL in pfSense v2, change the following line in /etc/inc/filter.inc:

    Look around line 413/442 and replace:


    $scrubrules .= "scrub in on \${$scrubcfg['descr']} all {$scrubnodf} {$scrubrnid} {$mssclamp} fragment reassemble\n"; // reassemble all directions

    with

    $scrubrules .= "scrub in on \${$scrubcfg['descr']} all min-ttl 255 {$scrubnodf} {$scrubrnid} {$mssclamp} fragment reassemble\n"; // reassemble all directions


    Default output is:

    pfctl -sr
    scrub in on rl0 all fragment reassemble
    scrub in on fxp0 all fragment reassemble

    and with the modified value:

    pfctl -sr
    scrub in on rl0 all min-ttl 255 fragment reassemble
    scrub in on fxp0 all min-ttl 255 fragment reassemble


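The workaround above, and the TTL=1 failure described in the opening post, as an added example that is not part of the thread and not pfSense code. It is a small /bin/sh helper (all function names and the MIN_TTL default are assumed here) that does three things: models what pf's `min-ttl` does to an inbound packet before the router decrements the TTL (pf raises the TTL of matching packets to at least the given value), applies the same edit to the scrub line in /etc/inc/filter.inc text on stdin without duplicating it on a second run, and reads `pfctl -sr` output to report any `scrub in` rule that still lacks `min-ttl`, so the change can be verified the way the post does. Sample inputs are constructed from the lines quoted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense. Helper names are hypothetical.
#   forwarded_ttl MIN IN   - TTL a packet leaves the router with when it arrived
#                            with TTL IN under "scrub ... min-ttl MIN" (0 = no min-ttl);
#                            prints "drop" when the router cannot forward it.
#   add_min_ttl            - patch /etc/inc/filter.inc text on stdin so the generated
#                            "scrub in on $IF all ... fragment reassemble" rule carries
#                            "min-ttl $MIN_TTL" (assumed default 255, as in the post).
#   scrub_missing_min_ttl  - read `pfctl -sr` output on stdin; print each interface whose
#                            "scrub in" rule has no min-ttl; exit 1 if any were found.

MIN_TTL="${MIN_TTL:-255}"

forwarded_ttl() {
    min=$1
    ttl=$2
    # pf's min-ttl raises the TTL of matching inbound packets to at least MIN.
    if [ "$ttl" -lt "$min" ]; then
        ttl=$min
    fi
    # Forwarding decrements the TTL; a packet that would reach 0 is discarded
    # (ICMP time exceeded). That is exactly the ISP "TTL=1" failure.
    if [ "$ttl" -le 1 ]; then
        echo drop
    else
        echo $((ttl - 1))
    fi
}

add_min_ttl() {
    # Touch only the "scrub in on ... all ... fragment reassemble" line, and only if
    # it does not already carry min-ttl, so re-running the patch is harmless.
    sed -e '/scrub in on .* all .*fragment reassemble/{' \
        -e '/min-ttl/!s/ all / all min-ttl '"$MIN_TTL"' /' \
        -e '}'
}

scrub_missing_min_ttl() {
    # $4 is the interface name in "scrub in on <if> ...".
    awk '/^scrub in on / && !/min-ttl/ { print $4; missing++ }
         END { exit (missing ? 1 : 0) }'
}

# Constructed sample: the scrub line from filter.inc as quoted in the thread.
sample_filter_inc() {
    cat <<'EOF'
$scrubrules .= "scrub in on \${$scrubcfg['descr']} all {$scrubnodf} {$scrubrnid} {$mssclamp} fragment reassemble\n"; // reassemble all directions
EOF
}

# Constructed samples: pfctl -sr output before and after the change, as in the post.
sample_pfctl_before() {
    cat <<'EOF'
scrub in on rl0 all fragment reassemble
scrub in on fxp0 all fragment reassemble
EOF
}
sample_pfctl_after() {
    cat <<'EOF'
scrub in on rl0 all min-ttl 255 fragment reassemble
scrub in on fxp0 all min-ttl 255 fragment reassemble
EOF
}

patched_sample() { sample_filter_inc | add_min_ttl; }

# Demo on the constructed samples (on a real box: add_min_ttl </etc/inc/filter.inc
# into a copy, review the diff, install it, reload the filter, then pfctl -sr).
printf 'TTL 1, no min-ttl   -> %s\n' "$(forwarded_ttl 0 1)"
printf 'TTL 1, min-ttl 255  -> %s\n' "$(forwarded_ttl 255 1)"
printf 'patched line: %s\n' "$(patched_sample)"
printf 'interfaces lacking min-ttl (before): %s\n' "$(sample_pfctl_before | scrub_missing_min_ttl | tr '\n' ' ')"
printf 'interfaces lacking min-ttl (after):  %s\n' "$(sample_pfctl_after | scrub_missing_min_ttl | tr '\n' ' ')"
```

Two caveats worth keeping in mind: /etc/inc/filter.inc is a system file, so this edit is lost on the next pfSense upgrade and has to be reapplied and re-checked with `pfctl -sr`; and the patched line is emitted once per interface in `$FilterIflist`, so `min-ttl 255` is applied to inbound traffic on the LAN-side interfaces as well, not just on the WAN where the ISP rewrites the TTL.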

  • It did work for me! Thanks a lot, mate!
      8)

