Allow Fragments in Rules

  • Can anyone shed light on how to allow fragments in Rules. I do not see any simple method of doing this.


  • I think that's not easy to do since pfSense has this in the rules by default:

    scrub in on $WAN all    fragment reassemble
    scrub in on $LAN all    fragment reassemble

    That means anything the filter rules see is already unfragmented. Quote from pf.conf manual page:

     fragment reassemble
               Using scrub rules, fragments can be reassembled by normalization.
               In this case, fragments are buffered until they form a complete
               packet, and only the completed packet is passed on to the filter.
               The advantage is that filter rules have to deal only with complete
               packets, and can ignore fragments.  The drawback of caching 
               fragments is the additional memory cost.  But the full reassembly
               method is the only method that currently works with NAT.  This is
               the default behavior of a scrub rule if no fragmentation modifier
               is supplied.

  • Thanks for the Reply. I have been having a difficult time with setting up a VPN with a partner organization that uses CISCO equipment. When I asked for assistance earlier this year in the forum the answer I recieved was that the packet was being blocked by the default rule because it was fragmented and required changes to the rules to allow fragments. see,24743.msg128207.html#msg128207

    If packets must be reassembled prior to reaching the filter then the answer I received is not correct. Does anyone know how to allow fragmented packets in a IPSEC tunnel with PFSENSE?


  • Rebel Alliance Developer Netgate

    FYI- You can disable those scrub rules under System > Advanced.

  • I forgot that option, it seems that it should do what is required for allowing fragments. However, can you use NAT in combination with it? The pf.conf manual page suggests that you can't.

  • Thanks everyone for your help. I believe we have been able to resolve the issue by going to - System - Advanced - Miscellaneous and turning on MSS Clamping for the IPSEC tunnel. Our packet captures indicated a problem with the PMTUD. I left it at the MSS default of 1400 and this is working. When we went through the difference with other tunnels that worked (CISCO to CISCO), they were all using GRE over IPSEC. We were not able to assign a GRE tunnel to IPSEC in PFSENSE, and since GRE can have the mtu set the PMTUD using a Pure iPSEC tunnel relied on ICMP type 3, subtype 4 passing from source to destination in order to get through PFSENSE filtering rules properly on the IPSEC interface. The clear df-bit did not help in our case.


  • Rebel Alliance Developer Netgate

    To use GRE over IPsec, you need to put IPsec into transport mode – not tunnel mode. It should be possible in the 2.0 GUI (though I haven't tried it yet)

Log in to reply