Netgate Discussion Forum

Allow Fragments in Rules

2.0-RC Snapshot Feedback and Problems - RETIRED
    biobob
    last edited by Sep 27, 2010, 4:12 PM

    Can anyone shed light on how to allow fragments in Rules. I do not see any simple method of doing this.

    thanks
    Biobob

      kpa
      last edited by Sep 27, 2010, 4:37 PM

      I think that's not easy to do since pfSense has this in the rules by default:

      ```
      scrub in on $WAN all    fragment reassemble
      scrub in on $LAN all    fragment reassemble
      ```

      That means anything the filter rules see is already unfragmented. Quote from pf.conf manual page:

      ```
      fragment reassemble
                 Using scrub rules, fragments can be reassembled by normalization.
                 In this case, fragments are buffered until they form a complete
                 packet, and only the completed packet is passed on to the filter.
                 The advantage is that filter rules have to deal only with complete
                 packets, and can ignore fragments.  The drawback of caching
                 fragments is the additional memory cost.  But the full reassembly
                 method is the only method that currently works with NAT.  This is
                 the default behavior of a scrub rule if no fragmentation modifier
                 is supplied.
      ```
        biobob
        last edited by Sep 27, 2010, 5:07 PM

        Thanks for the reply. I have been having a difficult time with setting up a VPN with a partner organization that uses CISCO equipment. When I asked for assistance earlier this year in the forum, the answer I received was that the packet was being blocked by the default rule because it was fragmented and required changes to the rules to allow fragments. See http://forum.pfsense.org/index.php/topic,24743.msg128207.html#msg128207

        If packets must be reassembled prior to reaching the filter, then the answer I received is not correct. Does anyone know how to allow fragmented packets in an IPSEC tunnel with PFSENSE?

        Biobob

          jimp Rebel Alliance Developer Netgate
          last edited by Sep 28, 2010, 1:38 PM

          FYI: You can disable those scrub rules under System > Advanced.

            kpa
            last edited by Sep 28, 2010, 2:57 PM

            I forgot that option; it seems that it should do what is required for allowing fragments. However, can you use NAT in combination with it? The pf.conf manual page suggests that you can't.

              biobob
              last edited by Sep 29, 2010, 11:26 AM

              Thanks everyone for your help. I believe we have been able to resolve the issue by going to System - Advanced - Miscellaneous and turning on MSS Clamping for the IPSEC tunnel. Our packet captures indicated a problem with the PMTUD. I left it at the MSS default of 1400 and this is working. When we went through the differences with other tunnels that worked (CISCO to CISCO), they were all using GRE over IPSEC. We were not able to assign a GRE tunnel to IPSEC in PFSENSE, and since GRE can have the MTU set, the PMTUD using a pure IPSEC tunnel relied on ICMP type 3, subtype 4 passing from source to destination in order to get through PFSENSE filtering rules properly on the IPSEC interface. The clear df-bit did not help in our case.

              Biobob

                jimp Rebel Alliance Developer Netgate
                last edited by Sep 29, 2010, 12:33 PM

                To use GRE over IPsec, you need to put IPsec into transport mode, not tunnel mode. It should be possible in the 2.0 GUI (though I haven't tried it yet).

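As an added illustration, not code from this thread or from pfSense's generated ruleset, the pf.conf forms behind the advice above: kpa's quoted default scrub, jimp's option of turning it off, and biobob's MSS clamping plus the ICMP "fragmentation needed" messages that PMTUD on a pure IPsec tunnel depends on. The interface names (em0, em1, enc0) and the 1400 value are assumptions; the rules must be merged into a real ruleset in pf's required order (scrub before filter rules).

```pf
# Added illustration only; not a complete ruleset. Interface macros are assumed.
WAN = "em0"
LAN = "em1"
ipsec_if = "enc0"   # interface on which decrypted IPsec traffic is filtered (assumption)

# --- Option A: pfSense default, as quoted from pf.conf above ---
# Fragments are buffered and reassembled before any pass/block rule runs,
# so filter rules only ever see whole packets. This is also the only
# fragment handling that works together with NAT.
scrub in on $WAN all fragment reassemble
scrub in on $LAN all fragment reassemble

# --- Option B: scrubbing disabled (System > Advanced in pfSense) ---
# Comment out the scrub lines above. Fragments then reach the filter as-is,
# and a rule with the "fragment" keyword is needed to let them through.
# Caveat from the man page: NAT does not work on unreassembled fragments,
# and "fragment" rules cannot match on ports or TCP flags, since
# non-first fragments carry no transport header.
# pass in quick on $ipsec_if inet fragment

# --- What finally worked for biobob: MSS clamping on the IPsec path ---
# max-mss rewrites the TCP MSS option in SYN packets so endpoints never
# send segments that would need fragmentation after ESP encapsulation.
# 1400 is the pfSense default value mentioned in the thread.
scrub on $ipsec_if all max-mss 1400

# PMTUD without clamping relies on ICMP type 3 code 4 (unreachable /
# fragmentation needed) crossing the firewall. Blocking it silently
# blackholes large packets, which matches the symptom in the thread.
pass in quick on $ipsec_if inet proto icmp from any to any icmp-type unreach code needfrag keep state
pass out quick on $ipsec_if inet proto icmp from any to any icmp-type unreach code needfrag keep state
```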
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.