Enable MSS clamping on VPN traffic doesn't work
-
I have multiple Areca controllers behind IPsec tunnels and their web page doesn't load properly.
Before, with bintec router to bintec router, it worked. With pfSense, if I ping -l 1391 it doesn't work. If I ping -l 1390 it works.
Enabling "Enable MSS clamping on VPN traffic" with value 1200 doesn't clear the problem.
I toggled "Clear invalid DF bits instead of dropping the packet".
Disabled "Insert a stronger id into IP header of packets passing through the filter."
No change.
-
Run:
grep scrub /tmp/rules.debug
and:
grep vpn /tmp/rules.debug
and post the output.
And get a packet capture of the traffic.
-
scrub in from any to <vpns> max-mss 1200
scrub in on $CABLE all random-id fragment reassemble
scrub in on $LAN all random-id fragment reassemble
table <vpns> { 10.19.8.0/22 192.168.18.0/23 192.168.165.0/24 10.19.12.0/22 192.168.192.0/24 192.168.1.0/24 172.19.16.0/22 10.19.28.0/22 192.168.33.0/24 192.168.254.0/24 192.168.251.0/24 10.19.116.0/22 10.0.0.0/28 192.168.29.0/24 10.19.120.0/22 10.19.112.0/23 }
I can only capture on LAN or CABLE, not IPSEC.
On LAN:
16:12:45.216723 IP 10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 53555, length 1399
16:12:47.103431 IP 10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 53563, length 1399
16:12:49.100064 IP 10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 53573, length 1399
16:12:51.112434 IP 10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 53581, length 1399
In the firewall log I get:
Dec 7 16:14:19 enc0 192.168.165.77 10.19.1.150 ICMP
Dec 7 16:14:19 enc0 192.168.165.77 10.19.1.150 ICMP
Now I patched the Packet Capture form and added interface enc0:
16:24:12.545890 (authentic,confidential): SPI 0x73a9f4f1: IP 10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 57021, length 1399
16:24:12.573942 (authentic,confidential): SPI 0x0594434b: IP 192.168.165.77 > 10.19.1.150: ICMP echo reply, id 95, seq 57021, length 1392
16:24:12.576987 (authentic,confidential): SPI 0x0594434b: IP 192.168.165.77 > 10.19.1.150: icmp
16:24:14.208635 (authentic,confidential): SPI 0x73a9f4f1: IP 10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 57028, length 1399
16:24:14.239749 (authentic,confidential): SPI 0x0594434b: IP 192.168.165.77 > 10.19.1.150: ICMP echo reply, id 95, seq 57028, length 1392
16:24:14.242213 (authentic,confidential): SPI 0x0594434b: IP 192.168.165.77 > 10.19.1.150: icmp
16:24:16.206258 (authentic,confidential): SPI 0x73a9f4f1: IP 10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 57039, length 1399
16:24:16.236389 (authentic,confidential): SPI 0x0594434b: IP 192.168.165.77 > 10.19.1.150: ICMP echo reply, id 95, seq 57039, length 1392
16:24:16.239451 (authentic,confidential): SPI 0x0594434b: IP 192.168.165.77 > 10.19.1.150: icmp
16:24:18.203888 (authentic,confidential): SPI 0x73a9f4f1: IP 10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 57050, length 1399
16:24:18.234164 (authentic,confidential): SPI 0x0594434b: IP 192.168.165.77 > 10.19.1.150: ICMP echo reply, id 95, seq 57050, length 1392
16:24:18.237581 (authentic,confidential): SPI 0x0594434b: IP 192.168.165.77 > 10.19.1.150: icmp
16:24:20.201519 (authentic,confidential): SPI 0x73a9f4f1: IP 10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 57061, length 1399
16:24:20.231906 (authentic,confidential): SPI 0x0594434b: IP 192.168.165.77 > 10.19.1.150: ICMP echo reply, id 95, seq 57061, length 1392
16:24:20.236719 (authentic,confidential): SPI 0x0594434b: IP 192.168.165.77 > 10.19.1.150: icmp
Feature request: add enc0 to the packet capture interface list.
-
Now again with more details:
I think the bad checksum is an interpreter failure, because the ping in the second part is working. Windows should ignore a wrong packet.
Can somebody verify this?
Not working:
16:31:16.037859 (authentic,confidential): SPI 0x73a9f4f1: (tos 0x0, ttl 126, id 17458, offset 0, flags [none], proto ICMP (1), length 1419, bad cksum 80a1 (->81a1)!)
10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 58999, length 1399
16:31:16.067375 (authentic,confidential): SPI 0x0594434b: (tos 0x0, ttl 63, id 18113, offset 0, flags [+], proto ICMP (1), length 1412)
192.168.165.77 > 10.19.1.150: ICMP echo reply, id 95, seq 58999, length 1392
16:31:16.074431 (authentic,confidential): SPI 0x0594434b: (tos 0x0, ttl 63, id 18113, offset 1392, flags [none], proto ICMP (1), length 27)
192.168.165.77 > 10.19.1.150: icmp
16:31:17.784822 (authentic,confidential): SPI 0x73a9f4f1: (tos 0x0, ttl 126, id 17473, offset 0, flags [none], proto ICMP (1), length 1419, bad cksum 8092 (->8192)!)
10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 59008, length 1399
16:31:17.818824 (authentic,confidential): SPI 0x0594434b: (tos 0x0, ttl 63, id 18114, offset 0, flags [+], proto ICMP (1), length 1412)
192.168.165.77 > 10.19.1.150: ICMP echo reply, id 95, seq 59008, length 1392
16:31:17.822738 (authentic,confidential): SPI 0x0594434b: (tos 0x0, ttl 63, id 18114, offset 1392, flags [none], proto ICMP (1), length 27)
192.168.165.77 > 10.19.1.150: icmp
16:31:19.782495 (authentic,confidential): SPI 0x73a9f4f1: (tos 0x0, ttl 126, id 17488, offset 0, flags [none], proto ICMP (1), length 1419, bad cksum 8083 (->8183)!)
10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 59018, length 1399
16:31:19.811340 (authentic,confidential): SPI 0x0594434b: (tos 0x0, ttl 63, id 18115, offset 0, flags [+], proto ICMP (1), length 1412)
192.168.165.77 > 10.19.1.150: ICMP echo reply, id 95, seq 59018, length 1392
16:31:19.816631 (authentic,confidential): SPI 0x0594434b: (tos 0x0, ttl 63, id 18115, offset 1392, flags [none], proto ICMP (1), length 27)
192.168.165.77 > 10.19.1.150: icmp
Working:
16:31:28.509078 (authentic,confidential): SPI 0x73a9f4f1: (tos 0x0, ttl 126, id 17538, offset 0, flags [none], proto ICMP (1), length 1418, bad cksum 8052 (->8152)!)
10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 59061, length 1398
16:31:28.538236 (authentic,confidential): SPI 0x0594434b: (tos 0x0, ttl 63, id 18116, offset 0, flags [none], proto ICMP (1), length 1418)
192.168.165.77 > 10.19.1.150: ICMP echo reply, id 95, seq 59061, length 1398
16:31:29.521018 (authentic,confidential): SPI 0x73a9f4f1: (tos 0x0, ttl 126, id 17551, offset 0, flags [none], proto ICMP (1), length 1418, bad cksum 8045 (->8145)!)
10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 59068, length 1398
16:31:29.549053 (authentic,confidential): SPI 0x0594434b: (tos 0x0, ttl 63, id 18117, offset 0, flags [none], proto ICMP (1), length 1418)
192.168.165.77 > 10.19.1.150: ICMP echo reply, id 95, seq 59068, length 1398
16:31:30.535453 (authentic,confidential): SPI 0x73a9f4f1: (tos 0x0, ttl 126, id 17556, offset 0, flags [none], proto ICMP (1), length 1418, bad cksum 8040 (->8140)!)
10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 59073, length 1398
16:31:30.567739 (authentic,confidential): SPI 0x0594434b: (tos 0x0, ttl 63, id 18118, offset 0, flags [none], proto ICMP (1), length 1418)
192.168.165.77 > 10.19.1.150: ICMP echo reply, id 95, seq 59073, length 1398
16:31:31.549893 (authentic,confidential): SPI 0x73a9f4f1: (tos 0x0, ttl 126, id 17563, offset 0, flags [none], proto ICMP (1), length 1418, bad cksum 8039 (->8139)!)
10.19.1.150 > 192.168.165.77: ICMP echo request, id 95, seq 59080, length 1398
16:31:31.579935 (authentic,confidential): SPI 0x0594434b: (tos 0x0, ttl 63, id 18119, offset 0, flags [none], proto ICMP (1), length 1418)
192.168.165.77 > 10.19.1.150: ICMP echo reply, id 95, seq 59080, length 1398
-
MSS is TCP-only; it has no impact on ICMP, since ICMP has no concept of MSS. It is setting the proper MSS clamping; we just need to see some TCP traffic.
-
Today the max size is 1472 bytes.
ping -l 1473 doesn't reply.
ping -f -l 1473 says to clear the DF bit.
I have changed the ICMP rules to allow any ICMP from WAN and IPSEC.
But the webpage isn't reachable.
I can ping -l 1600 to the bintec router, Windows server, …
If I ping the Areca controller over pfSense-pfSense it doesn't work either.
I never tried to ping an Areca controller with ping -l 1473 before. But the webpage worked before.
14:39:08.407301 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19449, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 2348573:2349945, ack 707714766, win 1446, length 1372
14:39:08.413007 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19449, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.414011 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19450, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 1446:2818, ack 1, win 1446, length 1372
14:39:08.414218 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19450, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.414473 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19451, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 2892:4264, ack 1, win 1446, length 1372
14:39:08.414563 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19451, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.415757 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19452, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 4338:5710, ack 1, win 1446, length 1372
14:39:08.418103 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19452, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.418361 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19453, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 5784:7156, ack 1, win 1446, length 1372
14:39:08.418449 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19453, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.418707 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19454, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 7230:8602, ack 1, win 1446, length 1372
14:39:08.418796 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19454, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.419072 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19455, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 8676:10048, ack 1, win 1446, length 1372
14:39:08.419240 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19455, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.420008 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19456, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 10122:11494, ack 1, win 1446, length 1372
14:39:08.420214 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19456, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.420469 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19457, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 11568:12940, ack 1, win 1446, length 1372
14:39:08.425213 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19457, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.425623 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19458, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 13014:14386, ack 1, win 1446, length 1372
14:39:08.426707 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19458, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.431746 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19459, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 14460:15832, ack 1, win 1446, length 1372
14:39:08.432700 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19459, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.432956 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19460, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 15906:17278, ack 1, win 1446, length 1372
14:39:08.442570 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19460, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.445738 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19461, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 17352:18724, ack 1, win 1446, length 1372
14:39:08.452087 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19461, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.452345 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19462, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 18798:20170, ack 1, win 1446, length 1372
14:39:08.452433 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19462, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.452691 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19463, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 20244:21616, ack 1, win 1446, length 1372
14:39:08.452777 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19463, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.454856 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19464, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 21690:23062, ack 1, win 1446, length 1372
14:39:08.460558 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19464, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.460815 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19465, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 23136:24508, ack 1, win 1446, length 1372
14:39:08.460902 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19465, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.461182 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19466, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 24582:25954, ack 1, win 1446, length 1372
14:39:08.461269 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19466, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.465121 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19467, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 26028:27400, ack 1, win 1446, length 1372
14:39:08.471804 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19467, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.472094 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19468, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 27474:28846, ack 1, win 1446, length 1372
14:39:08.472184 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19468, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.475465 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19469, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 28920:30292, ack 1, win 1446, length 1372
14:39:08.481864 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19469, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.485358 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19470, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 30366:31738, ack 1, win 1446, length 1372
14:39:08.490173 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19470, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.492229 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19471, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 31812:33184, ack 1, win 1446, length 1372
14:39:08.502702 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19471, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.502952 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19472, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 33258:34630, ack 1, win 1446, length 1372
14:39:08.503059 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19472, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.503318 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19473, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 34704:36076, ack 1, win 1446, length 1372
14:39:08.503406 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19473, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.503667 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19474, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 36150:37522, ack 1, win 1446, length 1372
14:39:08.503752 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19474, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.507621 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19475, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 37596:38968, ack 1, win 1446, length 1372
14:39:08.515412 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19475, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.515670 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19476, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 39042:40414, ack 1, win 1446, length 1372
14:39:08.515755 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19476, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.517566 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19477, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 40488:41860, ack 1, win 1446, length 1372
14:39:08.522265 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19477, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.524306 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19478, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 41934:43306, ack 1, win 1446, length 1372
14:39:08.531634 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19478, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.537688 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19479, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 43380:44752, ack 1, win 1446, length 1372
14:39:08.547253 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19479, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.547506 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19480, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 44826:46198, ack 1, win 1446, length 1372
14:39:08.547599 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19480, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.547855 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19481, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 46272:47644, ack 1, win 1446, length 1372
14:39:08.547943 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19481, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.548220 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19482, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 47718:49090, ack 1, win 1446, length 1372
14:39:08.548307 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19482, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.549670 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19483, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 49164:50536, ack 1, win 1446, length 1372
14:39:08.556243 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19483, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.556497 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19484, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 50610:51982, ack 1, win 1446, length 1372
14:39:08.556587 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19484, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.556974 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19485, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 52056:53428, ack 1, win 1446, length 1372
14:39:08.557082 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19485, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.562195 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19486, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 53502:54874, ack 1, win 1446, length 1372
14:39:08.566988 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19486, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.575062 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19487, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 54948:56320, ack 1, win 1446, length 1372
14:39:08.575135 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19487, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.576140 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19488, offset 0, flags [none], proto TCP (6), length 1179) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], cksum 0xe85a (correct), seq 56394:57533, ack 1, win 1446, length 1139
14:39:08.576547 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6612, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 705d (->715d)!) 10.19.1.150.49896 > 192.168.165.77.80: Flags [.], cksum 0x9d90 (correct), seq 1, ack 0, win 65070, length 0
14:39:08.753576 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6615, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 705a (->715a)!) 10.19.1.150.49896 > 192.168.165.77.80: Flags [R.], cksum 0x9bbb (correct), seq 1, ack 0, win 0, length 0
14:39:08.753829 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6616, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 7059 (->7159)!) 10.19.1.150.49897 > 192.168.165.77.80: Flags [R.], cksum 0x67ce (correct), seq 3295702231, ack 1106385, win 0, length 0
14:39:08.754041 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6617, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 7058 (->7158)!) 10.19.1.150.49898 > 192.168.165.77.80: Flags [R.], cksum 0xf8a7 (correct), seq 2938165598, ack 719301, win 0, length 0
14:39:08.757381 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6618, offset 0, flags [DF], proto TCP (6), length 48, bad cksum 704f (->714f)!) 10.19.1.150.49901 > 192.168.165.77.80: Flags [s], cksum 0xc5f6 (correct), seq 1740833165, win 8192, options [mss 1200,nop,nop,sackOK], length 0
14:39:08.793422 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19489, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49898: Flags [P.], seq 1:1373, ack 0, win 1446, length 1372
14:39:08.797895 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19489, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
14:39:08.798073 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19490, offset 0, flags [none], proto TCP (6), length 44) 192.168.165.77.80 > 10.19.1.150.49901: Flags [S.], cksum 0xd2c5 (correct), seq 2826592, ack 1740833166, win 1446, options [mss 1446], length 0
14:39:08.798411 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6620, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 7055 (->7155)!) 10.19.1.150.49901 > 192.168.165.77.80: Flags [.], cksum 0xf1eb (correct), seq 1, ack 1, win 65070, length 0
14:39:08.798794 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6621, offset 0, flags [DF], proto TCP (6), length 644, bad cksum 6df8 (->6ef8)!) 10.19.1.150.49901 > 192.168.165.77.80: Flags [P.], cksum 0x5a60 (correct), seq 1:605, ack 1, win 65070, length 604
14:39:08.831836 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19491, offset 0, flags [none], proto TCP (6), length 40) 192.168.165.77.80 > 10.19.1.150.49901: Flags [.], cksum 0xe818 (correct), seq 1, ack 605, win 1446, length 0
14:39:08.835273 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19492, offset 0, flags [none], proto TCP (6), length 770) 192.168.165.77.80 > 10.19.1.150.49901: Flags [P.], cksum 0x072c (correct), seq 1:731, ack 605, win 1446, length 730
14:39:08.837857 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6622, offset 0, flags [DF], proto TCP (6), length 926, bad cksum 6cdd (->6ddd)!) 10.19.1.150.49901 > 192.168.165.77.80: Flags [P.], cksum 0x2d71 (correct), seq 605:1491, ack 731, win 64340, length 886
14:39:08.838924 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6623, offset 0, flags [DF], proto TCP (6), length 48, bad cksum 704a (->714a)!) 10.19.1.150.49902 > 192.168.165.77.80: Flags [s], cksum 0xc025 (correct), seq 1289560643, win 8192, options [mss 1200,nop,nop,sackOK], length 0
14:39:08.839899 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6624, offset 0, flags [DF], proto TCP (6), length 48, bad cksum 7049 (->7149)!) 10.19.1.150.49903 > 192.168.165.77.80: Flags [s], cksum 0x81c1 (correct), seq 3762146629, win 8192, options [mss 1200,nop,nop,sackOK], length 0
14:39:08.868181 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19493, offset 0, flags [none], proto TCP (6), length 40) 192.168.165.77.80 > 10.19.1.150.49901: Flags [.], cksum 0xe1c8 (correct), seq 731, ack 1491, win 1446, length 0
14:39:08.872257 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19494, offset 0, flags [none], proto TCP (6), length 821) 192.168.165.77.80 > 10.19.1.150.49901: Flags [P.], cksum 0x3e12 (correct), seq 731:1512, ack 1491, win 1446, length 781
14:39:08.877155 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19495, offset 0, flags [none], proto TCP (6), length 44) 192.168.165.77.80 > 10.19.1.150.49902: Flags [S.], cksum 0x9167 (correct), seq 4611282, ack 1289560644, win 1446, options [mss 1446], length 0
14:39:08.877452 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6625, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 7050 (->7150)!) 10.19.1.150.49902 > 192.168.165.77.80: Flags [.], cksum 0xb08d (correct), seq 1, ack 1, win 65070, length 0
14:39:08.877946 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6626, offset 0, flags [DF], proto TCP (6), length 924, bad cksum 6cdb (->6ddb)!) 10.19.1.150.49902 > 192.168.165.77.80: Flags [P.], cksum 0xf752 (correct), seq 1:885, ack 1, win 65070, length 884
14:39:08.878398 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19496, offset 0, flags [none], proto TCP (6), length 44) 192.168.165.77.80 > 10.19.1.150.49903: Flags [S.], cksum 0x4dc8 (correct), seq 4219411, ack 3762146630, win 1446, options [mss 1446], length 0
In the firewall log as blocked:
Dec 8 14:40:03 enc0 192.168.165.77 10.19.1.150 TCP:
Dec 8 14:40:03 enc0 192.168.165.77:80 10.19.1.150:49902 TCP:PA
Dec 8 14:40:03 enc0 192.168.165.77 10.19.1.150 TCP:
Dec 8 14:40:03 enc0 192.168.165.77:80 10.19.1.150:49902 TCP:PA
Dec 8 14:40:00 enc0 192.168.165.77 10.19.1.150 TCP:
Dec 8 14:40:00 enc0 192.168.165.77:80 10.19.1.150:49902 TCP:PA
Dec 8 14:40:00 enc0 192.168.165.77 10.19.1.150 TCP:
Dec 8 14:40:00 enc0 192.168.165.77:80 10.19.1.150:49902 TCP:PA
Dec 8 14:39:57 enc0 192.168.165.77 10.19.1.150 TCP:
Dec 8 14:39:57 enc0 192.168.165.77:80 10.19.1.150:49902 TCP:PA
-
Now I got a little bit further.
The Areca controller never answers fragmented pings.
It seems pfSense discards fragmented packets with PSH set:
1249669.492 X DATA[1414]
0000: 00 00 45 00 05 84 0b d1 20 00 40 06 bd be 0a 13 ..E..... .@.....
0010: 76 29 0a 13 01 96 00 50 c6 29 00 1a 50 ef 41 9e v).....P.)..P.A.
0020: 21 f0 50 18 05 a6 !.P...
IP-Packet from 10.19.118.41 to 10.19.1.150 protocol TCP Fragment: ID 3025 bytes 0 ... 1391
TCP-Message, sourceport 80 destinationport 50729 sequence number 1724655 acknowledgement number 1100882416 offset 5 flags ACK PSH window 1446 checksum 0x2809 urgent 0
1249669.500 X DATA[0096]
0000: 00 00 45 00 00 5e 0b d1 00 ae 40 06 e2 36 0a 13 ..E..^....@..6..
0010: 76 29 0a 13 01 96 69 64 74 68 3d 22 39 38 25 22 v)....idth="98%"
0020: 3e 0d 0a 3c 74 72 >..<tr
IP-Packet from 10.19.118.41 to 10.19.1.150 protocol TCP Fragment: ID 3025 bytes 1392 ... 1465
firewall log:
Dec 8 18:23:53 enc0 10.19.118.40:80 10.19.1.150:50729 TCP:PA
-
You have to allow fragments in the IPsec rule, otherwise pf will drop them.
-
But fragmented ICMP works?
And how should I allow fragmented packets?
1252982.843 R DATA[1630]
0000: 01 00 45 00 06 5c 48 5e 00 00 7d 01 65 23 0a 13 ..E..\H^..}.e#..
0010: 01 96 0a 13 74 64 08 00 08 7c 00 66 3a 6e 61 62 ....td...|.f:nab
0020: 63 64 65 66 67 68 cdefgh
IP-Packet from 10.19.1.150 to 10.19.116.100 protocol ICMP
ICMP-Message , type echo request
1252982.851 X DATA[1414]
0000: 00 00 45 00 05 84 26 06 20 00 40 01 a5 53 0a 13 ..E...&. .@..S..
0010: 74 64 0a 13 01 96 00 00 10 7c 00 66 3a 6e 61 62 td.......|.f:nab
0020: 63 64 65 66 67 68 cdefgh
IP-Packet from 10.19.116.100 to 10.19.1.150 protocol ICMP Fragment: ID 9734 bytes 0 ... 1391
ICMP-Message , type echo reply
1252982.851 X DATA[0238]
0000: 00 00 45 00 00 ec 26 06 00 ae 40 01 c9 3d 0a 13 ..E...&...@..=..
0010: 74 64 0a 13 01 96 65 66 67 68 69 6a 6b 6c 6d 6e td....efghijklmn
0020: 6f 70 71 72 73 74 opqrst
IP-Packet from 10.19.116.100 to 10.19.1.150 protocol ICMP Fragment: ID 9734 bytes 1392 ... 1607
19:14:29.530989 (authentic,confidential): SPI 0x10907845: (tos 0x0, ttl 126, id 20210, offset 0, flags [none], proto ICMP (1), length 1628, bad cksum 5d0f (->5d8f)!) 10.19.1.150 > 10.19.116.100: ICMP echo request, id 102, seq 16025, length 1608
19:14:29.599466 (authentic,confidential): SPI 0x07d35b41: (tos 0x0, ttl 63, id 3056, offset 0, flags [+], proto ICMP (1), length 1412) 10.19.116.100 > 10.19.1.150: ICMP echo reply, id 102, seq 16025, length 1392
19:14:29.599611 (authentic,confidential): SPI 0x07d35b41: (tos 0x0, ttl 63, id 3056, offset 1392, flags [none], proto ICMP (1), length 236) 10.19.116.100 > 10.19.1.150: icmp
-
The MSS clamping is doing exactly what you have it configured to do:
10.19.1.150.49902 > 192.168.165.77.80: Flags [s], cksum 0xc025 (correct), seq 1289560643, win 8192, options [mss 1200,nop,nop,sackOK]
There isn't any ability to allow/deny fragments on a per-rule basis, not sure what Ermal is referring to.
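A check for the point made above, added here as an example and not code from the thread or from pfSense: it parses verbose tcpdump lines of the kind quoted in this thread (the sample below is a constructed subset of that capture) and compares, per direction, the MSS a host was told in its peer's SYN with the largest TCP segment that host actually sent, adding up the IP fragment sizes for segments that arrived fragmented. It assumes a 20-byte IP header on tail fragments and keys by host pair rather than by connection, since every SYN in the capture carries the same clamped value.

```python
"""Does the far TCP stack honour the MSS it was told? (tcpdump -v parser)

Added example, not part of the original thread. A SYN's "options [mss N]"
tells the *other* side how large a segment it may send back; pf's
"max-mss 1200" rewrites that value in the SYN. If the peer still sends
larger segments, they exceed the tunnel MTU and show up on enc0 as IP
fragments: a first fragment with "flags [+]" and a tail with "offset 1392".
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the capture quoted in this thread.
SAMPLE = """\
14:39:08.757381 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6618, offset 0, flags [DF], proto TCP (6), length 48, bad cksum 704f (->714f)!) 10.19.1.150.49901 > 192.168.165.77.80: Flags [s], cksum 0xc5f6 (correct), seq 1740833165, win 8192, options [mss 1200,nop,nop,sackOK], length 0
14:39:08.798073 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19490, offset 0, flags [none], proto TCP (6), length 44) 192.168.165.77.80 > 10.19.1.150.49901: Flags [S.], cksum 0xd2c5 (correct), seq 2826592, ack 1740833166, win 1446, options [mss 1446], length 0
14:39:08.798794 (authentic,confidential): SPI 0x3bd016a4: (tos 0x0, ttl 126, id 6621, offset 0, flags [DF], proto TCP (6), length 644, bad cksum 6df8 (->6ef8)!) 10.19.1.150.49901 > 192.168.165.77.80: Flags [P.], cksum 0x5a60 (correct), seq 1:605, ack 1, win 65070, length 604
14:39:08.407301 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19449, offset 0, flags [+], proto TCP (6), length 1412) 192.168.165.77.80 > 10.19.1.150.49896: Flags [P.], seq 2348573:2349945, ack 707714766, win 1446, length 1372
14:39:08.413007 (authentic,confidential): SPI 0x0f45526b: (tos 0x0, ttl 63, id 19449, offset 1392, flags [none], proto TCP (6), length 94) 192.168.165.77 > 10.19.1.150: tcp
"""

# IP header part printed by tcpdump -v, followed by "src > dst:" (ports optional,
# because tail fragments carry no transport header and are printed without them).
HDR = re.compile(
    r"id (?P<id>\d+), offset (?P<off>\d+), flags \[(?P<ifl>[^\]]*)\], "
    r"proto TCP \(6\), length (?P<ilen>\d+).*?\) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\.\d+)? > (?P<dst>\d+(?:\.\d+){3})(?:\.\d+)?:"
)
TFLAGS = re.compile(r"Flags \[(?P<tfl>[^\]]*)\]")
MSS = re.compile(r"options \[[^\]]*\bmss (?P<mss>\d+)")
PAYLOAD = re.compile(r"length (?P<plen>\d+)$")   # trailing TCP payload length
IP_HDR_LEN = 20                                   # assumption: no IP options


def analyse(capture: str):
    """Return (told, largest).

    told[(sender, receiver)]    = MSS the receiver advertised to the sender
    largest[(sender, receiver)] = largest TCP payload the sender was seen to emit
    """
    told, largest, partial = {}, defaultdict(int), {}
    for line in capture.splitlines():
        m = HDR.search(line)
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        ip_id, off, ilen = int(m["id"]), int(m["off"]), int(m["ilen"])
        more_fragments = "+" in m["ifl"]
        key = (src, dst, ip_id)
        if off == 0:
            tf, pl = TFLAGS.search(line), PAYLOAD.search(line)
            if tf is None or pl is None:
                continue
            if "S" in tf["tfl"].upper():          # SYN or SYN-ACK
                mo = MSS.search(line)
                if mo:
                    # src advertises what *it* can receive: dst is the one told.
                    told[(dst, src)] = int(mo["mss"])
                continue                           # SYNs carry options, not data
            payload = int(pl["plen"])              # payload in this first fragment
            if more_fragments:
                partial[key] = payload             # wait for the tail fragment(s)
            else:
                largest[(src, dst)] = max(largest[(src, dst)], payload)
        elif key in partial:
            partial[key] += ilen - IP_HDR_LEN      # tail fragment is pure TCP data
            if not more_fragments:
                largest[(src, dst)] = max(largest[(src, dst)], partial.pop(key))
    return told, dict(largest)


def report(told, largest):
    """One row per direction: (sender, receiver, mss_told, largest_sent, verdict)."""
    rows = []
    for (sender, receiver), mss in sorted(told.items()):
        seen = largest.get((sender, receiver))
        if seen is None:
            verdict = "no data seen"
        elif seen <= mss:
            verdict = "ok"
        else:
            verdict = "EXCEEDS advertised MSS"
        rows.append((sender, receiver, mss, seen, verdict))
    return rows


if __name__ == "__main__":
    for sender, receiver, mss, seen, verdict in report(*analyse(SAMPLE)):
        print(f"{sender} -> {receiver}: told mss {mss}, largest sent {seen}: {verdict}")
```

On the quoted capture it flags the 192.168.165.77 to 10.19.1.150 direction: that host was told 1200 but sent 1446-byte segments, which is exactly the 1412 + 94 byte fragment pairs seen on enc0.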
-
I've had a similar problem in pfSense 1.23 where other VPN devices (Sonicwalls) worked fine. Through a site VPN to my work, I cannot get to certain internal web pages. I tried all manners of MSS, MTU and DF bit changes on pfSense to no avail. All other firewalls I tried worked fine. In the end, I had to just lower the MTU on my Windows machines in my home to make it work.
Not sure where the fix could be, but like I said, all other VPN enabled firewalls I've tried (Sonicwall, Cisco, Netscreen) worked fine.
-
I've had a similar problem in pfSense 1.23 where other VPN devices (Sonicwalls) worked fine. Through a site VPN to my work, I cannot get to certain internal web pages. I tried all manners of MSS, MTU and DF bit changes on pfSense to no avail. All other firewalls I tried worked fine. In the end, I had to just lower the MTU on my Windows machines in my home to make it work.
That's why we added MSS clamping for VPNs (which works fine).
-
Why does pfSense block fragmented PSH packets?
Or is there another reason? Small packets with PSH will pass.
1249669.492 X DATA[1414]
0000: 00 00 45 00 05 84 0b d1 20 00 40 06 bd be 0a 13 ..E..... .@.....
0010: 76 29 0a 13 01 96 00 50 c6 29 00 1a 50 ef 41 9e v).....P.)..P.A.
0020: 21 f0 50 18 05 a6 !.P...
IP-Packet from 10.19.118.41 to 10.19.1.150 protocol TCP Fragment: ID 3025 bytes 0 ... 1391
TCP-Message, sourceport 80 destinationport 50729 sequence number 1724655 acknowledgement number 1100882416 offset 5 flags ACK PSH window 1446 checksum 0x2809 urgent 0
1249669.500 X DATA[0096]
0000: 00 00 45 00 00 5e 0b d1 00 ae 40 06 e2 36 0a 13 ..E..^....@..6..
0010: 76 29 0a 13 01 96 69 64 74 68 3d 22 39 38 25 22 v)....idth="98%"
0020: 3e 0d 0a 3c 74 72 >..<tr
IP-Packet from 10.19.118.41 to 10.19.1.150 protocol TCP Fragment: ID 3025 bytes 1392 ... 1465