IRC disconnections due to fragment reassemble



  • Hi,

    For a week or so I've been using pfSense in a production environment, and I'm encountering a serious issue.
    I'm using pfSense to shield my Windows VPS server (both hosted on ESXi 5) with NAT enabled.

    Users are connecting to IRC (port 6667) fine; however, sometimes this occurs, and the user is disconnected:

    block
    Aug 9 15:46:30 WAN xx.xx.96.234:55220 192.168.10.100:6667 TCP:RA
    block
    Aug 9 15:46:14 WAN xx.xx.96.234:55220 192.168.10.100:6667 TCP:PA
    (goes on 10 times more)

    After this the user reconnects without any further problems.
    When I click on more details, this shows up:

    The rule that triggered this action is:

    @1 scrub in on em1 all fragment reassemble
    @1 block drop in log all label "Default deny rule"

    I found an old topic discussing snapshot 2.0; however, I'm running the latest version of pfSense.

    Is there a workaround, or can this be fixed in an update?

    Stefan

    Edit 1:
    pfSense version:
    2.0.1-RELEASE (i386)
    built on Mon Dec 12 17:53:52 EST 2011
    FreeBSD 8.1-RELEASE-p6


  • Rebel Alliance Developer Netgate

    That doesn't have anything to do with fragment reassemble, it just also happens to match the rule number that blocked it, 1.

    http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F
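An added example for readers triaging the same symptom (not part of the thread and not pfSense code): it picks, from the "more details" output, the rule whose keyword can actually produce the logged action, and classifies each blocked TCP packet by its flags. The sample lines are constructed in the format shown above, with the "block" label joined onto each entry and documentation addresses substituted; the function names are hypothetical, and the flag check assumes pf's usual `flags S/SA` stateful TCP rules.

```python
import re

# Constructed sample input modelled on the post (addresses are placeholders).
RULE_DETAILS = '''@1 scrub in on em1 all fragment reassemble
@1 block drop in log all label "Default deny rule"'''

LOG_LINES = '''block Aug 9 15:46:30 WAN 203.0.113.10:55220 192.168.10.100:6667 TCP:RA
block Aug 9 15:46:14 WAN 203.0.113.10:55220 192.168.10.100:6667 TCP:PA
block Aug 9 15:47:02 WAN 203.0.113.77:40112 192.168.10.100:23 TCP:S'''

RULE_RE = re.compile(r'^@(\d+)\s+(\S+)\s+(.*)$')
LOG_RE = re.compile(
    r'^(block|pass)\s+(\w+\s+\d+\s+[\d:]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+TCP:([A-Z]+)$')


def rules_for(details, number, action):
    """Rules with this number whose keyword matches the logged action.

    Scrub rules and filter rules are numbered separately, so "@1" can appear
    twice; only a block/pass rule can be the source of a block/pass log entry.
    """
    matches = []
    for line in details.splitlines():
        m = RULE_RE.match(line.strip())
        if m and int(m.group(1)) == number and m.group(2) == action:
            matches.append(line.strip())
    return matches


def classify(flags):
    """Assumes flags S/SA: only SYN-without-ACK may create a new state."""
    if "S" in flags and "A" not in flags:
        return "new-connection"
    return "out-of-state"


def triage(log_text):
    """Return (src, dst, flags, class) for every parsable TCP log line."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            _action, _ts, _iface, src, dst, flags = m.groups()
            rows.append((src, dst, flags, classify(flags)))
    return rows


if __name__ == "__main__":
    print(rules_for(RULE_DETAILS, 1, "block"))
    for row in triage(LOG_LINES):
        print(row)
```

Entries classified as out-of-state arrived with no matching state entry and fell through to the default deny rule, which is a different case from a blocked new connection attempt.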

