IRC disconnections due to fragment reassemble

horstefan

Hi,

Since a week or so im using Pfsense in a production environement and i'm encountering a serious issue
im using Pfsense to shield my windows vps server (both hosted on esxi5) with NAT enabled

users are connecting to irc (port 6667) fine, however sometimes this occurs, and the user is disconnected:

block
Aug 9 15:46:30 WAN xx.xx.96.234:55220 192.168.10.100:6667 TCP:RA
block
Aug 9 15:46:14 WAN xx.xx.96.234:55220 192.168.10.100:6667 TCP:PA
(goes on 10 times more)

after this the user reconnects without any further problems
when i click on more details, this shows up:

The rule that triggered this action is:

@1 scrub in on em1 all fragment reassemble
@1 block drop in log all label "Default deny rule"

i found an old topic discussing snapshot 2.0, however im running the latest version of pfsense.

is there a workaround or can this be fixed in an update?

Stefan

edit1:
version pfsense:
2.0.1-RELEASE (i386)
built on Mon Dec 12 17:53:52 EST 2011
FreeBSD 8.1-RELEASE-p6

jimp

That doesn't have anything to do with fragment reassemble, it just also happens to match the rule number that blocked it, 1.

http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F