Allow fragmented packets (for AT&T MicroCell to work) Please help.



  • Hello everyone,

    I've spent the last 2 days pulling my hair out trying to figure out why my AT&T MicroCell refuses to work behind pfSense, but works fine when plugged directly into the modem. The only thing I haven't been able to try is enabling fragmented packets; I just don't know how. Is there some way of doing this for a specific IP, or can it only be done globally? How is this done? Thank you very much for any help!

    These are all the requirements from AT&T to let this work. From what I gather it creates an IPsec tunnel and uses NAT-T, and somewhere along the line there is a problem with the IPsec tunnel caused by not allowing fragmented packets?

    Requirements from AT&T, from another post I found:

    DHCP is on
    MTU is set to 1492
    MAC address filtering is either turned off or allowing the MAC address of the AT&T 3G MicroCell
    IPSec Pass-Through is Enabled
    Block Fragmented Packets is Disabled
    TCP/UDP Ports
    NOTE: All ports listed need to be configured for inbound and outbound connections.
    123/UDP: NTP timing (NTP traffic)
    443/TCP: Https over TLS/SSL for provisioning and management traffic
    4500/UDP: IPSec NAT Traversal (for all signaling, data, voice traffic)
    500/UDP: IPSec Phase 1 prior to NAT detection (after NAT detection, 4500/UDP is used)
    4500/UDP: After NAT detection, 4500/UDP is used



  • I just installed IPFire on the same hardware just to test, and my MicroCell connected immediately. I'm really thinking this is the cause now. I really want to continue using pfSense but don't know how.



  • I also am using an AT&T MicroCell, but I don't have that option to allow fragmented packets. Mine works just fine.



  • @podilarius:

    I also am using an AT&T MicroCell, but I don't have that option to allow fragmented packets. Mine works just fine.

    I've spent a very long time googling this; the problem is hit and miss with pfSense users along with people using various other firewall appliances. The only commonly posted solution that actually seems to work is allowing packet fragmentation. I'm glad yours is working out of the box; mine refuses to.



  • Out of the box? Nah … it has traffic shaping on it. Not sure if that does anything with fragments, but that is the only extra thing I have going. I also have a VoIP VLAN running through pfSense. Once you set the option to clear DF bits instead of dropping, did it start working for you?



  • @podilarius:

    Out of the box? Nah … it has traffic shaping on it. Not sure if that does anything with fragments, but that is the only extra thing I have going. I also have a VoIP VLAN running through pfSense. Once you set the option to clear DF bits instead of dropping, did it start working for you?

    Nope. Clear DF bits, disable scrubbing, conservative firewall optimizations, manual outbound NAT with and without static port, forwarding all the required ports, setting MTU 1492 on WAN, disable hardware checksum offload: none of those options have done anything to help.
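    To make the "clear DF bits instead of dropping" discussion concrete, here is an added example (not code from anyone in this thread) that parses constructed IPv4/UDP headers and reports what a scrubbing firewall with WAN MTU 1492 does with an oversize NAT-T packet, with and without the DF bit cleared. The addresses, lengths and the `classify`/`build_ipv4` helpers are assumptions made up for the demonstration.

```python
import struct

WAN_MTU = 1492      # MTU from the AT&T requirements quoted in the thread
NAT_T_PORT = 4500   # UDP port carrying ESP after NAT detection (NAT-T)

def build_ipv4(payload_len, df=False, mf=False, offset=0, sport=4500, dport=NAT_T_PORT):
    """Build a constructed IPv4 + UDP packet (header fields only matter here).
    offset is the fragment offset in bytes; it is stored in 8-byte units."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (offset >> 3)
    total_len = 20 + 8 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                     64, 17, 0,                       # TTL, proto=UDP, checksum
                     bytes([192, 168, 1, 50]),        # constructed MicroCell LAN IP
                     bytes([203, 0, 113, 10]))        # constructed AT&T gateway IP
    udp = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    return ip + udp + b"\x00" * payload_len

def classify(pkt, mtu=WAN_MTU, clear_df=False):
    """Describe how a forwarding firewall treats pkt on an interface with this MTU.
    clear_df=True models pfSense's 'clear DF bit' scrub option: the packet is
    then fragmented instead of being dropped with ICMP 'fragmentation needed'."""
    ver_ihl, _, total_len, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    df = bool(flags_frag & 0x4000) and not clear_df
    mf = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8
    info = {"fragment": mf or offset > 0, "nat_t": False, "verdict": "pass"}
    # Only the first fragment carries the UDP header, so only it can be
    # identified as NAT-T; later fragments rely on fragment reassembly.
    if proto == 17 and offset == 0:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        info["nat_t"] = NAT_T_PORT in (sport, dport)
    if total_len > mtu:
        info["verdict"] = "drop (DF set, needs fragmentation)" if df else "fragment"
    return info

if __name__ == "__main__":
    big = build_ipv4(1480, df=True)   # 1508 bytes: fits LAN MTU 1500, not WAN 1492
    print("DF honoured :", classify(big))
    print("DF cleared  :", classify(big, clear_df=True))
    print("2nd fragment:", classify(build_ipv4(100, offset=1480)))
```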



  • One thing I also did on the microcell was to create a reservation in DHCP to make sure I know what IP it has for traffic shaping.
    What version of pfSense are you using? I have used my MicroCell under 1.2.3, 2.0.1, and 2.1 (all 32-bit). I did have some trouble with it in 1.2.3 with dropped calls. AT&T did have to make a change in the settings to stabilize it.



  • @podilarius:

    One thing I also did on the microcell was to create a reservation in DHCP to make sure I know what IP it has for traffic shaping.
    What version of pfSense are you using? I have used my MicroCell under 1.2.3, 2.0.1, and 2.1 (all 32-bit). I did have some trouble with it in 1.2.3 with dropped calls. AT&T did have to make a change in the settings to stabilize it.

    Sorry, I forgot to mention I created a static DHCP lease for the MicroCell; it's one of the first things I did. I'm running 2.0.1. Packet captures in Wireshark have been showing tons of fragmentation-related problems :( very similar to posts I've read regarding m0n0wall and IPsec, as well as others with MicroCells in my position who never posted solutions.



  • I had AT&T work with us to resolve stability issues. Perhaps setting the MSS on WAN to something lower than the WAN MTU would help. Perhaps to 1200 or 1000.



  • @podilarius:

    I had AT&T work with us to resolve stability issues. Perhaps setting the MSS on WAN to something lower than the WAN MTU would help. Perhaps to 1200 or 1000.

    I really appreciate the help, thank you. I'm running the amd64 build; on the off chance I'm encountering some insane bug I'll give i386 a shot. Figure it can't hurt. I'll also try playing with the MSS, and I just found the option for setting MSS on VPN traffic under Advanced > Misc, so I'll try that as well.



  • I wanted to post a follow-up to this: I found my solution. Switching to the i386 version of pfSense solved everything. Out of the box, 0 configuration options changed, the MicroCell just connects and works fine. I went crazy with every option I could think of on 2 different installs of the 64-bit pfSense, so my uneducated guess is that there is a bug with the 64-bit build that affects this somehow. Hopefully this helps someone in the future!



  • I have a customer with the 64-bit version of 2.1 working with a MicroCell just fine. Might be a solution for you…



  • @chpalmer:

    I have a customer with the 64-bit version of 2.1 working with a MicroCell just fine. Might be a solution for you…

    I'll give this a shot when 2.1 is pushed to stable, but until then I don't really have any need for 64-bit. I just default to 64-bit for everything in general and didn't really think there would be any downsides.

