Packets blocked with "IPx bad-hlen x"



  • Good time of the day!

    Noticed there is a problem with my Internet connection. Some websites won't open, some take an unusually long time to load. It turns out, the firewall sees lots of bad packets, blocking many of them:

    Apr 6 13:19:44	pf: 00:00:00.468621 rule 3..16777216/0(match): block in on pppoe0: IP13 bad-hlen 0
    Apr 6 13:19:44	pf: 00:00:00.000003 rule 5..16777216/0(match): block in on vmx1: truncated-ip6 - 65025 bytes missing!(class 0x08, flowlabel 0x311ff, hlim 0, next-header Options (0) payload length: 65152) ::494:e9b8:4733:7f1f:ff02:0 > ::fb:14e9:14e9: [|HBH]
    Apr 6 13:19:44	pf: 00:00:00.000005 rule 5..16777216/0(match): block in on bridge0: truncated-ip6 - 65025 bytes missing!(class 0x08, flowlabel 0x311ff, hlim 0, next-header Options (0) payload length: 65152) ::494:e9b8:4733:7f1f:ff02:0 > ::fb:14e9:14e9: [|HBH]
    Apr 6 13:19:44	pf: 00:00:00.441686 rule 5..16777216/0(match): block in on vmx1: truncated-ip6 - 65025 bytes missing!(class 0x08, flowlabel 0x311ff, hlim 0, next-header Options (0) payload length: 65152) ::494:e9b8:4733:7f1f:ff02:0 > ::fb:14e9:14e9: [|HBH]
    Apr 6 13:19:43	pf: 00:00:02.866999 rule 3..16777216/0(match): block in on pppoe0: IP6 , wrong link-layer encapsulationbad-hlen 16
    Apr 6 13:19:40	pf: 00:00:00.000003 rule 5..16777216/0(match): block in on vmx1: truncated-ip6 - 64537 bytes missing!(class 0x26, flowlabel 0xb11ff, hlim 0, next-header Options (0) payload length: 65152) ::494:e9b8:4733:7f1f:ff02:0 > ::fb:14e9:14e9: [|HBH]
    Apr 6 13:19:40	pf: 00:00:00.000007 rule 5..16777216/0(match): block in on bridge0: truncated-ip6 - 64537 bytes missing!(class 0x26, flowlabel 0xb11ff, hlim 0, next-header Options (0) payload length: 65152) ::494:e9b8:4733:7f1f:ff02:0 > ::fb:14e9:14e9: [|HBH]
    Apr 6 13:19:40	pf: 00:00:02.231246 rule 5..16777216/0(match): block in on vmx1: truncated-ip6 - 64537 bytes missing!(class 0x26, flowlabel 0xb11ff, hlim 0, next-header Options (0) payload length: 65152) ::494:e9b8:4733:7f1f:ff02:0 > ::fb:14e9:14e9: [|HBH]
    Apr 6 13:19:38	pf: 00:00:00.305554 rule 3..16777216/0(match): block in on pppoe0: IP12 bad-len 0
    --- snip ---
    Apr 6 13:15:58	pf: 00:00:00.224242 rule 3..16777216/0(match): block in on pppoe0: IP11 bad-hlen 12
    Apr 6 13:15:58	pf: 00:00:01.754476 rule 3..16777216/0(match): block in on pppoe0: IP2 bad-hlen 12
    Apr 6 13:15:56	pf: 00:00:00.178536 rule 3..16777216/0(match): block in on pppoe0: IP0 bad-hlen 0
    Apr 6 13:15:56	pf: 00:00:01.037411 rule 102..16777216/0(match): pass out on pppoe0: IP0 bad-hlen 0
    Apr 6 13:15:55	pf: 00:00:02.782820 rule 102..16777216/0(match): pass out on pppoe0: IP6 , wrong link-layer encapsulationbad-hlen 8
    Apr 6 13:15:52	pf: 00:00:00.037165 rule 3..16777216/0(match): block in on pppoe0: IP0 bad-hlen 0
    Apr 6 13:15:52	pf: 00:00:00.057242 rule 3..16777216/0(match): block in on pppoe0: IP11 bad-hlen 8
    Apr 6 13:15:52	pf: 00:00:01.900704 rule 102..16777216/0(match): pass out on pppoe0: IP5 bad-len 0
    Apr 6 13:15:50	pf: 00:00:01.213334 rule 3..16777216/0(match): block in on pppoe0: IP0 bad-hlen 0
    Apr 6 13:15:49	pf: 128.63.2.53 > 8.0.122.9: ip-proto-141
    Apr 6 13:15:49	pf: 00:00:00.912062 rule 102..16777216/0(match): pass out on pppoe0: IP5 truncated-ip - 16348 bytes missing! (tos 0xd7,CE, ttl 213, id 16129, offset 19080, flags [+, DF, rsvd], proto unknown (141), length 16384, options (unknown 187 [bad length 85]))
    Apr 6 13:15:48	pf: 00:00:04.768635 rule 3..16777216/0(match): block in on pppoe0: IP3 bad-len 0
    Apr 6 13:15:44	pf: 173.194.44.46 > 67.66.1.187: ip-proto-141
    Apr 6 13:15:44	pf: 00:00:00.057635 rule 102..16777216/0(match): pass out on pppoe0: IP10 truncated-ip - 16324 bytes missing! (tos 0x9c, ttl 213, id 16134, offset 22424, flags [DF], proto unknown (141), length 16384, options (unknown 33 [bad length 19]), bad cksum 9aaa (->f5e)!)
    Apr 6 13:15:43	pf: 00:00:02.272259 rule 102..16777216/0(match): pass out on pppoe0: IP1 bad-len 0
    Apr 6 13:15:41	pf: 195.140.195.61 > 8.0.217.19: ip-proto-141
    Apr 6 13:15:41	pf: 00:00:02.960174 rule 102..16777216/0(match): pass out on pppoe0: IP5 truncated-ip - 16348 bytes missing! (tos 0xb6,ECT(0), ttl 213, id 16129, offset 16608, flags [+, DF, rsvd], proto unknown (141), length 16384, options (unknown 134 [bad length 173]))
    Apr 6 13:15:38	pf: 199.7.91.13 > 8.0.111.87: ip-proto-141
    Apr 6 13:15:38	pf: 00:00:04.046507 rule 102..16777216/0(match): pass out on pppoe0: IP5 truncated-ip - 16348 bytes missing! (tos 0x8e,ECT(0), ttl 213, id 16129, offset 28624, flags [DF], proto unknown (141), length 16384, options (unknown 85 [bad length 147]))
    Apr 6 13:15:34	pf: 00:00:01.469478 rule 3..16777216/0(match): block in on pppoe0: IP11 bad-hlen 0
    Apr 6 13:15:33	pf: 00:00:00.681547 rule 3..16777216/0(match): block in on pppoe0: IP0 bad-hlen 0
    

    Tried googling the same kind of problem; the only advice I found is to disable TSO. Disabling TSO and even LRO didn't help, the problem persists.
    pfSense is running on ESXi 5.5U1, using VMXNET3 for NICs.
    Thanks in advance for any help!

    2.2-ALPHA (amd64)
    built on Thu Apr 3 01:45:59 CDT 2014



  • It seems that the issue is not with the driver, since the same errors appear when using an emulated E1000 NIC.
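
A triage aid for logs like the excerpt in the first post, added here as an example and not written by either poster: it parses the pf filter-log lines and tallies malformed-packet entries by interface, direction, action and reason, so that entries the firewall passed outbound stand out from those it blocked inbound. The regular expressions and field names are this example's own, fitted to the line format shown in the post.

```python
import re
from collections import Counter

# Sample entries taken from the log excerpt in the post above (tab after the timestamp).
SAMPLE = """\
Apr 6 13:19:44\tpf: 00:00:00.468621 rule 3..16777216/0(match): block in on pppoe0: IP13 bad-hlen 0
Apr 6 13:19:44\tpf: 00:00:00.000003 rule 5..16777216/0(match): block in on vmx1: truncated-ip6 - 65025 bytes missing!(class 0x08, flowlabel 0x311ff, hlim 0, next-header Options (0) payload length: 65152) ::494:e9b8:4733:7f1f:ff02:0 > ::fb:14e9:14e9: [|HBH]
Apr 6 13:19:43\tpf: 00:00:02.866999 rule 3..16777216/0(match): block in on pppoe0: IP6 , wrong link-layer encapsulationbad-hlen 16
Apr 6 13:15:56\tpf: 00:00:01.037411 rule 102..16777216/0(match): pass out on pppoe0: IP0 bad-hlen 0
Apr 6 13:15:52\tpf: 00:00:01.900704 rule 102..16777216/0(match): pass out on pppoe0: IP5 bad-len 0
Apr 6 13:15:49\tpf: 128.63.2.53 > 8.0.122.9: ip-proto-141
Apr 6 13:15:49\tpf: 00:00:00.912062 rule 102..16777216/0(match): pass out on pppoe0: IP5 truncated-ip - 16348 bytes missing! (tos 0xd7,CE, ttl 213, id 16129, offset 19080, flags [+, DF, rsvd], proto unknown (141), length 16384, options (unknown 187 [bad length 85]))
"""

# One filter-log entry: rule number, action, direction, interface, decoded detail.
ENTRY = re.compile(
    r"pf: \S+ rule (?P<rule>\d+)\.\.\S+: "
    r"(?P<action>block|pass) (?P<direction>in|out) on (?P<ifname>\S+): (?P<detail>.*)$"
)
# Decoder complaints seen in the excerpt; the longer alternative comes first.
REASON = re.compile(r"bad-hlen|bad-len|truncated-ip6|truncated-ip")

def parse(text):
    """Return one dict per rule-match line; continuation lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # e.g. "pf: a.b.c.d > e.f.g.h: ip-proto-141"
        entry = m.groupdict()
        reason = REASON.search(entry["detail"])
        entry["reason"] = reason.group(0) if reason else None
        entries.append(entry)
    return entries

def summarize(entries):
    """Count malformed-packet entries per (interface, direction, action, reason)."""
    return Counter((e["ifname"], e["direction"], e["action"], e["reason"])
                   for e in entries if e["reason"])

def passed_malformed(entries):
    """Malformed packets that matched a pass rule instead of being blocked."""
    return [e for e in entries if e["action"] == "pass" and e["reason"]]

if __name__ == "__main__":
    parsed = parse(SAMPLE)
    for key, count in sorted(summarize(parsed).items()):
        print(count, *key)
    print("passed despite being malformed:", len(passed_malformed(parsed)))
```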

