PS4, IP Fragmentation, and Suricata



  • Hello Everyone,

    I recently decided to shift my router usage to a pfSense based system. Since my office is at home, I need the router to support both business and home oriented usage. This means security without blocking usage.

    I was able to set up vanilla pfSense 2.2.2 with everything (apparently) working correctly, even multiplayer video gaming. (Though I'm still not sure if voice chat is working with a Playstation 4.) So the next step was to add security. So I decided to add the Suricata package (2.1.5). Following guides I found, I set it up to use the following rule sets:

    • ETOpen

    • Snort VRT Free (Registered)

    • Snort Community

    Lacking any kind of guidance on exactly which rules to use, I just went ahead and enabled them all. Most things seem to be running correctly, but not all.

    Last night I was playing Destiny and realized that I had not seen a single other player for more than an hour. What triggered that realization was that I had gone to the social area where there are always other players around. Obviously it was adding Suricata that caused the problem.

    After more troubleshooting, I found that the PS4 is reporting that the NAT type is 2 (as it should be), but it's also reporting that IP packet fragmentation is being blocked, which could have a negative effect on games. So apparently Sony considers that to be a feature they explicitly make use of. But all I've been able to find on the subject is that it's a security problem, thus the obvious reason for Suricata blocking it.

    So my question is, how do I solve this? Are there specific rules I can (or should) disable? Can I tell Suricata to let everything through to a particular address? (The game consoles are assigned a static internal IP address.) Any other suggestions?

    Thanks for the help. (Some of which I've already gotten by reading other posts!)



  • Apparently this is a difficult issue. Does anyone know where I can get these answers?



  • No suggestions at all?  ???

    That's very discouraging.  :(



  • Have you tried adding the IP address for your PS4 to a whitelist in Suricata?


  • LAYER 8 Global Moderator

    This thread is from June..  That error message is so generic it's pathetic.. Could be a problem with a double NAT on the OP's part, could be an MTU issue?  Could be an ISP issue, could be an issue with connectivity between him and PSN.. Or sure, it could be Suricata causing his issue and the IP frag message has nothing to do with it at all.

    But again this is over 5 months old, I would think the OP figured it out and didn't care enough to update the thread for any other schmuck having the issue and finding this thread..  That OP has 3 whole posts, all in this thread….



  • No, I was never able to figure it out. I've been running without Suricata.  :(


  • Banned

    @EWTHeckman:

    No, I was never able to figure it out.

    No wonder. With an approach like

    Lacking any kind of guidance on exactly which rules to use, I just went ahead and enabled them all.

    you sure like hell are way better off without running the package. This is NOT how it works. It ain't click click enable done forget it stuff. Never has been, never will be.



  • @doktornotor:

    you sure like hell are way better off without running the package. This is NOT how it works. It ain't click click enable done forget it stuff. Never has been, never will be.

    Which is why I needed—and asked for(!)—help. And now, after many months, you guys are dumping on me for doing that. Great, just great.


  • Banned

    @EWTHeckman:

    Which is why I needed—and asked for(!)—help.

    You will NOT get any instant recipe either. It's just NOT how it works. Read the IDS/IPS forum, invest time in reading, learning, getting the info to get rid of the most common false positives, then you can go on with tuning the thing. You should run it for a couple of weeks without any blocking, study the alerts/logs and keep modifying the configuration.

    "Hey tell me how do I do it" won't work. What works for me won't work for you - I for instance do exactly ZERO gaming. You need a different kind of rules for a gaming rig, you need something different for running a webserver farm behind Snort/Suricata.
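    An added example, not code from the thread or from the pfSense/Suricata packages: a small Python helper that reads Suricata's EVE JSON alert output, counts which signatures fired for one host (a constructed console address, 192.168.1.50), and drafts threshold.config suppress entries for the repeat offenders, so that after the weeks of alert-only running recommended above a rule can be silenced for just that host instead of disabled globally. The records and SIDs are constructed sample data.

```python
import json
from collections import Counter

# Constructed sample EVE JSON (newline-delimited), not real output from the thread.
# 192.168.1.50 stands in for the console's static address; SIDs 22000xx are made up.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"192.168.1.50","dest_ip":"203.0.113.10","alert":{"gid":1,"signature_id":2200001,"signature":"EXAMPLE fragmented udp"}}
{"event_type":"flow","src_ip":"192.168.1.50","dest_ip":"203.0.113.10"}
{"event_type":"alert","src_ip":"192.168.1.50","dest_ip":"203.0.113.10","alert":{"gid":1,"signature_id":2200001,"signature":"EXAMPLE fragmented udp"}}
{"event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.168.1.50","alert":{"gid":1,"signature_id":2200002,"signature":"EXAMPLE inbound probe"}}
{"event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.10","alert":{"gid":1,"signature_id":2200003,"signature":"EXAMPLE other host"}}
this line is not JSON and must be skipped
"""

def parse_eve_alerts(text):
    """Yield alert records from EVE JSON text; skip blank, malformed and non-alert lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert" and "alert" in rec:
            yield rec

def alerts_for_host(text, host):
    """Count alerts involving host, keyed by (gid, sid, signature, track), where
    track is the threshold.config direction that would match this host."""
    counts = Counter()
    for rec in parse_eve_alerts(text):
        a = rec["alert"]
        if rec.get("src_ip") == host:
            track = "by_src"
        elif rec.get("dest_ip") == host:
            track = "by_dst"
        else:
            continue
        counts[(a["gid"], a["signature_id"], a["signature"], track)] += 1
    return counts

def suppress_lines(counts, host, min_hits=2):
    """Draft threshold.config suppress entries for signatures that fired at least
    min_hits times for host. Each entry silences that rule for this one address only;
    read the signature text before installing the line."""
    return [
        f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {host}"
        for (gid, sid, _sig, track), n in counts.most_common()
        if n >= min_hits
    ]

if __name__ == "__main__":
    c = alerts_for_host(SAMPLE_EVE, "192.168.1.50")
    for (gid, sid, sig, track), n in c.most_common():
        print(f"{n:4d}  {gid}:{sid}  {track}  {sig}")
    print("\n".join(suppress_lines(c, "192.168.1.50")))
```

Point it at the real eve.json (or the alerts log the pfSense package writes) and the console's actual address; the drafted lines go into the threshold/suppress configuration the package exposes, one signature at a time.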

