Netgate Discussion Forum
    Firewall apparently dropping reply fragments

    Firewalling
    tseeley:

      Situation:

      linuxclient --> pfsense --> JuniperFW - - - (VPN) - - - JuniperFW --> DellDrac5

      The problem appears to be that pfsense is dropping replies to largish packets that have been fragmented in transit.  This has been tested using "ping -s 1419 -M dont"

      Having done some packet captures on both interfaces of the pfsense machine, I can see the pings going out and a fragmented reply returning (which pfsense appears to reassemble).  However at this point pfsense does 1 of 2 things:

      1. if scrubbing is left enabled, the reply packet is (presumably) scrubbed, and passed, however doing this mucks up the checksum and the client doesn't recognise it as a reply.

      2. if scrubbing is disabled the reply packet is dropped.

      I have a pcap file from the WAN interface if that helps.

      The scrubbing implies to me that pfsense thought that there was something wrong with the packet, but I don't know what. Could someone more BSD-leaning help me out?

      This pfsense cluster replaced a rather old and crusty Linux box which never had this problem.  I've been really impressed with pfsense so far and I would really like to solve this niggly problem.

      Thanks,

      Tom.

      paulwollner:

        Do you have checksum offloading enabled on your nic?

        If you do, outbound packets will fail cksum when viewed with tcpdump. The NIC should put the correct checksum in the packet, which happens after you see the packet with tcpdump. If you do a dump on the client machine, do you see a checksum problem on the received packet there?

        You can disable checksums using ifconfig. Something like: ifconfig bge0 -rxcsum -txcsum to see if that helps.

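As an added check (not code from this thread), a small Python script covering both the fragmented reply tseeley describes and the checksum point paulwollner raises: it builds a constructed ICMP echo reply carrying the 1419-byte "ping -s 1419" payload, fragments it at a 1400-byte boundary as a narrower VPN path would, reassembles the fragments the way a firewall does, and verifies the ICMP checksum of the result. The same verification run against the reassembled reply in the WAN pcap separates a reply that really is corrupt from a checksum that only looks wrong in a capture taken before NIC offload filled it in. Addresses, IP ID and payload bytes are placeholders.

```python
import struct
# Constructed sample: the 1419-byte payload of "ping -s 1419" in an echo reply,
# fragmented at a 1400-byte boundary as it would arrive over the narrower VPN path.
PING_DATA = bytes(range(256)) * 5 + bytes(139)       # 1419 bytes
SRC, DST = b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x01"  # placeholder addresses

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data; an odd trailing byte is padded with zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_reply(data: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """ICMP type 0 (echo reply) with a correctly computed checksum."""
    hdr = struct.pack("!BBHHH", 0, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 0, 0, ones_complement_sum(hdr + data), ident, seq) + data

def fragment(icmp: bytes, ip_id: int, chunk: int = 1400) -> list:
    """Split an ICMP message into IPv4 fragments (chunk must be a multiple of 8)."""
    frags = []
    for off in range(0, len(icmp), chunk):
        part = icmp[off:off + chunk]
        flags_frag = (0x2000 if off + chunk < len(icmp) else 0) | (off // 8)  # MF | offset/8
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(part), ip_id,
                          flags_frag, 64, 1, 0, SRC, DST)
        hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
        frags.append(hdr + part)
    return frags

def reassemble(frags: list) -> bytes:
    """Rebuild the ICMP message from the fragments of one datagram (same IP ID)."""
    pieces, total = {}, None
    for pkt in frags:
        ver_ihl, _, tlen, _, flags_frag = struct.unpack("!BBHHH", pkt[:8])
        off, more = (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000)
        pieces[off] = pkt[(ver_ihl & 0x0F) * 4:tlen]
        if not more:                       # the last fragment fixes the total length
            total = off + len(pieces[off])
    buf = bytearray(total)
    for off, part in pieces.items():
        buf[off:off + len(part)] = part
    return bytes(buf)

def icmp_checksum_ok(icmp: bytes) -> bool:
    """A valid ICMP checksum makes the whole message sum to zero."""
    return ones_complement_sum(icmp) == 0
```

If the checksum verifies on the reassembled reply but the client still ignores it, the damage happened after reassembly, which is where the scrub and offload settings discussed here come in.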
        sullrich:

          System -> Advanced has an option for disabling offload Csum.  Might be worth a shot to enable that option.
