OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: bb-mitch on June 09, 2016, 12:30:55 am

Title: fragments blocked - am I missing something?
Post by: bb-mitch on June 09, 2016, 12:30:55 am
pfSense seems to have a similar / related issue: Bug #4723

What I am trying to do is capture UDP packets on the LAN - those packets should be reaching a remote service (albeit fragmented) as they are about 2000 bytes each. This is not my app or design - this is related to network monitoring and a function of network device hardware / firmware and beyond my control. So unfortunately "make the packets smaller" isn't an option ;-)

Ideally I want the packets passed out on the WAN, but I don't think they are arriving at their destination so I started working backwards.

To diagnose the issue - I tried doing a packet capture on the LAN interface. There is an allow rule, allowing the traffic and routing it to a gateway group. The packet capture reports that a packet was received, and reports a size around 1650 bytes, but when I download the packet capture it looks like only the first fragment was captured.

What I see in my capture is a fragmented IP packet (length 1514).

I never see the second fragment so I can't reassemble the packets in the capture.

I assume that IF the traffic isn't being blocked, that the outbound traffic is also likely missing the second fragment. That means of course that the end service never sees the traffic in a way that it can assemble / parse the data.

I've tried turning off scrubbing (System / Settings / Firewall/NAT / Disable Firewall Scrub). I've also tried checking "Clear invalid DF bits instead of dropping the packets" - that didn't help either. The firewall rules show TCP flag options - but no UDP flag options that might change the handling of UDP fragments...

Any ideas appreciated!

Thank you in advance!
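To make the symptom concrete, the following is an added example (not code from this thread or from OPNsense) that fragments a constructed 2000-byte UDP datagram for a 1500-byte MTU, parses the resulting IPv4 fragments, and tries to reassemble with and without the second fragment. Addresses, ports and payload are made up for illustration. It shows why the first fragment alone is a 1500-byte IP packet (1514 bytes on the wire with the Ethernet header), why only that first fragment carries the UDP ports a filter rule can match on, and why a capture or a reassembling firewall that never sees the trailing fragment cannot deliver the datagram.

```python
"""IPv4 fragmentation and reassembly of an oversized UDP datagram.

Added example, not code from the forum thread. The addresses, ports and
2000-byte payload are constructed for illustration.
"""
import struct

ETH_HDR_LEN = 14      # a 1500-byte IP packet is a 1514-byte Ethernet frame, as seen in the capture
MTU = 1500
IP_HDR_LEN = 20
UDP_HDR_LEN = 8
IPPROTO_UDP = 17
MF = 0x2000           # "More Fragments" bit in the IPv4 flags/fragment-offset field
OFFSET_MASK = 0x1FFF


def checksum(data: bytes) -> int:
    """Internet (ones' complement) checksum as used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, ident, flags_off, payload_len, proto=IPPROTO_UDP, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len,
                      ident, flags_off, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def fragment_udp(src, dst, sport, dport, payload, ident, mtu=MTU):
    """Split one UDP datagram into IPv4 fragments the way a sending host does."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(payload), 0) + payload
    max_data = (mtu - IP_HDR_LEN) // 8 * 8   # all but the last fragment carry a multiple of 8 bytes
    frags, off = [], 0
    while off < len(udp):
        chunk = udp[off:off + max_data]
        more = off + len(chunk) < len(udp)
        flags_off = (MF if more else 0) | (off // 8)
        frags.append(ipv4_header(src, dst, ident, flags_off, len(chunk)) + chunk)
        off += len(chunk)
    return frags


def parse_fragment(pkt):
    ver_ihl, _, total, ident, flags_off, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:IP_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_off & OFFSET_MASK) * 8
    return {
        "key": (src, dst, ident, proto),
        "offset": offset,
        "more": bool(flags_off & MF),
        # only the first fragment carries the UDP header, so only it has ports a rule can match on
        "has_l4_header": offset == 0,
        "data": pkt[ihl:total],
    }


def reassemble(fragments):
    """Reassemble fragments of one datagram; returns the UDP segment, or None if any fragment is missing."""
    frags = sorted((parse_fragment(p) for p in fragments), key=lambda f: f["offset"])
    if not frags or len({f["key"] for f in frags}) != 1:
        return None
    buf, expected, saw_last = b"", 0, False
    for f in frags:
        if f["offset"] != expected:
            return None        # hole: an intermediate fragment was dropped or never captured
        buf += f["data"]
        expected += len(f["data"])
        saw_last = saw_last or not f["more"]
    return buf if saw_last else None     # no final fragment: the datagram can never be handed up


def udp_payload(segment):
    _, _, length, _ = struct.unpack("!HHHH", segment[:UDP_HDR_LEN])
    return segment[UDP_HDR_LEN:] if length == len(segment) else None


# Constructed sample: a 2000-byte monitoring datagram from 192.168.1.50 to 203.0.113.10
PAYLOAD = bytes(range(256)) * 7 + bytes(range(208))    # 7*256 + 208 = 2000 bytes
FRAGS = fragment_udp(bytes([192, 168, 1, 50]), bytes([203, 0, 113, 10]),
                     40000, 514, PAYLOAD, ident=0x1234)

if __name__ == "__main__":
    for f in FRAGS:
        p = parse_fragment(f)
        print("IP length %4d on-wire %4d offset %4d MF=%-5s ports visible=%s"
              % (len(f), len(f) + ETH_HDR_LEN, p["offset"], p["more"], p["has_l4_header"]))
    print("first fragment only ->", reassemble(FRAGS[:1]))
    print("both fragments      ->", udp_payload(reassemble(FRAGS)) == PAYLOAD)
```

With the constructed input this yields a 1500-byte first fragment (1514 on the wire) and a 548-byte second fragment at offset 1480; reassembly from the first fragment alone returns None, which is what pf's fragment reassembly also has to do when the trailing fragment never arrives. The second fragment carries no UDP header, so a port-based rule can only ever classify the first one; that is why pf normally reassembles before filtering.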
Title: Re: fragments blocked - am I missing something?
Post by: AdSchellevis on June 09, 2016, 07:58:44 pm
Hi bb-mitch,

For 16.7 we have configurable scrub options on stack, so you can set your rules more fine-grained (and set other options as well).
We could add another marker to "Disable automatic interface rules"; if scrub causes your issue, you should be able to work your way around it then.

Best regards,

Ad
Title: Re: fragments blocked - am I missing something?
Post by: bb-mitch on June 10, 2016, 12:40:43 am
Thanks Ad - we will take a look at that... I was looking on the mirrors and only see 16.1 - is there a different release method for the 16.7? I'll look more at it soon! I think the scrub is the issue - will look forward to trying those new settings out when I have a few to do the switch.

Thanks for the help :-) It's great to see some of the enhancements this new project is bringing.

Cheers,

Mitch
Title: Re: fragments blocked - am I missing something?
Post by: Andreas on June 10, 2016, 06:45:24 am
Hi Mitch,
the firmware version 16.7 will be released in July. You could now test a beta of 16.7.
How to test the Beta/Development Version https://forum.opnsense.org/index.php?topic=917.0

Forum to the 16.7 beta
https://forum.opnsense.org/index.php?board=20.0

Greets
andreas
Title: Re: fragments blocked - am I missing something?
Post by: bb-mitch on June 10, 2016, 07:59:19 am
Thanks Andreas. Will give it a shot ASAP and follow up with results.
Cheers!

M
Title: Re: fragments blocked - am I missing something?
Post by: AdSchellevis on June 10, 2016, 11:37:08 am
Hi Mitch,

After installing the development version, you probably want to add this patch as well (to disable all standard scrubbing).

https://github.com/opnsense/core/commit/c38a74bb9d0a21695df48787d247f968b99d1c44

easy to do from the command line :

Code:
opnsense-patch c38a74bb9d

Best regards,

Ad