General Discussion / how to get around bug in fragmented UDP packets?
« on: April 06, 2018, 09:01:07 am »
It appears that OPNSense (and its cousin PFSense) has a long-standing bug whereby if a UDP packet comes in that was fragmented because it exceeded 1500 bytes, then the packets are dropped by OPNSense, and not forwarded. There aren't many people sending UDP packets that big in the universe, because the whole point of UDP is to be a nice single packet, and fragmenting them makes you wonder why they aren't sending by TCP in the first place, but in telephony, SIP INVITE messages are sent via UDP, and sometimes, maybe 0.01% of the time, a SIP user agent (telephone) will have so many supported codecs that it goes slightly over the 1500 byte limit, and on its way out to the internet gets split into a 1500 byte and a 28 byte packet for example. OPNSense just doesn't seem to handle these right; I would hope that it would assemble the fragments, look over the packets and then send the two individual packets out again after they passed muster, or even just send them through, applying whatever rules to the disassembled pieces. I don't really care, but whatever it is doing, it is either dropping them or mangling them, and in our configuration, which is a transparent bridge mode, it isn't transparent at all... any help is appreciated. I suspect this is a bug in the underlying OS, and might not even be fixable in OPNSense.
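As an added example (not code from the post, from OPNsense or from pf), the following Python models the fragment-and-reassemble step the post asks the firewall to perform on a SIP INVITE that is just over the MTU: it splits the UDP datagram into IPv4 fragments and rebuilds it out of order, returning None while a piece is still missing. The SIP message, the 5060 ports and the padding are constructed sample values.

```python
import struct

MTU = 1500
IP_HLEN = 20      # IPv4 header without options
UDP_HLEN = 8
MF = 0x2000       # "more fragments" bit in the IPv4 flags/offset field

# Constructed SIP INVITE padded to 1500 bytes of payload: with the 8-byte UDP
# header it is 1508 bytes, i.e. just over the MTU as described in the post.
SIP_INVITE = b"INVITE sip:bob@example.invalid SIP/2.0\r\n".ljust(1500, b"x")

def udp_datagram(payload, sport=5060, dport=5060):
    """UDP header (checksum left 0) followed by the SIP message."""
    return struct.pack("!HHHH", sport, dport, UDP_HLEN + len(payload), 0) + payload

def fragment(udp, mtu=MTU):
    """Split a UDP datagram into IPv4 fragments of at most `mtu` bytes as
    (flags_offset, ip_total_len, data); only the first one carries the UDP ports."""
    chunk = (mtu - IP_HLEN) // 8 * 8       # fragment data must be a multiple of 8
    frags = []
    for off in range(0, len(udp), chunk):
        data = udp[off:off + chunk]
        more = MF if off + chunk < len(udp) else 0
        frags.append((more | off // 8, IP_HLEN + len(data), data))
    return frags

def reassemble(frags):
    """Rebuild the datagram from fragments in any order; None while any piece is
    missing. A filter must finish this before port rules can see the whole INVITE."""
    pieces, total = {}, None
    for flags_off, _ip_len, data in frags:
        off = (flags_off & 0x1FFF) * 8
        pieces[off] = data
        if not flags_off & MF:             # the last fragment fixes the total length
            total = off + len(data)
    if total is None:
        return None
    buf, pos = b"", 0
    while pos < total:
        if pos not in pieces:
            return None
        buf += pieces[pos]
        pos += len(pieces[pos])
    return buf

def demo():
    # Fragment sizes on the wire and whether out-of-order reassembly restores the INVITE.
    frags = fragment(udp_datagram(SIP_INVITE))
    return [f[1] for f in frags], reassemble(reversed(frags)) == udp_datagram(SIP_INVITE)
```

`demo()` returns `([1500, 48], True)`: a full 1500-byte first fragment and a 48-byte tail (20-byte IP header plus the last 28 bytes of UDP data), matching the two packets the post describes.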