Messages - CodingFiend

#1
It appears that OPNSense (and its cousin PFSense) has a long-standing bug whereby if a UDP packet comes in that was fragmented because it exceeded 1500 bytes, then the packets are dropped by OPNSense and not forwarded. There aren't many people sending UDP packets that big in the universe, because the whole point of UDP is to be a nice single packet, and fragmenting them makes you wonder why they aren't sending by TCP in the first place. But in telephony, SIP INVITE messages are sent via UDP, and sometimes, maybe 0.01% of the time, a SIP user agent (telephone) will have so many supported codecs that it goes slightly over the 1500 byte limit, and on its way out to the internet gets split into a 1500 byte and a 28 byte packet, for example. OPNSense just doesn't seem to handle these right; I would hope that it would assemble the fragments, look over the packets and then send the two individual packets out again after they passed muster, or even just send them through, applying whatever rules to the disassembled pieces. I don't really care, but whatever it is doing, it is either dropping them or mangling them, and in our configuration, which is a transparent bridge mode, it isn't transparent at all... any help is appreciated. I suspect this is a bug in the underlying OS, and might not even be fixable in OPNSense.
#2
I am getting a 1507 byte UDP packet, and as I set up OPNSense as a transparent bridge, my igb0 and igb1 ethernet ports were set at the typical 1500 byte limit. But when a 1507 UDP packet comes in as a fragmented packet, the firewall ends up truncating the packet. Do I need to set the bridge port (I think called OPT1) to have an MTU of 1492? I can't find any examples of how to do this correctly, and clearly I am getting screwed because I don't have the parameters set just right. Or do you set the MTU to 9000 across the board? TCP doesn't have this problem because TCP has a mechanism for determining MTU on a path, but UDP is a one shot, one way ticket on the information superhighway, so you gotta be careful... or is this just a known bug in OPNSense whereby fragmented UDP packets are not handled correctly, and are silently truncated?

Surely I can't be the first person to bump against this. A prize to whomever helps me resolve this.
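As an added illustration (not code from the posts above, and not OPNsense or FreeBSD code), the following Python script models what both posts describe: a UDP datagram larger than the 1500-byte MTU is split into IPv4 fragments under the RFC 791 rules, and a firewall that wants to look at the UDP header or the SIP body has to reassemble those fragments first, because only the first fragment carries the UDP header at all. The 1507-byte datagram length, the SIP ports and the documentation-range addresses are constructed sample values, and `demo()` also reproduces the symptom from post #2: when the trailing fragment never arrives, `reassemble()` reports the datagram as incomplete instead of handing back a shorter one.

```python
import struct
from collections import defaultdict

IP_HEADER_LEN = 20      # IPv4 header without options
UDP_HEADER_LEN = 8
MF_FLAG = 0x2000        # "more fragments" bit in the IPv4 flags/fragment-offset field


def fragment_sizes(udp_datagram_len, mtu=1500):
    """Plan how one IPv4 packet carrying a UDP datagram of udp_datagram_len bytes
    (UDP header included) is split at the given MTU. RFC 791 rules: every fragment
    except the last carries a multiple of 8 data bytes; offsets count 8-byte units."""
    max_data = (mtu - IP_HEADER_LEN) // 8 * 8
    plan, offset = [], 0
    while offset < udp_datagram_len:
        data_len = min(max_data, udp_datagram_len - offset)
        more = offset + data_len < udp_datagram_len
        plan.append({"ip_len": IP_HEADER_LEN + data_len, "data": data_len,
                     "offset": offset, "mf": more})
        offset += data_len
    return plan


def make_datagram(udp_datagram_len, src_port=5060, dst_port=5060):
    """Constructed SIP-like UDP datagram (8-byte header + padded INVITE text) of the requested length."""
    body = b"INVITE sip:alice@example.invalid SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    payload = (body * (udp_datagram_len // len(body) + 1))[:udp_datagram_len - UDP_HEADER_LEN]
    return struct.pack("!HHHH", src_port, dst_port, udp_datagram_len, 0) + payload


def build_fragments(udp_datagram, ip_id=0x1234, mtu=1500):
    """Emit raw IPv4 fragment packets for the datagram. Addresses are constructed
    documentation-range values; the IP checksum is left zero since nothing transmits these."""
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])
    packets = []
    for f in fragment_sizes(len(udp_datagram), mtu):
        flags_off = (MF_FLAG if f["mf"] else 0) | (f["offset"] // 8)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, f["ip_len"], ip_id, flags_off,
                          64, 17, 0, src, dst)   # protocol 17 = UDP
        packets.append(hdr + udp_datagram[f["offset"]:f["offset"] + f["data"]])
    return packets


def reassemble(packets):
    """Reassemble fragments keyed by (src, dst, id, proto), as a firewall must before it
    can inspect the UDP payload. Returns {key: datagram}, with None for any datagram that
    is incomplete (missing fragment, gap or overlap) rather than a truncated datagram."""
    parts = defaultdict(dict)    # key -> {byte offset: data}
    expected = {}                # key -> total length, known once the last fragment (MF=0) is seen
    for pkt in packets:
        vihl, _, ip_len, ip_id, flags_off, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
        key = (src, dst, ip_id, proto)
        offset = (flags_off & 0x1FFF) * 8
        data = pkt[(vihl & 0x0F) * 4:ip_len]
        parts[key][offset] = data
        if not flags_off & MF_FLAG:
            expected[key] = offset + len(data)
    result = {}
    for key, chunks in parts.items():
        buf = bytearray()
        for off in sorted(chunks):
            if off != len(buf):      # gap or overlap: cannot reconstruct safely
                buf = None
                break
            buf += chunks[off]
        ok = buf is not None and key in expected and len(buf) == expected[key]
        result[key] = bytes(buf) if ok else None
    return result


def demo(udp_datagram_len=1507, mtu=1500):
    """Split a datagram, reassemble all fragments, then retry with the trailing fragment lost."""
    datagram = make_datagram(udp_datagram_len)
    frags = build_fragments(datagram, mtu=mtu)
    full = reassemble(frags)
    truncated = reassemble(frags[:-1])    # the path when the last fragment is dropped
    return {
        "fragment_lengths": [len(p) for p in frags],
        "full_ok": list(full.values()) == [datagram],
        "truncated_ok": list(truncated.values()) == [datagram],
    }


if __name__ == "__main__":
    print(demo())
```

With the defaults the first fragment fills the whole 1500-byte MTU and the second carries the leftover data bytes behind its own 20-byte IP header; only when both reach `reassemble()` does the original datagram come back, and a capture showing the first fragment alone (MF bit set, offset 0) with no follow-up fragment is the pattern to look for when checking whether a bridge or firewall is the point where the tail goes missing.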