fragments blocked - am I missing something?

[bb-mitch]

pfSense seems to have a similar / related issue: Bug #4723

What I am trying to do is capture UDP packets on the LAN - those packets should be reaching a remote service (albeit fragmented) as they are about 2000 bytes each. This is not my app or design - this is related to network monitoring and a function of network device hardware / firmware and beyond my control. So unfortunately "make the packets smaller" isn't an option ;-)

Ideally I want the packets passed out on the WAN, but I don't think they are arriving at their destination so I started working backwards.

To diagnose the issue - I tried doing a packet capture on the LAN interface. There is an allow rule, allowing the traffic and routing it to a gateway group. The packet capture reports that a packet was received, and reports a size around 1650 bytes, but when I download the packet capture it looks like only the first fragment was captured.

What I see in my capture is a fragmented IP packet (length 1514).

I never see the second fragment so I can't reassemble the packets in the capture.

I assume that IF the traffic isn't being blocked, that the outbound traffic is also likely missing the second fragment. That means of course that the end service never sees the traffic in a way that it can assemble / parse the data.

I've tried turning off scrubbing (System / Settings / Firewall/NAT / Disable Firewall Scrub). I've also tried checking "Clear invalid DF bits instead of dropping the packets" - that didn't help either. The firewall rules show TCP flag options - but no UDP flag options that might change the handling of UDP fragments...

Any ideas appreciated!

Thank you in advance!

[AdSchellevis]

Hi bb-mitch,

For 16.7 we have configurable scrub options on stack, so you can set you rules more fine grained (and set other options as well).
We could add another marker to "Disable automatic interface rules", if scrub causes your issue, you should be able to work your way around it then.

Best regards,

Ad

[bb-mitch]

Thanks Ad - we will take a look at that... I was looking on the mirrors and only see 16.1 - is there a different release method for the 16.7? I'll look more at it soon! I think the scrub is the issue - will look forward to trying those new settings out when I have a few to do the switch.

Thanks for the help :-) It's great to see some of the enhancements this new project is bringing.

Cheers,

Mitch

[Andreas]

Hi Mitch,
the Firmware version 16.7 will be relased in July. You could now test a Beta of 16.7.
How to test the Beta/Development Version https://forum.opnsense.org/index.php?topic=917.0

Forum to the 16.7 beta
https://forum.opnsense.org/index.php?board=20.0

Greets
andreas

[bb-mitch]

Thanks Andreas. Will give it a shot ASAP and follow up with results.
Cheers!

M

[AdSchellevis]

Hi Mitch,

After installing the development version, you probably want to add this patch as well (to disable all standard scrubbing).

https://github.com/opnsense/core/commit/c38a74bb9d0a21695df48787d247f968b99d1c44

easy to do from the command line :

Code: [Select]

opnsense-patch c38a74bb9d

Best regards,

Ad