Clearing IP Do-Not-Fragment in Firewall Normalizations causes issues

Started by seed, January 24, 2024, 08:54:29 PM

I have the problem that clearing the DF-Bit using normalisation causes service disruptions.
Sites like Reddit or Github won't work any longer when "no-df" is set.

1. Go to: "Firewall: Settings: Normalization"
2. Click on "IP Do-Not-Fragment"
3. Browse to https://github.com/opnsense/core/ or try to read a reddit post.
4. Sites don't function as expected.

When directly connected to my router things work as expected. When "IP Do-Not-Fragment" is disabled everything works fine.
But enabling "IP Do-Not-Fragment" causes issues.

Please check on your own setup and report back. This bugs me.
I want all services to run at wire speed and therefore run this dedicated hardware configuration:

AMD Ryzen 7 9700x
ASUS Pro B650M-CT-CSM
64GB DDR5 ECC (2x KSM56E46BD8KM-32HA)
Intel XL710-BM1
Intel i350-T4
2x SSD with ZFS mirror
PiKVM for remote maintenance

private user, no business use

If you clear do not fragment that will essentially disable path MTU discovery. Possibly some intermediate system or the firewall of the services you try to use decides to drop fragments altogether.

This is common practice in ingress firewalls protecting web services.

May I ask why one would want to do that - clear DF, that is?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
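To illustrate the path MTU discovery point above, here is an added simulation (not from this thread or from OPNsense/pf): a constructed 1500-byte IPv4 packet crosses a hop with a 1400-byte MTU, once with DF intact and once after a "no-df"-style scrub that clears DF; the service-side ingress filter is assumed to drop all fragments.

```python
import struct

DF, MF = 0x4000, 0x2000   # IPv4 flag bits in the flags/fragment-offset field

def ip_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(total_len: int, flags_frag: int) -> bytes:
    """Constructed 20-byte IPv4 header (TCP, no options), checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                      64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def scrub_no_df(pkt: bytes) -> bytes:
    """Model of a 'no-df' scrub: clear DF, zero and recompute the header checksum."""
    flags_frag = struct.unpack("!H", pkt[6:8])[0] & ~DF
    hdr = pkt[:6] + struct.pack("!H", flags_frag) + pkt[8:10] + b"\x00\x00" + pkt[12:20]
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + pkt[20:]

def router_forward(pkt: bytes, link_mtu: int):
    """Hop with a smaller MTU: DF set -> drop + ICMP (PMTUD); DF clear -> fragment."""
    total_len, flags_frag = struct.unpack("!HH", pkt[2:4] + pkt[6:8])
    if total_len <= link_mtu:
        return [pkt]
    if flags_frag & DF:
        return "ICMP fragmentation-needed, MTU=%d" % link_mtu
    payload, frags, step = pkt[20:], [], (link_mtu - 20) // 8 * 8
    for off in range(0, len(payload), step):
        chunk = payload[off:off + step]
        more = MF if off + step < len(payload) else 0
        frags.append(build_ipv4(20 + len(chunk), more | (off // 8)) + chunk)
    return frags

def ingress_firewall(pkts):
    """Assumed service-side filter: keep only unfragmented packets (MF clear, offset 0)."""
    return [p for p in pkts if (struct.unpack("!H", p[6:8])[0] & 0x3FFF) == 0]

def simulate(no_df: bool, link_mtu: int = 1400):
    """ICMP text if PMTUD works, else the number of fragments that reach the service."""
    pkt = build_ipv4(1500, DF) + b"\x00" * 1480      # constructed sample packet
    if no_df:
        pkt = scrub_no_df(pkt)
    out = router_forward(pkt, link_mtu)
    return out if isinstance(out, str) else len(ingress_firewall(out))
```

With DF intact the sender receives the ICMP message and can retransmit at the path MTU; after the scrub the packet is fragmented and the assumed fragment-dropping filter lets none of it through, which is the silent stall the post describes.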