answer-to automatic firewall rule generation issue

Started by danielm, June 24, 2020, 02:38:15 PM

Hello there, I think I am facing an issue with opnsense 20.1.
Situation is as follows: two sites connected via WireGuard VPN. I am pinging from one side to the other and waiting for an answer. The MTU of the WireGuard interface is 1400 on both sides.
The following problem occurs: when sending pings that result in packets bigger than 1400 bytes, naturally, the packet needs to be split. This is done correctly, and an answer comes back. This answer consists of multiple packets, which I expected would get merged together and sent back to the pinging machine.
The answer gets lost, though, because the firewall blocks it.
It seems it doesn't expect multiple packets and thus the default block rule for incoming stuff kicks in:

# ping -M dont -s 1372 -c 1 10.2.1.12
PING 10.2.1.12 (10.2.1.12) 1372(1400) bytes of data.
1380 bytes from 10.2.1.12: icmp_seq=1 ttl=62 time=40.5 ms

--- 10.2.1.12 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 40.587/40.587/40.587/0.000 ms
# ping -M dont -s 1373 -c 1 10.2.1.12
PING 10.2.1.12 (10.2.1.12) 1373(1401) bytes of data.

--- 10.2.1.12 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Now the firewall live log for this ping reveals why the answer doesn't come back, which you can see in the attachments. For all even bigger sizes, it looks the same.

Now since I'm not an expert, maybe I misunderstand something here but it looks wrong to me.
Maybe someone more knowledgeable can shed some light on this issue.
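The fragmentation behind the 1372/1373 boundary above, modelled as an added example (not code from the original post or from OPNsense): it computes how an echo reply of a given ping -s size is fragmented for a 1400-byte MTU and shows that only the first fragment carries the ICMP header a stateful filter can match, so the remaining fragments fall through to the default block unless the filter reassembles first. The constants IP_HDR and ICMP_HDR and the packet layout are assumptions (IPv4 without options, plain ICMP echo).

```python
from dataclasses import dataclass
from typing import List, Optional

IP_HDR = 20    # IPv4 header length without options (assumed)
ICMP_HDR = 8   # ICMP echo header: type, code, checksum, identifier, sequence


@dataclass
class Fragment:
    offset: int           # byte offset of this piece within the IP payload
    length: int           # bytes of IP payload carried by this fragment
    more_fragments: bool  # MF flag: another fragment follows

    @property
    def has_icmp_header(self) -> bool:
        # Only the fragment at offset 0 carries the ICMP type/id/seq fields
        # that a stateful filter uses to match a reply to its request.
        return self.offset == 0


def fragment(icmp_data_len: int, mtu: int) -> List[Fragment]:
    """Split an ICMP echo with icmp_data_len data bytes (the ping -s value)
    for a link with the given MTU. All fragments but the last carry a
    payload that is a multiple of 8 bytes, as IPv4 requires."""
    total = ICMP_HDR + icmp_data_len        # IP payload before fragmentation
    if total <= mtu - IP_HDR:
        return [Fragment(0, total, False)]  # fits in one packet
    max_chunk = (mtu - IP_HDR) // 8 * 8     # largest 8-aligned chunk per fragment
    frags, off = [], 0
    while off < total:
        chunk = min(max_chunk, total - off)
        frags.append(Fragment(off, chunk, off + chunk < total))
        off += chunk
    return frags


def reassemble(frags: List[Fragment]) -> Optional[int]:
    """Return the reassembled IP payload length, or None if pieces are missing."""
    ordered, expected = sorted(frags, key=lambda f: f.offset), 0
    for f in ordered:
        if f.offset != expected:
            return None                     # gap: cannot rebuild the datagram
        expected += f.length
    return expected if ordered and not ordered[-1].more_fragments else None


def filter_verdicts(frags: List[Fragment], reassemble_first: bool) -> List[str]:
    """Per-packet decision of a stateful filter that matches echo replies on the
    ICMP header. Without reassembly, non-first fragments carry no header,
    match no state and fall through to the default block rule."""
    if reassemble_first:
        return ["pass"] if reassemble(frags) is not None else ["block"]
    return ["pass" if f.has_icmp_header else "block" for f in frags]
```

In pf this is what a scrub rule's fragment reassembly provides; without it, a rule passing ICMP replies only ever sees the first fragment.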