Topic: [SOLVED] NAT not working on fragmented packets?

grl
[SOLVED] NAT not working on fragmented packets?
« on: October 31, 2017, 04:35:35 pm »
Hi!
I discovered that communication with IP packets over a certain size would not work.
I have a pfSense box opening a tunnel, and traffic over that tunnel would stop if the packet size was over a certain size. As the tunnel has an MTU < 1500, that happens quite frequently.

To narrow down the problem I made a test setup:

    192.168.12.0/24 - [pfSense box] - 10.11.38.0/24 - [another router] - internet
In the 10.11.38.0/24 subnet I added a box running tcpdump to see what's going on after the pfSense box.

There I discovered that for fragmented packets no NAT is done.

A tcpdump for a `ping -s 1000 8.8.8.8` shows:

    22:20:50.570676 IP 10.11.38.253 > 8.8.8.8: ICMP echo request, id 58688, seq 1, length 1008
    22:20:50.622136 IP 8.8.8.8 > 10.11.38.253: ICMP echo reply, id 58688, seq 1, length 1008

and for `ping -s 1500 8.8.8.8` I get:

    22:20:47.426244 IP 192.168.12.101 > 8.8.8.8: ICMP echo request, id 19580, seq 4, length 1480
    22:20:47.426257 IP 192.168.12.101 > 8.8.8.8: ip-proto-1

So why is there no NAT in the second case? Does anyone have a hint?
And how do I get that working?

Thanks
Lukas
« Last Edit: November 01, 2017, 07:29:21 am by grl »

johnpoz (Not a pfSense employee, they cannot fire me...)
Re: NAT not working on fragmented packets?
« Reply #1 on: November 01, 2017, 04:02:19 am »
> opening a tunnel and traffic over that tunnel

What kind of tunnel? IPsec, OpenVPN?

What are the rules you have set to send traffic down the tunnel? Have you changed the automatic outbound NAT rules? My guess is yes if you set up a tunnel.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x 2.4.1-RELEASE on VM esxi 6.5 (home)

grl
Re: NAT not working on fragmented packets?
« Reply #2 on: November 01, 2017, 05:55:55 am »
> "opening a tunnel and traffic over that tunnel"
>
> What kind of tunnel? IPsec, OpenVPN?

The original setup is PPPoE, but for the test setup above I removed it. So for 192.168.12.0/24 - [pfSense box] - 10.11.38.0/24 it's just plain Ethernet, MTU 1500 (no MTU set at all, so it defaults to 1500).

> What are the rules you have set to send traffic down the tunnel? Have you changed the automatic outbound NAT rules? My guess is yes if you set up a tunnel.

For the test I tried it with "Hybrid Outbound NAT", so using an automatic rule, and with setting a manual Outbound NAT with Protocol any, Source 192.168.12.0/24, Destination any, Address Interface Address.

regards
Lukas

johnpoz
Re: NAT not working on fragmented packets?
« Reply #3 on: November 01, 2017, 07:31:06 am »
My pfSense setup is a bit of a mess currently, so I cannot easily test this. But if I find time today I will fire up a pfSense VM and try to duplicate the issue you're seeing.

edit: Did I miss a post? Why do you have it marked [solved] if you're still seeing this issue? If solved, what was the solution to why you were seeing this?

grl
Re: [SOLVED] NAT not working on fragmented packets?
« Reply #4 on: November 01, 2017, 07:32:23 am »
Found the problem. Shame on me, my own fault.

After setting up a second box from scratch and comparing the settings, I found that the "Disables the PF scrubbing option" in System / Advanced / Firewall & NAT was set.

I don't know why it was set, but as only I had my fingers on that box it must have been me...

Thanks,

Lukas

[EDIT: Thanks johnpoz, just found the solution the same time you posted your offer to test it.]
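A small check for the symptom shown in the captures above, written as an added example for this thread (it is not code either poster provided): it parses tcpdump lines taken on the outside segment and flags any packet whose source is still a LAN address, marking non-initial fragments, which tcpdump prints as "ip-proto-1" because they carry no ICMP header. The 192.168.12.0/24 LAN and the four sample lines come from the posts above; everything else is assumed.

```python
import ipaddress
import re

# Sample input: the four tcpdump lines posted in the thread, captured on the
# 10.11.38.0/24 segment, i.e. outside the pfSense box, where every packet from
# the LAN should already carry the translated 10.11.38.253 source address.
CAPTURE = """\
22:20:50.570676 IP 10.11.38.253 > 8.8.8.8: ICMP echo request, id 58688, seq 1, length 1008
22:20:50.622136 IP 8.8.8.8 > 10.11.38.253: ICMP echo reply, id 58688, seq 1, length 1008
22:20:47.426244 IP 192.168.12.101 > 8.8.8.8: ICMP echo request, id 19580, seq 4, length 1480
22:20:47.426257 IP 192.168.12.101 > 8.8.8.8: ip-proto-1
"""

# Inside network that must never show up as a source on the outside capture.
LAN = ipaddress.ip_network("192.168.12.0/24")

# tcpdump's default IPv4 line; the optional ".port" suffix lets TCP/UDP lines
# such as "10.11.38.253.51234 > 8.8.8.8.53: ..." parse as well.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<info>.*)$"
)


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None for non-IPv4 lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    info = m.group("info")
    return {
        "ts": m.group("ts"),
        "src": ipaddress.ip_address(m.group("src")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "info": info,
        # tcpdump prints "ip-proto-N" when no transport header is present to
        # decode; on a non-initial fragment there is none, so this flags tails.
        "fragment_tail": info.startswith("ip-proto-"),
    }


def find_untranslated(capture, lan=LAN):
    """Return outbound packets whose source is still an inside (LAN) address."""
    return [
        pkt
        for pkt in map(parse_line, capture.splitlines())
        if pkt is not None and pkt["src"] in lan
    ]
```

Run against a live `tcpdump -n` capture on the outside interface, any hit means a LAN address left the firewall untranslated; in this thread both the first fragment and the tail did, which matches scrubbing (and with it reassembly) being disabled.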

johnpoz
Re: [SOLVED] NAT not working on fragmented packets?
« Reply #5 on: November 01, 2017, 07:34:09 am »
Ah, thanks for the update. Off the top of my head, not sure why it would do that though... hmmmm.

If I had to guess, it's related somehow to this:
https://redmine.pfsense.org/issues/4723
« Last Edit: November 01, 2017, 07:38:51 am by johnpoz »