pfSense bugtracker (https://redmine.pfsense.org/)
pfSense - Bug #10189: pfsense calculates wrong ip header checksum when reassambling packages with different mtu
https://redmine.pfsense.org/issues/10189?journal_id=44239 2020-01-17T07:47:44Z Jim Pingle
<ul><li><strong>Category</strong> changed from <i>Routing</i> to <i>Interfaces</i></li><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li></ul><p>You'll need to try reproducing that on bare FreeBSD (and FreeBSD+pf) -- Odds are that isn't caused by anything specific to pfSense, so it needs to be raised upstream. If it works OK on FreeBSD+pf and not an equivalent version of pfSense, then it's something we can look into.</p>
https://redmine.pfsense.org/issues/10189?journal_id=44260 2020-01-20T03:21:39Z Stefan Mark
<p>I tried to reproduce this with different FreeBSD versions:<br />- 13.0 : OK<br />- 11.2 : Fails<br />- 9.3 : OK</p>
<p>It seems that a bug was introduced between 9.3 -> 11.2 and fixed between 11.2 -> 13.0.</p>
<p>Here are the steps I did on a FreeBSD system (live system):<br />ifconfig em0 10.0.0.1/24<br />ifconfig em1 10.1.0.1/24<br />service pf onestart<br />service pflog onestart<br />echo "scrub in all" > /tmp/pf<br />pfctl -e<br />pfctl -f /tmp/pf<br />sysctl net.inet.ip.forwarding=1</p>
<p>I hope this will help you to find the bug and fix it in the next pfSense release.</p>
https://redmine.pfsense.org/issues/10189?journal_id=44262 2020-01-20T06:38:13Z Jim Pingle
<p>Have you also tried on pfSense 2.4.5 and 2.5.0 snapshots to see if it persists there as well?</p>
https://redmine.pfsense.org/issues/10189?journal_id=44264 2020-01-20T07:04:52Z Stefan Mark
<p>No, I haven't tried these versions yet and currently don't have time to do more investigation.<br />If 2.4.5 becomes stable we'll update our pfSense firewalls and I'll be able to check if the bug is fixed.</p>
<p>When looking into the release notes of 2.4.5 I don't see anything that may correct the error, but the following 2 points in the release notes of 2.4.4 (<a class="external" href="https://docs.netgate.com/pfsense/en/latest/releases/2-4-4-new-features-and-changes.html">https://docs.netgate.com/pfsense/en/latest/releases/2-4-4-new-features-and-changes.html</a>) may have introduced the bug:<br /><a class="external" href="https://www.freebsd.org/security/advisories/FreeBSD-SA-18:08.tcp.asc">https://www.freebsd.org/security/advisories/FreeBSD-SA-18:08.tcp.asc</a><br /><a class="external" href="https://www.freebsd.org/security/advisories/FreeBSD-SA-18:10.ip.asc">https://www.freebsd.org/security/advisories/FreeBSD-SA-18:10.ip.asc</a></p>
https://redmine.pfsense.org/issues/10189?journal_id=44265 2020-01-20T07:24:45Z Jim Pingle
<p>If it's fixed in 13, there is a possibility that the fix was MFCd from 13 to 12-STABLE and back to 11-STABLE. 2.4.5 is built from 11-STABLE at a point after 11.3, so if the fix was brought back that far, it may be included.</p>
https://redmine.pfsense.org/issues/10189?journal_id=44334 2020-01-25T06:42:27Z Danilo Zrenjanin
<p>I replicated the issue on SG-1100 2.4.4-p3, following the steps from the description. Ping was failing when the packet size was set to 1450 (ping &lt;ip of B&gt; -s 1450) and host A MTU was set to 1400. Host A and host B were connected to different interfaces (no VLANs).</p>
<p>After upgrade to 2.4.5-DEVELOPMENT, ping started to work using the same setup!</p>
https://redmine.pfsense.org/issues/10189?journal_id=44337 2020-01-25T08:57:40Z Jim Pingle
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li><li><strong>Target version</strong> set to <i>2.4.5</i></li></ul><p>Great, so it looks like the issue is resolved in FreeBSD. I'll close this for now.</p>
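<p>An added example, not part of the original thread or of pfSense/FreeBSD code: a checker for the IPv4 header checksum (RFC 1071) that can be applied to headers captured on either side of the firewall when retesting the <code>ping -s 1450</code> / MTU 1400 case. The host addresses, the IP ID and the stale-checksum header are constructed for illustration; the thread does not state the actual root cause.</p>

```python
import socket
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 1071 checksum: ones'-complement sum of the header's 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(src, dst, ident, payload_len, offset, more_frags):
    """20-byte IPv4 header (no options, protocol 1 = ICMP) with a valid checksum."""
    frag_field = (0x2000 if more_frags else 0) | (offset // 8)
    fields = [0x45, 0, 20 + payload_len, ident, frag_field, 64, 1, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)

def header_ok(header: bytes) -> bool:
    """A header with a correct checksum sums to 0xFFFF, so the check yields 0."""
    ihl = (header[0] & 0x0F) * 4
    return len(header) >= ihl >= 20 and ip_checksum(header[:ihl]) == 0

def fragment_plan(payload_len, mtu, ihl=20):
    """(offset, length, more_fragments) per fragment; offsets are multiples of 8."""
    step = (mtu - ihl) // 8 * 8
    return [(off, min(step, payload_len - off), off + step < payload_len)
            for off in range(0, payload_len, step)]

# Constructed sample: `ping -s 1450` = 1450 data bytes + 8-byte ICMP header.
SRC, DST = "10.0.0.2", "10.1.0.2"    # hypothetical hosts A and B
PLAN = fragment_plan(1450 + 8, 1400)
FRAGS = [build_header(SRC, DST, 0x1234, n, off, mf) for off, n, mf in PLAN]

# Constructed bad header: length and fragment fields rewritten as for the
# reassembled 1478-byte packet, checksum left untouched (illustration only;
# the page does not state the actual root cause).
first = FRAGS[0]
STALE = first[:2] + struct.pack("!HHH", 20 + 1458, 0x1234, 0) + first[8:]

if __name__ == "__main__":
    for name, hdr in [("frag0", FRAGS[0]), ("frag1", FRAGS[1]), ("stale", STALE)]:
        print(name, hdr.hex(), "OK" if header_ok(hdr) else "BAD CHECKSUM")
```

<p>A receiver silently drops any packet whose header fails this check, which matches the symptom of ping getting no reply even though packets are leaving the firewall.</p>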