Bug #10493

filter_get_vpns_list() issues

Added by Viktor Gurov 3 months ago. Updated 2 months ago.

Status: New
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date: 04/23/2020
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.4.5
Affected Architecture:
Description

1) filter_get_vpns_list() returns only:
IPsec Mobile IPv4 subnet
IPsec site-to-site networks
OpenVPN client/server Tunnel Network / Remote Network IPv4
PPPoE server networks

but not:
IPsec Mobile IPv6 subnet
OpenVPN client/server Tunnel Network / Remote Network IPv6
L2TP VPN network

This is why the Snort/Suricata vpnaddresses option doesn't return a complete list of VPN networks,
see https://redmine.pfsense.org/issues/8688

2) Because filter_get_vpns_list() returns not only IPsec networks, the IPsec MSS clamping option will affect unnecessary VPN types.

History

#1 Updated by Jim Pingle 3 months ago

> 2) Because filter_get_vpns_list() returns not only IPsec networks, the IPsec MSS clamping option will affect unnecessary VPN types.

There are some people who rely on that behavior, so if it is altered, a means must be added to cover the other cases separately or to preserve the current behavior.

It is probably better to have a different setting for each type of VPN since they may have a different desired MSS value due to differences in overhead for each protocol. If we go that route, however, there should be a master setting to cover all VPNs with the current value.
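
The following is an added example and not pfSense's own code. It walks a pfSense-style config.xml, collects the VPN networks per VPN type, and shows two things from this thread: which networks a walk limited to the types listed in the report for 2.4.5 leaves out of a vpnaddresses-style list (and how that changes an IDS "is this address inside a VPN" test), and how a per-type MSS setting, as suggested in comment #1, would turn into separate pf scrub rules instead of one clamp over every VPN network. The XML element names are assumed from the pfSense config schema, the sample config and the MSS values are constructed, and the rule layout is illustrative, not what filter.inc generates.

```python
"""Added example, not pfSense code: per-type VPN network inventory from a
pfSense-style config.xml, the 2.4.5 subset described in this report, and
per-type pf max-mss scrub rules. Element names are assumed; XML is constructed."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config with one of each VPN type named in the report.
SAMPLE_CONFIG = """<pfsense>
  <ipsec>
    <client>
      <pool_address>10.99.0.0</pool_address><pool_netbits>24</pool_netbits>
      <pool_address_v6>fd00:99::</pool_address_v6><pool_netbits_v6>64</pool_netbits_v6>
    </client>
    <phase2>
      <mode>tunnel</mode>
      <remoteid><type>network</type><address>192.168.50.0</address><netbits>24</netbits></remoteid>
    </phase2>
  </ipsec>
  <openvpn>
    <openvpn-server>
      <tunnel_network>10.8.0.0/24</tunnel_network><tunnel_networkv6>fd00:8::/64</tunnel_networkv6>
      <remote_network>192.168.70.0/24</remote_network><remote_networkv6>fd00:70::/64</remote_networkv6>
    </openvpn-server>
  </openvpn>
  <l2tp><remoteip>10.77.0.1</remoteip><l2tp_subnet>24</l2tp_subnet></l2tp>
  <pppoes><pppoe><mode>server</mode><remoteip>10.66.0.1</remoteip><pppoe_subnet>24</pppoe_subnet></pppoe></pppoes>
</pfsense>"""

# Types the report says filter_get_vpns_list() covers in 2.4.5, and the ones
# for which it is said to return IPv4 only.
LEGACY_TYPES = {"ipsec_mobile", "ipsec_s2s", "openvpn", "pppoe"}
LEGACY_IPV4_ONLY = {"ipsec_mobile", "openvpn"}


def _net(address, netbits):
    """Normalise address/netbits to its network (host bits cleared), so a
    client range start such as 10.77.0.1/24 becomes 10.77.0.0/24."""
    return str(ipaddress.ip_network(f"{address}/{netbits}", strict=False))


def vpn_networks_by_type(xml_text):
    """Map VPN type -> set of CIDR strings, IPv4 and IPv6 alike."""
    root = ET.fromstring(xml_text)
    by_type = {t: set() for t in ("ipsec_mobile", "ipsec_s2s", "openvpn", "pppoe", "l2tp")}

    client = root.find("ipsec/client")  # mobile IPsec client pools (assumed keys)
    if client is not None:
        for addr, bits in (("pool_address", "pool_netbits"), ("pool_address_v6", "pool_netbits_v6")):
            if client.findtext(addr):
                by_type["ipsec_mobile"].add(_net(client.findtext(addr), client.findtext(bits)))
    for ph2 in root.findall("ipsec/phase2"):  # site-to-site phase 2 remote networks
        rid = ph2.find("remoteid")
        if ph2.findtext("mode") in ("tunnel", "tunnel6") and rid is not None and rid.findtext("type") == "network":
            by_type["ipsec_s2s"].add(_net(rid.findtext("address"), rid.findtext("netbits")))

    for path in ("openvpn/openvpn-server", "openvpn/openvpn-client"):
        for inst in root.findall(path):
            for key in ("tunnel_network", "tunnel_networkv6", "remote_network", "remote_networkv6"):
                for cidr in inst.findtext(key, "").split(","):  # remote networks may be comma lists
                    if cidr.strip():
                        by_type["openvpn"].add(str(ipaddress.ip_network(cidr.strip(), strict=False)))

    for pppoe in root.findall("pppoes/pppoe"):
        if pppoe.findtext("mode") == "server":
            by_type["pppoe"].add(_net(pppoe.findtext("remoteip"), pppoe.findtext("pppoe_subnet")))
    l2tp = root.find("l2tp")
    if l2tp is not None and l2tp.findtext("remoteip"):
        by_type["l2tp"].add(_net(l2tp.findtext("remoteip"), l2tp.findtext("l2tp_subnet")))
    return by_type


def vpn_networks(xml_text, legacy=False):
    """Flat set of VPN networks. legacy=True reproduces the 2.4.5 subset from
    the report: no L2TP, and IPv4 only for mobile IPsec and OpenVPN."""
    nets = set()
    for vpn_type, type_nets in vpn_networks_by_type(xml_text).items():
        if legacy and vpn_type not in LEGACY_TYPES:
            continue
        for n in type_nets:
            if legacy and vpn_type in LEGACY_IPV4_ONLY and ipaddress.ip_network(n).version == 6:
                continue
            nets.add(n)
    return nets


def missing_from_legacy(xml_text):
    """Networks a vpnaddresses list built the 2.4.5 way would not contain."""
    return vpn_networks(xml_text) - vpn_networks(xml_text, legacy=True)


def is_vpn_address(addr, nets):
    """Does addr fall inside any listed VPN network (the HOME_NET-style test an IDS makes)?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def mss_scrub_rules(by_type, mss_by_type):
    """pf 'scrub ... max-mss' lines with one MSS value per VPN type (the
    hypothetical per-type setting from comment #1); types without a value
    are left unclamped instead of inheriting the IPsec value."""
    rules = []
    for vpn_type, mss in sorted(mss_by_type.items()):
        for net in sorted(by_type.get(vpn_type, ())):
            rules.append(f"scrub from {net} to any max-mss {mss}")
            rules.append(f"scrub from any to {net} max-mss {mss}")
    return rules


if __name__ == "__main__":
    print("missing on 2.4.5:", sorted(missing_from_legacy(SAMPLE_CONFIG)))
    print("fd00:8::10 seen as VPN (2.4.5):", is_vpn_address("fd00:8::10", vpn_networks(SAMPLE_CONFIG, legacy=True)))
    for line in mss_scrub_rules(vpn_networks_by_type(SAMPLE_CONFIG), {"ipsec_mobile": 1400, "l2tp": 1360}):
        print(line)
```

Run against the sample config, the legacy subset drops both OpenVPN IPv6 networks, the mobile IPsec IPv6 pool and the L2TP range, so an IDS fed that list would treat a client on fd00:8::10 as an outside host; the per-type rule generator clamps only the types that were given a value, which is the behaviour change comment #1 asks to make explicit.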

#2 Updated by Viktor Gurov 2 months ago

This fix allows you to select which VPN types / IP protocols MSS clamping is applied to:
https://github.com/pfsense/pfsense/pull/4299

It also allows https://redmine.pfsense.org/issues/8013 to be resolved.

#3 Updated by Viktor Gurov 2 months ago

Also, I think it would be better to split "Advanced Firewall" into "Advanced Firewall" and "Packet Processing" sections:

Advanced Firewall:
Disable Firewall
Static route filtering
Disable Auto-added VPN rules
Disable reply-to
Disable Negate rules
Allow APIPA
Aliases Hostnames Resolve Interval
Check certificate of aliases URLs

Packet Processing:
IP Do-Not-Fragment compatibility
IP Random id generation
Firewall Optimization Options
VPN MSS Clamping
Disable Firewall Scrub
Firewall Adaptive Timeouts
Firewall Maximum States
Firewall Maximum Table Entries
Firewall Maximum Fragment Entries

#4 Updated by Viktor Gurov 2 months ago

It can also reduce the scope of #7815.
