Bug #10493
open
filter_get_vpns_list() issues
Added by Viktor Gurov over 4 years ago.
Updated over 4 years ago.
Description
1) filter_get_vpns_list() returns only:
IPsec Mobile IPv4 subnet
IPsec site-to-site networks
OpenVPN client/server Tunnel Network / Remote Network IPv4
PPPoE server networks
but not:
IPsec Mobile IPv6 subnet
OpenVPN client/server Tunnel Network / Remote Network IPv6
L2TP VPN network
This is why the Snort/Suricata vpnaddresses option doesn't return a complete list of VPN networks
see https://redmine.pfsense.org/issues/8688
2) Because filter_get_vpns_list() returns not only IPsec networks, the IPsec MSS clamping option will affect unnecessary VPN types.
There are some people who rely on that behavior, so if it is altered, a means must be added to cover the other cases separately or to preserve the current behavior.
It is probably better to have a different setting for each type of VPN since they may have a different desired MSS value due to differences in overhead for each protocol. If we go that route, however, there should be a master setting to cover all VPNs with the current value.
+ I think it would be better to split "Advanced Firewall" into "Advanced Firewall" and "Packet Processing" sections:
Advanced Firewall:
Disable Firewall
Static route filtering
Disable Auto-added VPN rules
Disable reply-to
Disable Negate rules
Allow APIPA
Aliases Hostnames Resolve Interval
Check certificate of aliases URLs
Packet Processing:
IP Do-Not-Fragment compatibility
IP Random id generation
Firewall Optimization Options
VPN MSS Clamping
Disable Firewall Scrub
Firewall Adaptive Timeouts
Firewall Maximum States
Firewall Maximum Table Entries
Firewall Maximum Fragment Entries
it can also reduce the scope of #7815
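The shape of the list both points above ask for, as an added illustration: this is not pfSense's filter_get_vpns_list() nor a proposed patch, and the $config key names (pool_address_v6, tunnel_networkv6, l2tp_subnet and so on) and the helper names vpn_cidr(), vpn_networks_by_type() and all_vpn_networks() are assumptions made for the example. It collects every VPN type named in the report, including the IPv6 and L2TP entries point 1) says are missing, and keeps them keyed by type so that a consumer such as an IPsec MSS-clamping rule can take only the IPsec networks (point 2) while the IDS vpnaddresses option can take the flat union.

```php
<?php
// Added example, not pfSense code. The $config layout below is assumed for
// illustration; check it against the real config.xml before relying on it.

// Hypothetical helper: build "addr/bits", or null when either part is empty.
function vpn_cidr($addr, $bits) {
    if (empty($addr) || $bits === '' || $bits === null) {
        return null;
    }
    return "{$addr}/{$bits}";
}

// Every VPN network from the config, grouped by VPN type.
function vpn_networks_by_type(array $config) {
    $out = array('ipsec' => array(), 'openvpn' => array(), 'l2tp' => array(), 'pppoe' => array());

    // IPsec mobile clients: IPv4 and IPv6 virtual address pools.
    if (isset($config['ipsec']['client'])) {
        $c = $config['ipsec']['client'];
        $out['ipsec'][] = vpn_cidr($c['pool_address'] ?? '', $c['pool_netbits'] ?? '');
        $out['ipsec'][] = vpn_cidr($c['pool_address_v6'] ?? '', $c['pool_netbits_v6'] ?? '');
    }
    // IPsec site-to-site: the remote network of each phase 2 entry.
    foreach ($config['ipsec']['phase2'] ?? array() as $p2) {
        if (($p2['remoteid']['type'] ?? '') === 'network') {
            $out['ipsec'][] = vpn_cidr($p2['remoteid']['address'] ?? '', $p2['remoteid']['netbits'] ?? '');
        }
    }
    // OpenVPN servers and clients: tunnel and remote networks, both address families.
    foreach (array('openvpn-server', 'openvpn-client') as $kind) {
        foreach ($config['openvpn'][$kind] ?? array() as $vpn) {
            foreach (array('tunnel_network', 'tunnel_networkv6', 'remote_network', 'remote_networkv6') as $k) {
                if (!empty($vpn[$k])) {
                    // remote_network fields may hold a comma-separated list
                    foreach (explode(',', $vpn[$k]) as $net) {
                        $out['openvpn'][] = trim($net);
                    }
                }
            }
        }
    }
    // L2TP server client pool.
    if (!empty($config['l2tp']['remoteip'])) {
        $out['l2tp'][] = vpn_cidr($config['l2tp']['remoteip'], $config['l2tp']['l2tp_subnet'] ?? '');
    }
    // PPPoE server instances.
    foreach ($config['pppoes']['pppoe'] ?? array() as $pppoe) {
        $out['pppoe'][] = vpn_cidr($pppoe['remoteip'] ?? '', $pppoe['pppoe_subnet'] ?? '');
    }

    // Drop empty entries and duplicates, keep deterministic order per type.
    foreach ($out as $type => $nets) {
        $out[$type] = array_values(array_unique(array_filter($nets)));
    }
    return $out;
}

// Flat union for consumers that want every VPN network (e.g. the IDS vpnaddresses option).
function all_vpn_networks(array $config) {
    return array_merge(array(), ...array_values(vpn_networks_by_type($config)));
}

// Constructed sample config for the example; not taken from a real system.
$config = array(
    'ipsec' => array(
        'client' => array('pool_address' => '10.10.0.0', 'pool_netbits' => '24',
                          'pool_address_v6' => 'fd00:10::', 'pool_netbits_v6' => '64'),
        'phase2' => array(array('remoteid' => array('type' => 'network',
                                                    'address' => '192.168.50.0', 'netbits' => '24'))),
    ),
    'openvpn' => array('openvpn-server' => array(array(
        'tunnel_network' => '10.20.0.0/24', 'tunnel_networkv6' => 'fd00:20::/64',
        'remote_network' => '', 'remote_networkv6' => ''))),
    'l2tp' => array('remoteip' => '10.30.0.0', 'l2tp_subnet' => '24'),
    'pppoes' => array('pppoe' => array(array('remoteip' => '10.40.0.0', 'pppoe_subnet' => '24'))),
);

$by_type = vpn_networks_by_type($config);
// Only the IPsec networks should feed an IPsec MSS clamping rule:
print "IPsec only: " . implode(' ', $by_type['ipsec']) . "\n";
// The full list is what the IDS packages want:
print "All VPNs:   " . implode(' ', all_vpn_networks($config)) . "\n";
```

With the sample config the IPsec line carries the IPv4 and IPv6 mobile pools plus the site-to-site remote network, while the full list adds the OpenVPN IPv4 and IPv6 tunnel networks, the L2TP pool and the PPPoE pool; keeping the per-type grouping is what lets the clamping option and the IDS option draw from the same source without one inheriting the other's scope.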