Bug #7779
Traffic crossing a site-to-site OpenVPN tunnel fails to fragment.

Added by Steve Wheeler over 6 years ago. Updated almost 3 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
OpenVPN
Target version:
-
Start date:
08/16/2017
Due date:
% Done:
0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
All
Affected Architecture:

Description

In some circumstances traffic crossing an OpenVPN site-to-site tunnel with packets larger than the local network MTU can fail to fragment correctly leaving the local interface.

Traffic is fragmented correctly crossing the tunnel in either direction, so if you hit this issue you will be able to, for example, ping with large packets a remote pfSense LAN interface IP but not anything else on that LAN subnet.

A work-around for this issue is to assign and enable the OpenVPN interface at the failing end. After that pf will add rules to that traffic and fragment packets correctly.
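As an added illustration (not part of this bug report and not pfSense or pf code), the following Python script shows the IPv4 fragmentation that has to happen when a datagram larger than the egress MTU leaves an interface, which is what the workaround above relies on pf to do. It splits a constructed 1500-byte datagram for a 1470-byte MTU into correctly offset fragments, refuses a DF-flagged datagram instead of silently passing it, and reassembles the fragments to prove the round trip. The addresses, IP identification value and payload are constructed sample values.

```python
import socket
import struct

# IPv4 fragmentation and reassembly as in RFC 791 (added example, not pfSense code).
IPV4_HEADER_LEN = 20      # fixed header without options, so IHL = 5
MF_FLAG = 0x1             # "More Fragments" bit of the 3-bit flags field
DF_FLAG = 0x2             # "Don't Fragment" bit


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, ident, flags=0, frag_offset=0, proto=17, ttl=64):
    """Serialise one IPv4 packet (frag_offset in 8-byte units, as on the wire)."""
    total_len = IPV4_HEADER_LEN + len(payload)
    flags_off = (flags << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Decode the fixed header, verify its checksum and return the fields we need."""
    vihl, _tos, total_len, ident, flags_off, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:IPV4_HEADER_LEN])
    if vihl != 0x45:
        raise ValueError("only IPv4 without options is handled here")
    if ipv4_checksum(pkt[:IPV4_HEADER_LEN]) != 0:
        raise ValueError("bad header checksum")
    return {"ident": ident, "flags": flags_off >> 13, "frag_offset": flags_off & 0x1FFF,
            "ttl": ttl, "proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "payload": pkt[IPV4_HEADER_LEN:total_len]}


def fragment(packet, mtu):
    """Split packet into fragments no larger than mtu; a DF packet that does not fit is refused."""
    h = parse_ipv4(packet)
    if len(packet) <= mtu:
        return [packet]
    if h["flags"] & DF_FLAG:
        raise ValueError("DF set and packet larger than MTU: needs ICMP 'fragmentation needed'")
    max_payload = (mtu - IPV4_HEADER_LEN) // 8 * 8   # all but the last fragment carry a multiple of 8 bytes
    payload = h["payload"]
    frags = []
    for off in range(0, len(payload), max_payload):
        chunk = payload[off:off + max_payload]
        last = off + len(chunk) == len(payload)
        flags = h["flags"] & ~MF_FLAG
        if not last or h["flags"] & MF_FLAG:   # keep MF when the input was itself a middle fragment
            flags |= MF_FLAG
        frags.append(build_ipv4(h["src"], h["dst"], chunk, h["ident"], flags,
                                h["frag_offset"] + off // 8, h["proto"], h["ttl"]))
    return frags


def reassemble(fragments):
    """Rebuild the original datagram; raises if a fragment is missing or belongs elsewhere."""
    parsed = sorted((parse_ipv4(f) for f in fragments), key=lambda h: h["frag_offset"])
    first = parsed[0]
    buf, expected = bytearray(), 0
    for h in parsed:
        if (h["ident"], h["src"], h["dst"], h["proto"]) != \
                (first["ident"], first["src"], first["dst"], first["proto"]):
            raise ValueError("fragment belongs to another datagram")
        if h["frag_offset"] * 8 != expected:
            raise ValueError("gap in fragments at byte offset %d" % expected)
        buf += h["payload"]
        expected += len(h["payload"])
    if parsed[-1]["flags"] & MF_FLAG:
        raise ValueError("last fragment missing")
    return build_ipv4(first["src"], first["dst"], bytes(buf), first["ident"],
                      first["flags"] & ~MF_FLAG, 0, first["proto"], first["ttl"])


def make_sample_datagram(df=False):
    """Constructed 1500-byte ICMP-sized datagram from a LAN host to a host behind the remote site."""
    payload = bytes(range(256)) * 5 + b"x" * 200          # 1480 bytes of arbitrary content
    return build_ipv4("10.0.1.25", "10.0.2.50", payload, 0x1234, DF_FLAG if df else 0, proto=1)


def demo(mtu=1470):
    """Fragment the sample datagram for the given MTU and check it survives a round trip."""
    pkt = make_sample_datagram()
    frags = fragment(pkt, mtu)
    return len(frags), reassemble(frags) == pkt


if __name__ == "__main__":
    count, ok = demo()
    print("1500-byte datagram over MTU 1470 -> %d fragments, round trip ok: %s" % (count, ok))
```

With a 1470-byte MTU the 1480-byte payload becomes a 1448-byte first fragment (offset 0, MF set) and a 32-byte tail (offset 181, MF clear); the same datagram passes untouched at MTU 1500, and the DF variant is rejected rather than forwarded, which is the decision a firewall has to make at the point this ticket describes.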


Related issues

Related to Bug #7801: UDP fragments received over IPsec tunnel are not properly reassembled and forwarded (Closed, Viktor Gurov, 08/22/2017)

Actions #1

Updated by Steve Wheeler over 6 years ago

Example, ticket 23040

Actions #2

Updated by Rajko Ray Bogdanovic over 6 years ago

Steve Wheeler wrote:

In some circumstances traffic crossing an OpenVPN site-to-site tunnel with packets larger than the local network MTU can fail to fragment correctly leaving the local interface.

Traffic is fragmented correctly crossing the tunnel in either direction, so if you hit this issue you will be able to, for example, ping with large packets a remote pfSense LAN interface IP but not anything else on that LAN subnet.

A work-around for this issue is to assign and enable the OpenVPN interface at the failing end. After that pf will add rules to that traffic and fragment packets correctly.

Hi Steve,

It seems that the problem goes beyond OpenVPN. With OpenVPN disabled and direct routing enabled, the MTU problem still exists on pfSense firewalls that were installed with a version prior to 2.3.3 and then upgraded to the latest version.

The workaround, it seems, worked in the lab but did not in production.

Ping probes from the inside interface toward the remote site were delivered fine and replied to, but when a packet is sent from a system connected to pfSense, packets with an MTU over 1470 get dropped.

Actions #3

Updated by Steve Wheeler over 6 years ago

We were able to disprove the situation with OpenVPN disabled. The initial description still holds.

Actions #4

Updated by Viktor Gurov almost 3 years ago

see also #7801

Actions #5

Updated by Viktor Gurov about 2 years ago

  • Related to Bug #7801: UDP fragments received over IPsec tunnel are not properly reassembled and forwarded added