
Bug #4723

Updated by Chris Buechler over 8 years ago


I have a use case where I couldn't forward UDP fragmented packets through a site-to-site OpenVPN tunnel. The issue isn't linked to OpenVPN itself but solely to the fact that scrubbing is applied on outgoing traffic.

Here's what happens:

1) Fragments are entering the LAN interface
2) Scrub applies and fragments are reassembled
3) The firewall can process the reassembled packet
4) The kernel fragments the packet again so it can escape through any other interface... (vpn, opt, wan, etc.)
5) The scrub out reassembles the packet
6) The packet is too big to escape the interface, so it is dropped.

I managed to fix this bug by replacing "scrub on" with "scrub in on" in /etc/inc/filter.inc. Anyway, is there a need (besides random-id) to do scrubbing for outgoing traffic? Maybe it could be possible to disable scrub out when it's not TCP? Any other idea?

I think this bug wasn't present on 2.0.0.


Thank you!
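As an added illustration (not taken from the report or from pfSense's generated ruleset), the pf.conf scrub rule as the reporter describes it before and after the change. The interface names and the option list are assumptions; only the direction keyword is the point.

```pf
# Constructed pf.conf fragment, not pfSense's own filter.inc output.
# Interface names (em0 for LAN, ovpns1 for the tunnel) are assumptions.

# Direction-less scrub: normalises both inbound and outbound packets.
# Fragments reassembled on the way in are re-fragmented by the kernel on
# egress, reassembled again by the outbound scrub, and dropped when the
# reassembled datagram exceeds the egress MTU (the sequence in the report).
scrub on em0 all fragment reassemble random-id
scrub on ovpns1 all fragment reassemble random-id

# Inbound-only scrub, the reporter's workaround: fragments arriving on an
# interface are still reassembled before filtering, but packets the kernel
# fragments on egress are left alone so they can leave at the interface MTU.
scrub in on em0 all fragment reassemble random-id
scrub in on ovpns1 all fragment reassemble random-id
```

Before loading a hand-edited ruleset, `pfctl -nf <file>` parses it without applying it, which catches a mistyped direction or option; the loaded scrub rules can then be compared against the intended ones with `pfctl -sr`.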
 
