Bug #14371
Updated by Marcos M over 1 year ago
Tested on @23.01@. pfSense itself does not respond to UDP traceroutes when it receives the request over IPsec (both policy/routed tunnels tested, as well as with pf disabled). In the following example, traceroute is run from a LAN client behind siteA to the LAN interface address of siteB.

<pre>
### siteA client
[22.01-DEVELOPMENT][root@sitea-lanhost.lab.arpa]/root: traceroute -n -I 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 64 hops max, 48 byte packets
 1  172.19.1.1  0.337 ms  0.106 ms  0.174 ms
 2  192.168.1.1  0.684 ms  0.607 ms  0.531 ms
[22.01-DEVELOPMENT][root@sitea-lanhost.lab.arpa]/root: traceroute -n 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 64 hops max, 40 byte packets
 1  172.19.1.1  0.283 ms  0.185 ms  0.189 ms
 2  * * *
 3  * *^C

### siteB firewall
[23.01-RELEASE][root@siteb-fw1.lab.arpa]/root: ifconfig vmx1
vmx1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	description: LAN
	options=4e000bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
	ether 00:50:56:b2:00:fe
	inet6 fe80::250:56ff:feb2:fe%vmx1 prefixlen 64 scopeid 0x2
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet autoselect
	status: active
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
[23.01-RELEASE][root@siteb-fw1.lab.arpa]/root: tcpdump -ni enc0 'host 172.19.1.4'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 262144 bytes
19:01:30.681093 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4 > 192.168.1.1: ICMP echo request, id 32776, seq 4, length 28
19:01:30.681173 (authentic,confidential): SPI 0xcaa92d26: IP 192.168.1.1 > 172.19.1.4: ICMP echo reply, id 32776, seq 4, length 28
19:01:30.681567 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4 > 192.168.1.1: ICMP echo request, id 32776, seq 5, length 28
19:01:30.681586 (authentic,confidential): SPI 0xcaa92d26: IP 192.168.1.1 > 172.19.1.4: ICMP echo reply, id 32776, seq 5, length 28
19:01:30.682120 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4 > 192.168.1.1: ICMP echo request, id 32776, seq 6, length 28
19:01:30.682142 (authentic,confidential): SPI 0xcaa92d26: IP 192.168.1.1 > 172.19.1.4: ICMP echo reply, id 32776, seq 6, length 28
19:01:34.226850 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4.32816 > 192.168.1.1.33438: UDP, length 12
19:01:39.310089 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4.32816 > 192.168.1.1.33439: UDP, length 12
19:01:44.388844 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4.32816 > 192.168.1.1.33440: UDP, length 12
^C
9 packets captured
242 packets received by filter
0 packets dropped by kernel
</pre>

Traceroutes to other clients on the siteB LAN work fine.
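An added check, not part of the bug report or of pfSense, that parses a tcpdump capture like the enc0 output above and lists the probes the destination never answered. The sample lines are constructed from the report's capture plus one made-up ICMP port-unreachable reply, which is what a working final-hop UDP traceroute probe should receive; the function name and port range are assumptions.

```python
import re

# Constructed sample: the first four lines mirror the enc0 capture in the report
# (echo request/reply, then UDP traceroute probes the firewall never answers);
# the last line is a constructed ICMP port-unreachable reply showing what a
# working final-hop UDP probe looks like, so the parser has both cases to classify.
SAMPLE_CAPTURE = """\
19:01:30.681093 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4 > 192.168.1.1: ICMP echo request, id 32776, seq 4, length 28
19:01:30.681173 (authentic,confidential): SPI 0xcaa92d26: IP 192.168.1.1 > 172.19.1.4: ICMP echo reply, id 32776, seq 4, length 28
19:01:34.226850 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4.32816 > 192.168.1.1.33438: UDP, length 12
19:01:39.310089 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4.32816 > 192.168.1.1.33439: UDP, length 12
19:01:39.310200 (authentic,confidential): SPI 0xcaa92d26: IP 192.168.1.1 > 172.19.1.4: ICMP 192.168.1.1 udp port 33439 unreachable, length 48
"""

ECHO_REQ = re.compile(r"IP (\S+) > (\S+): ICMP echo request, id (\d+), seq (\d+)")
ECHO_REP = re.compile(r"IP (\S+) > (\S+): ICMP echo reply, id (\d+), seq (\d+)")
UDP_PROBE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): UDP")
UNREACH = re.compile(r"IP (\S+) > (\S+): ICMP \S+ udp port (\d+) unreachable")

def unanswered_probes(capture, probe_ports=range(33434, 33535)):
    """Return (icmp_missing, udp_missing) for a tcpdump -n text capture.

    icmp_missing: (src, dst, id, seq) echo requests with no matching echo reply.
    udp_missing:  (src, dst, dport) UDP probes in the traceroute port range with
                  no ICMP port-unreachable from the destination (the final-hop
                  case tested in the report; intermediate hops would instead
                  answer with ICMP time exceeded, which this check does not track).
    """
    echo_req, echo_rep, udp, unreach = {}, set(), {}, set()
    for line in capture.splitlines():
        if m := ECHO_REQ.search(line):
            src, dst, ident, seq = m.groups()
            echo_req[(src, dst, ident, seq)] = line
        elif m := ECHO_REP.search(line):
            src, dst, ident, seq = m.groups()
            echo_rep.add((dst, src, ident, seq))      # keyed from the requester's view
        elif m := UDP_PROBE.search(line):
            src, _sport, dst, dport = m.groups()
            if int(dport) in probe_ports:             # assumed default traceroute port range
                udp[(src, dst, dport)] = line
        elif m := UNREACH.search(line):
            src, dst, port = m.groups()
            unreach.add((dst, src, port))             # keyed from the prober's view
    icmp_missing = [k for k in echo_req if k not in echo_rep]
    udp_missing = [k for k in udp if k not in unreach]
    return icmp_missing, udp_missing

if __name__ == "__main__":
    icmp, udp = unanswered_probes(SAMPLE_CAPTURE)
    print("unanswered ICMP echo requests:", icmp)
    print("unanswered UDP traceroute probes:", udp)
```

Run against the sample, it reports no missing echo replies but flags the probe to port 33438, reproducing the split the report describes: ICMP traceroute completes while UDP traceroute stalls at the firewall.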