A Linux bridge is a software bridge that connects two or more network segments. Frames are forwarded based on their Ethernet (MAC) address, just like on a physical switch.
This article discusses the occasions on which a Linux bridge does not forward fragmented packets, and how to fix them.
PFSense Firewall Quick Fix
If you have deployed PFSense as a transparent firewall, you may find fragmented packets being dropped silently. (At least I spent countless days trying to find out why the fragmented packets from my server farm were being dropped.)
Under System -> Advanced, click the Firewall / NAT tab and apply the following options:
- Check “Clear invalid DF bits instead of dropping the packets”. This allows communication with hosts that generate fragmented packets with the don't fragment (DF) bit set.
- Set Firewall Optimization Options to conservative mode. This makes PFSense try to avoid dropping any legitimate connection, at the cost of increased memory usage and CPU utilization.
- Disable Firewall Scrubbing. Scrub is also what normalizes and reassembles fragments before filtering, so only turn it off if the first two options did not help, and re-test your fragmented traffic afterwards.
In some deployments, such as OpenStack, the VM MTU has to be lowered to make room for the VXLAN (50 bytes) or GRE (24 bytes) tunnel encapsulation overhead, unless your infrastructure supports jumbo frames (MTU 9000).
Traffic that does not respect the lowered MTU ends up fragmented, and when those fragments are dropped silently the impact is hard to diagnose: small transfers work while large ones stall.
Usually adding the following to /etc/sysctl.conf (or a file under /etc/sysctl.d/) solves the problem, but in some cases the settings do not persist across a reboot because sysctl.conf is applied before the br_netfilter module, which provides these keys on kernels 3.18 and later, has been loaded. OpenStack Nova compute nodes are one example.
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
Be clear about what these settings do before changing them. With bridge-nf-call-iptables set to 1, every frame crossing the bridge is also passed through iptables; conntrack reassembles fragments there and the bridge has to re-fragment them on the way out, which is the path on which they get lost here. Setting it to 0 takes bridged traffic out of iptables entirely. On an OpenStack compute node whose security groups are implemented as iptables rules on the Linux bridge, that also disables security-group filtering for every VM on the host, so fix the MTU advertised to the guests first and only fall back to this when you can accept that trade-off.
An alternative workaround is to add the following commands to rc.local. The 30 second sleep (you can try reducing it to 20 or 10 seconds, whichever works for you) gives the system time to load the necessary modules before the netfilter settings are applied. On a systemd host a cleaner fix is to list br_netfilter in a file under /etc/modules-load.d/, so that the keys already exist by the time the sysctl settings are applied at boot.
sleep 30
echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables
echo 0 > /proc/sys/net/bridge/bridge-nf-call-arptables
echo 0 > /proc/sys/net/bridge/bridge-nf-call-ip6tables
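As an added example (not from the original article), the following script replaces the fixed sleep with a bounded poll for the sysctl keys, loads br_netfilter if it is not there yet, and checks the values after writing them so the change is verified rather than assumed. The BRIDGE_NF_DIR override, the `apply` argument and the file name bridge-nf.sh are my own conventions, chosen so the functions can be exercised against a scratch directory; the three keys themselves are the real ones under /proc/sys/net/bridge.

```shell
#!/bin/sh
# bridge-nf.sh: set the bridge-nf-call-* sysctls once br_netfilter is loaded.
# BRIDGE_NF_DIR is an assumed override so the logic can be tested against a
# scratch directory instead of the live /proc/sys/net/bridge.
BRIDGE_NF_DIR="${BRIDGE_NF_DIR:-/proc/sys/net/bridge}"
BRIDGE_NF_KEYS="bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables"

# Wait up to $1 seconds (polling once per second) for the sysctl keys to appear.
# On kernels 3.18+ they only exist once br_netfilter is loaded, so try loading it
# while waiting. Returns 0 when the keys are present, 1 on timeout.
wait_for_bridge_nf() {
    limit="${1:-30}"
    elapsed=0
    while [ ! -f "$BRIDGE_NF_DIR/bridge-nf-call-iptables" ]; do
        if [ "$elapsed" -ge "$limit" ]; then
            return 1
        fi
        [ "$BRIDGE_NF_DIR" = /proc/sys/net/bridge ] && modprobe br_netfilter 2>/dev/null || true
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 0
}

# Write value $1 (0 or 1) to every bridge-nf-call-* key.
# Returns 1 if any key is missing, so a half-applied change is noticed.
set_bridge_nf() {
    value="$1"
    rc=0
    for key in $BRIDGE_NF_KEYS; do
        if [ -f "$BRIDGE_NF_DIR/$key" ]; then
            echo "$value" > "$BRIDGE_NF_DIR/$key"
        else
            echo "missing sysctl: $key" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 only if every key currently holds the value $1.
bridge_nf_is() {
    for key in $BRIDGE_NF_KEYS; do
        [ "$(cat "$BRIDGE_NF_DIR/$key" 2>/dev/null)" = "$1" ] || return 1
    done
    return 0
}

# Print key=value for every key (prints "absent" for keys that do not exist).
show_bridge_nf() {
    for key in $BRIDGE_NF_KEYS; do
        printf '%s=%s\n' "$key" "$(cat "$BRIDGE_NF_DIR/$key" 2>/dev/null || echo absent)"
    done
}

# Entry point used from rc.local: wait for the keys, set them to 0, verify.
bridge_nf_apply() {
    if ! wait_for_bridge_nf 30; then
        echo "br_netfilter sysctls never appeared; giving up" >&2
        return 1
    fi
    set_bridge_nf 0 || return 1
    if bridge_nf_is 0; then
        show_bridge_nf
        return 0
    fi
    echo "bridge-nf settings did not take effect" >&2
    show_bridge_nf >&2
    return 1
}

# Only act when invoked as "bridge-nf.sh apply"; with no argument the script
# just defines the functions so it can be sourced or tested.
if [ "${1:-}" = apply ]; then
    bridge_nf_apply
fi
```

Install it as /usr/local/sbin/bridge-nf.sh and call `sh /usr/local/sbin/bridge-nf.sh apply` from rc.local in place of the sleep and echo lines. Because the script polls for the keys and re-reads them after writing, a host where br_netfilter takes longer than expected to load (or where the module is absent) fails loudly instead of silently leaving the kernel defaults of 1 in place.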