CFP drops VPN or SSH packets from Linux router without logging
There have been several reports of VPN or SSH connections, routed via a Linux-based router, being dropped with no log entries created for the dropped connections.
A forum member (fmverv) has determined that the root cause is that CFP does not correctly handle packets that have Explicit Congestion Notification (ECN) enabled. He has documented the issue and the solution as follows:
CFW 188.8.131.524 and earlier drops incoming connections that originate from my Linux-based router. Forwarded incoming connections are usually OK. This means that connections tunneled through SSH or VPN on the router get dropped by the PC running CFW on my home network.
CFW apparently drops incoming connections that have Explicit Congestion Notification (ECN) enabled.
The connections appear to be dropped before the incoming packets even reach the Global Rules so you never get a log entry that packets are being dropped.
ECN allows a router to notify a sending system that it is experiencing congestion so the sending system backs off before the congestion gets bad enough that the router starts dropping packets.
There is a good article on ECN at: The Cable Guy - October 2006 | Microsoft Learn
Basically, when an ECN capable system initiates a TCP connection, it sets SYN, ECN, & CWR flags in the TCP header.
If the target is ECN capable, it replies with SYN, ACK, ECN. If it isn’t ECN compliant, then it just replies with SYN, ACK.
I have loaded 3rd-party firmware (dd-wrt) onto my router. It's Linux-based and uses the version 2.4 kernel. The router firmware supports ECN and has it enabled by default. Windows prior to Vista does not support ECN; Vista supports it, but it is disabled by default.
In the Linux 2.4 kernel, ECN can be disabled with the following command:
echo "0" > /proc/sys/net/ipv4/tcp_ecn
(This is what I used on my Linux-based router. Command syntax for other variants of router O/S kernel may vary.)
If you experience this issue try placing the above command in your startup script.
After disabling ECN, incoming connections from the router work properly!!!
Many thanks to fmverv for his persistence in tracking down both the cause and the solution.
N.B. Minor spelling, grammar and style changes have been applied to fmverv's original posting.
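Because CFW drops the segments before the Global Rules see them, the firewall log cannot tell you whether ECN is the trigger; the only place to confirm it is on the wire. The following is an added example (not fmverv's code and not part of the original post) that decodes the flags byte of a raw TCP header and classifies the handshake segments described above: a SYN carrying both ECE and CWR is an ECN-setup SYN, a SYN-ACK carrying ECE is an ECN-setup SYN-ACK, and a plain SYN or SYN-ACK is a non-ECN handshake. The sample headers are constructed inline with the helper build_tcp_header (ports, sequence numbers and window sizes are arbitrary); the tcp_ecn value table goes beyond the 2.4 kernel in the post, which only knows 0 and 1, to include the value 2 used by later kernels.

```python
import struct

# TCP flag bits, byte 13 of the header. FIN..URG are from RFC 793;
# ECE (ECN-Echo) and CWR (Congestion Window Reduced) were added by RFC 3168.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

TCP_HEADER_MIN = 20  # bytes, with no options


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Construct a minimal 20-byte TCP header (checksum and urgent pointer zeroed).

    Used only to fabricate sample segments for this example; data offset is 5 words.
    """
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       5 << 4, flags, window, 0, 0)


def tcp_flags(tcp_header):
    """Return the 8-bit flags field of a raw TCP header."""
    if len(tcp_header) < TCP_HEADER_MIN:
        raise ValueError("TCP header must be at least 20 bytes")
    return tcp_header[13]


def flag_names(flags):
    """Human-readable list of set flags, e.g. ['SYN', 'ECE', 'CWR']."""
    names = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")
    return [n for n, bit in zip(names, (FIN, SYN, RST, PSH, ACK, URG, ECE, CWR)) if flags & bit]


def classify_handshake(tcp_header):
    """Classify a segment by the ECN negotiation rules of RFC 3168.

    ECN-setup SYN:     SYN set, ACK clear, both ECE and CWR set.
    ECN-setup SYN-ACK: SYN and ACK set, ECE set, CWR clear.
    Anything else with SYN is a non-ECN handshake; anything without SYN is
    not a handshake segment at all.
    """
    f = tcp_flags(tcp_header)
    if not f & SYN:
        return "not a handshake segment"
    if not f & ACK:
        return "ECN-setup SYN" if (f & ECE and f & CWR) else "non-ECN SYN"
    return "ECN-setup SYN-ACK" if (f & ECE and not f & CWR) else "non-ECN SYN-ACK"


def router_initiates_ecn(tcp_ecn_value):
    """Whether a Linux host's own outgoing SYNs will carry ECE+CWR for a given
    /proc/sys/net/ipv4/tcp_ecn value.

    0 = ECN off, 1 = request ECN on outgoing and accept incoming,
    2 = accept if the peer requests it but never initiate (later kernels;
    a 2.4 kernel such as the one in the post only has 0 and 1).
    """
    if tcp_ecn_value not in (0, 1, 2):
        raise ValueError("tcp_ecn must be 0, 1 or 2")
    return tcp_ecn_value == 1


# Constructed sample segments, as they would appear in a tcpdump -x capture
# between an ECN-enabled router (port 40000) and a PC running an SSH server.
ROUTER_ECN_SYN = build_tcp_header(40000, 22, seq=1000, ack=0, flags=SYN | ECE | CWR)
ROUTER_PLAIN_SYN = build_tcp_header(40000, 22, seq=1000, ack=0, flags=SYN)
PC_ECN_SYNACK = build_tcp_header(22, 40000, seq=5000, ack=1001, flags=SYN | ACK | ECE)
PC_PLAIN_SYNACK = build_tcp_header(22, 40000, seq=5000, ack=1001, flags=SYN | ACK)

if __name__ == "__main__":
    for label, seg in (("router SYN (ECN on)", ROUTER_ECN_SYN),
                       ("router SYN (ECN off)", ROUTER_PLAIN_SYN),
                       ("PC SYN-ACK (ECN on)", PC_ECN_SYNACK),
                       ("PC SYN-ACK (ECN off)", PC_PLAIN_SYNACK)):
        print(f"{label:22s} flags={flag_names(tcp_flags(seg))} -> {classify_handshake(seg)}")
    for v in (0, 1, 2):
        print(f"tcp_ecn={v}: router initiates ECN? {router_initiates_ecn(v)}")
```

To use it against real traffic, capture the first segment of a dropped connection on the router side (for example with tcpdump -x) and feed the 20-byte TCP header to classify_handshake; if the router's SYN comes back as "ECN-setup SYN" and the PC behind CFW never answers, the symptom matches the one in the post, and after writing 0 to tcp_ecn the same capture should show a "non-ECN SYN".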