🧭 1. What is Packet Normalization?
In OPNsense, Firewall Normalization (or “scrubbing”) is a low-level packet filtering feature
implemented by the pf firewall engine, which cleans, verifies, and adjusts packets before they are processed by rules.
Its main purposes are:
- Correct or drop malformed packets;
- Reassemble fragmented packets;
- Prevent fragmentation-based evasion attacks;
- Improve protocol compliance and consistency.
You can find it under:
Firewall → Settings → Normalization
⚙️ 2. How It Works
When a packet passes through the firewall, pf performs a scrub operation:
checking headers, fixing anomalies, and normalizing flow behavior.
Common scrub actions:
| Action | Description |
|---|---|
| reassemble tcp | Reassemble fragmented TCP packets to prevent evasion. |
| random-id | Randomize IP packet ID to avoid traffic fingerprinting. |
| min-ttl 64 | Enforce minimum TTL to prevent early packet drop. |
| max-mss 1460 | Cap the TCP segment size to ensure link compatibility. |
| no-df | Remove “Don’t Fragment” flag, allowing reassembly when needed. |
🧩 3. Normalization Options
| Option | Description |
|---|---|
| Disable packet reassembly | Disables reassembly; not recommended unless performance is critical. |
| Randomize ID | Obfuscates host activity by randomizing IP IDs. |
| Min TTL | Minimum allowed TTL (e.g., 64). |
| Max MSS | Limits TCP segment size (commonly 1460). |
| No-df | Allows fragmentation even if DF flag is set. |
| Adaptive timeouts | Dynamically adjusts timeouts for high-load conditions. |
🧠 4. Use Cases
1️⃣ Prevent Fragmentation Attacks
Some exploits use small, fragmented packets to bypass IDS/IPS.
Reassembly ensures packets are unified and inspected correctly.
2️⃣ Fix MTU / VPN Issues
Setting Max MSS = 1460 avoids oversized packets from breaking through smaller-MTU links like PPPoE or VPN tunnels.
3️⃣ Enhance Privacy
Randomize ID hides host behavior from remote fingerprinting attempts.
4️⃣ Increase Connection Reliability
Min TTL = 64 helps maintain connectivity across multiple routing hops.
⚙️ 5. Example Configuration
For WAN interface normalization:
| Interface | Option | Value |
|---|---|---|
| WAN | Enable reassembly | ✅ Enabled |
| WAN | Randomize ID | ✅ Enabled |
| WAN | Min TTL | 64 |
| WAN | Max MSS | 1460 |
| WAN | No-df | ✅ Enabled |
Equivalent pf rule (pf.conf syntax, as generated for the WAN interface em0):
```pf
scrub on em0 reassemble tcp random-id min-ttl 64 max-mss 1460 no-df
```
🧩 6. Recommended Practices
| Scenario | Suggested Settings |
|---|---|
| General corporate network | reassemble tcp + random-id + min-ttl 64 |
| VPN users | add max-mss 1400–1420 |
| High-performance servers | disable reassembly if CPU-bound |
| High-security environment | enable random-id + no-df |
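The MSS guidance in sections 4, 5 and 6 (1460 on a standard link, 1400–1420 behind a VPN) follows from subtracting the IP and TCP header sizes from the link MTU. The script below is an added example, not OPNsense's or pf's own code: it derives a max-mss value from an MTU, emits the matching scrub rule for an interface, and checks a ruleset dump for the expected normalization options. The interface names and the sample ruleset text are constructed placeholders; real `pfctl -sr` output may word a scrub line differently, so the check matches on option tokens rather than on the whole line.

```sh
#!/bin/sh
# Added example for the normalization article; not code from OPNsense or pf.
# Interface names (em0, ovpnc1) and SAMPLE_RULESET are constructed placeholders.

# MSS = MTU minus the IP header (20 bytes IPv4, 40 bytes IPv6) minus the 20-byte TCP header.
# A 1500-byte Ethernet MTU gives 1460; a 1492-byte PPPoE MTU gives 1452.
mss_for_mtu() {
    mtu=$1
    af=${2:-inet}
    case $af in
        inet)  echo $((mtu - 40)) ;;
        inet6) echo $((mtu - 60)) ;;
        *) echo "unknown address family: $af" >&2; return 1 ;;
    esac
}

# Emit the scrub rule from section 5 for an interface, with the MSS cap as a parameter
# so the same rule can be generated for a VPN interface with a smaller MTU.
scrub_rule() {
    ifname=$1
    mss=$2
    printf 'scrub on %s reassemble tcp random-id min-ttl 64 max-mss %s no-df\n' "$ifname" "$mss"
}

# Verify that a ruleset text (e.g. captured from `pfctl -sr`) has a scrub line for the
# interface carrying every option passed as an argument. Multi-word options such as
# "min-ttl 64" are matched as one token pair. Returns 0 if all present, 1 otherwise.
check_scrub() {
    ruleset=$1
    ifname=$2
    shift 2
    line=$(printf '%s\n' "$ruleset" | grep "^scrub on $ifname " || true)
    [ -n "$line" ] || return 1
    for opt in "$@"; do
        case " $line " in
            *" $opt "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample ruleset dump; the wording is illustrative, not captured from a real box.
SAMPLE_RULESET='scrub on em0 all reassemble tcp random-id min-ttl 64 max-mss 1460 no-df fragment reassemble
pass in on em0 all flags S/SA keep state'

# Stand-alone usage: print rules for a WAN link and a VPN tunnel, then audit the sample dump.
scrub_rule em0 "$(mss_for_mtu 1500)"
scrub_rule ovpnc1 "$(mss_for_mtu 1440)"
if check_scrub "$SAMPLE_RULESET" em0 "reassemble tcp" random-id "min-ttl 64" "max-mss 1460" no-df; then
    echo "em0: normalization options present"
else
    echo "em0: normalization options missing" >&2
fi
```

Run the check against a saved `pfctl -sr` dump after applying the Normalization settings; a missing option is the quickest sign that the rule was not regenerated for the interface you expected.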
✅ 7. Summary
Packet Normalization is a powerful and often overlooked feature that
protects your network from protocol irregularities and packet-based attacks.
By enforcing consistent packet structure before filtering,
it greatly enhances both security and stability of your OPNsense firewall.
Always keep it enabled unless you have a specific performance reason not to,
and tune MSS/TTL based on your environment.