Traffic normalization protects internal machines against inconsistencies in Internet protocols and implementations. OPNsense offers some generic options to normalize packets on a per-interface basis; where more detailed changes are needed, custom rules can be configured.

By default (when "Disable interface scrub" is not set), all interfaces are scrubbed for all traffic, with fragment reassembly enabled and max-mss set when an MSS is specified on the interface.

Some protocols, such as NFS, require specific fragment handling, which may require options such as "Do not fragment" to be set.

Normalization rules use the same kind of matching as normal firewall rules, which is not detailed here. When a rule matches, the following options can be applied.

When rules overlap, the first matching rule wins; the per-interface default rules are therefore placed after the user-configured ones, so a custom rule always takes precedence over the interface defaults.

Max mss: Enforces a maximum MSS for matching TCP packets. Can also be configured on the interface as a general rule.
TOS / DSCP: Enforces a TOS/DSCP value for matching IP packets.
Minimum TTL: Enforces a minimum TTL for matching IP packets.
Do not fragment: Clears the dont-fragment bit on matching IP packets; the bit, when set, prevents IP fragmentation.
Random ID: Replaces the IP identification field with random values to compensate for the predictable values generated by many hosts. This option only applies to packets that are not fragmented after the optional fragment reassembly.
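To make the options and the ordering rule above concrete, the following shows what the corresponding pf scrub rules look like, including the NFS case mentioned earlier. This is an added illustration written for this page; it is not configuration taken from the OPNsense documentation or generated by OPNsense itself. The interface name em0, the network 192.0.2.0/24, the NFS server address, the MSS and TTL values and the TOS value are all assumed for the example.

```pf
# Custom (user-configured) normalization rules come first, because the
# first matching scrub rule wins.

# NFS: some hosts send fragmented datagrams with the dont-fragment bit set,
# so clear the bit ("Do not fragment" option) for traffic to the NFS server.
# Server address 192.0.2.10 is assumed for the example.
scrub in on em0 proto udp from any to 192.0.2.10 port 2049 no-df

# TCP from the internal network: cap the MSS ("Max mss"), enforce a minimum
# TTL ("Minimum TTL"), set a TOS value ("TOS / DSCP") and randomize the IP
# identification field ("Random ID"). Values are assumed for the example.
scrub in on em0 proto tcp from 192.0.2.0/24 to any \
    max-mss 1380 min-ttl 64 set-tos 0x10 random-id

# Interface-wide default, equivalent to what applies when interface scrub is
# not disabled and an MSS of 1440 is configured on the interface. It is
# placed last so that it only catches traffic no custom rule matched.
scrub on em0 all fragment reassemble max-mss 1440
```

The rule set can be syntax-checked without loading it by running `pfctl -nf <file>`; on an OPNsense system the rules are generated from the GUI settings rather than edited by hand, so the file above serves only to show how the options map onto pf keywords. Note that random-id takes effect only on packets that are still unfragmented after fragment reassembly, which is why it is combined with the interface-wide fragment reassemble rule here.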