Bug Report: Toxic Frame on Netgate SG-2100

Author
Stylite AG
Specialists in ZFS storage solutions, security, and Docker containerization for enterprise environments.

Hardware: Netgate SG-2100
Software: pfSense 2.7.x
Date: 2025-10-31
Reporter: Stylite AG
Severity: Critical (Hardware-related packet drop)

Summary

A reproducible hardware bug causes file transfers to abort deterministically at exactly 49% (ca. 95 MB of 195 MB) when transferring specific byte patterns over SMB or HTTP through the Netgate SG-2100. The issue occurs in the integrated Marvell 6000 Switch hardware and is independent of VLAN configuration, routing, or firewall rules.

For detailed analysis and debugging steps, see the full article: Toxic Frame on Netgate SG-2100: 49% and Not a Byte Further

Affected Hardware

  • Model: Netgate SG-2100
  • CPU: Dual-core ARM Cortex-A53
  • NIC: Marvell 88E6141 (mvneta driver)
  • Affected Interface: mvneta1
  • Switch: Marvell 6000 Switch
  • pfSense Version: 2.7.x

Symptom

File transfers abort deterministically at exactly 49% of the file size when transferring stdww2.cab (195 MB) or the extracted toxic byte pattern. The transfer stops without error messages, logs, or network protocol errors (no FIN/RST packets). The behavior is reproducible across multiple protocols (SMB, HTTP, FTP) and network topologies (IPsec tunnels, VLAN-to-VLAN on internal switch, direct Ethernet).

Reproduction Steps

  1. Set up Netgate SG-2100 with LAN port connected to integrated Marvell 6000 Switch
  2. Download toxic.bin from http://toxicframe.stylite-live.net/toxic.bin
  3. Transfer toxic.bin over HTTP or SMB through the SG-2100
  4. Transfer aborts at exactly 49% (ca. 95 MB)

Control test: Transfer nontoxic.bin (http://toxicframe.stylite-live.net/nontoxic.bin), which transfers successfully without issues.

Technical Details

Byte Pattern

The problematic byte pattern is located at offset 49% (ca. 95 MB) in stdww2.cab. Extracted sector:

dd if=stdww2.cab bs=1024 skip=99989 count=1 of=toxic.bin

SHA256 hash of toxic.bin:

c53442b8ebc2631d4326fb70cdcc62a5c452674ed306d31120235fc180cfd499
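An added example, not part of the original report: Python that mirrors the `dd` extraction above, checks the extracted block against the published SHA-256, and scans other files for the same bytes so affected transfers can be identified before they stall. The function names are hypothetical, and treating the whole 1 KiB block as the pattern is an assumption, since the report does not say which bytes inside the sector trigger the drop.

```python
import hashlib
import mmap
import sys
from pathlib import Path

# Values from the report's dd command and published hash.
BLOCK_SIZE = 1024      # dd bs=1024
BLOCK_INDEX = 99989    # dd skip=99989
TOXIC_SHA256 = "c53442b8ebc2631d4326fb70cdcc62a5c452674ed306d31120235fc180cfd499"

def extract_block(src, index=BLOCK_INDEX, size=BLOCK_SIZE):
    """Equivalent of: dd if=src bs=size skip=index count=1."""
    with open(src, "rb") as fh:
        fh.seek(index * size)
        block = fh.read(size)
    if len(block) != size:
        raise ValueError(f"{src}: short read at block {index} ({len(block)} bytes)")
    return block

def is_reference_block(block, expected=TOXIC_SHA256):
    """True if the block hashes to the expected SHA-256."""
    return hashlib.sha256(block).hexdigest() == expected

def find_pattern(path, pattern):
    """Return every byte offset in `path` where `pattern` occurs (any alignment)."""
    offsets = []
    if not pattern or Path(path).stat().st_size < len(pattern):
        return offsets  # also avoids mmap on an empty file
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        pos = mm.find(pattern)
        while pos != -1:
            offsets.append(pos)
            pos = mm.find(pattern, pos + 1)
    return offsets

def report(path, pattern):
    """Offsets paired with their position as a percentage of the file size."""
    size = Path(path).stat().st_size
    return [(off, round(100 * off / size, 1)) for off in find_pattern(path, pattern)]

if __name__ == "__main__":
    # Usage: script.py toxic.bin FILE [FILE ...]
    ref = Path(sys.argv[1]).read_bytes()
    if not is_reference_block(ref):
        sys.exit("reference block does not match the published SHA-256")
    for target in sys.argv[2:]:
        print(target, report(target, ref))
```

The percentage column makes it easy to compare a hit against the point where a transfer of that file stalls.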

Packet Capture Analysis

PCAP dumps show:

  • Transfer stops abruptly without FIN/RST packets
  • Last ACK packet is never answered
  • Frame contains the toxic byte pattern in the payload
  • No corresponding log events on the firewall

PCAP dump files:

Isolation Results

Problem occurs:

  • With and without VLAN configuration
  • Over IPsec tunnels
  • Over VLAN-to-VLAN on internal switch
  • Over direct Ethernet connections
  • With different clients
  • Over different protocols (SMB, HTTP, FTP)
  • At different times and loads
  • Across different pfSense versions (2.7.x)

Problem does NOT occur:

  • On other firewall manufacturers
  • With other files of similar size/structure
  • With nontoxic.bin (random bytes)

Conclusion: The issue is hardware-related and occurs specifically in the Marvell 6000 Switch when the LAN port of the SG-2100 is involved in the data path.

Root Cause Analysis

The bug indicates a hardware-level packet drop in the Marvell 6000 Switch when processing a specific byte pattern. The deterministic behavior (always at 49%, always the same byte pattern) suggests a hardware defect or firmware bug in the switch’s packet processing logic.

The issue is independent of:

  • VLAN configuration
  • Routing rules
  • Firewall rules
  • Protocol (SMB, HTTP, FTP)
  • Network topology

Impact

  • Critical file transfers may fail silently
  • No error messages or logs indicate the problem
  • Difficult to diagnose (requires binary analysis)
  • Affects any file containing the toxic byte pattern at the problematic offset

Workaround

Route critical transfers over alternative hardware or network paths that do not involve the SG-2100’s LAN port and integrated Marvell 6000 Switch.

Requested Action

  1. Investigate the Marvell 6000 Switch packet processing logic for this specific byte pattern
  2. Review driver handling (mvneta) for the affected interface
  3. Provide firmware fix or hardware replacement procedure
  4. Confirm if other SG-2100 units are affected

Related Issues

A similar issue was reported in the pfSense community four years ago without resolution:

Test Files

Contact

Stylite AG
CTO: Wim Bonis
Email: office@stylite.de


Note: This bug report is based on extensive testing over several days, including binary analysis, packet captures, and systematic isolation of variables. The issue is 100% reproducible with the provided test files.
