 From:  Michael Monaghan <mmonaghan at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Cc:  slester at gol dot com
 Subject:  Re: [m0n0wall] I want my CNN. Monowall doesn't let me!
 Date:  Thu, 11 Nov 2004 00:14:09 -0500
Stuart,

I don't know if you'll catch this answer so far after the post but
maybe it will serve someone else.

The situation you described is normal.  A 1414 MTU is a bit low, so I'd
venture to guess that your ISP is using several options of PPPoE and
consuming more overhead than normal, or there's a double tunnel here
(maybe PPTP on PPPoE), although the math doesn't support that.  Most of
our installations run MTU at 1472 for PPPoE or 1500 for most DSL/Cable
systems.

What's happening is that something is fragmenting the packets because the
far end is sending back full-sized packets that won't fit down your
pipe from the ISP.  The m0n0 by default doesn't accept fragmented
packets, so it is dropping them per design.  Something is not
respecting your MTU until it drops really low.  You might have
something funny like PPTP over PPPoE eating up the "real" MTU of your
connection.  It also might be misconfigured equipment along the path
from you to CNN.  A lot of routers use hacks to mask this situation.

This is usually due to a misconfiguration in equipment, or something
along the way is digesting and retransmitting your packets.  It is
usually easier to go with the flow and set the MTU accordingly.  You
can spend a lifetime looking for the source.  A proper MTU will result
in higher throughput, so it is the preferred course of action.
Fragments will result in higher overhead, since there will be more
bytes dedicated to the packet envelopes that could go to data.  If it
really bothers you, hire a consultant well versed in network protocols
who can look at the problem and prove where it is.

Mike

On Tue, 5 Oct 2004 00:12:02 +0900, Stuart Lester <slester at gol dot com> wrote:
> Hello,
> 
> This is my first post to this list, I am a mono-newbie, (a mewbie).
> 
> I just installed monowall 1.1 on a WRAP.
> 
> I have two PCs on the LAN using monowall to access the Internet via PPPoE
> over optical fibre with a modem.
> So far so good: websites work, PPTP works, FTP and mail are all fine, and
> then........... CNN.
> I try to access www.cnn.com and can't. The browser displays an error page.
> 
> I discover that if I either:
> 
> a)       Set MTU to 1414 in the WAN screen
> or
> b)       Set the Allow fragmented packets option on the firewall rule
> 
> It seems to work.
> 
> Which is the preferred method, (a) or (b), to fix the problem, and why does
> this happen only to CNN (it appears)?
> Does CNN have so much news that their packets are too big?
> It is not a client problem, as the PCs worked previously and it is reproducible.
> I have never seen this problem before.
> Any advice gratefully accepted
> 
> Thanks & Best Regards
> 
> stu
> 
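As an added example (not part of this thread and not m0n0wall code), here is a small Python model of the situation Mike describes: the far end sends full-size TCP segments into a path with a bottleneck hop smaller than 1500 bytes, an intermediate router fragments them, and a firewall that drops fragments by default discards the pieces. It then shows why both of Stuart's workarounds succeed: lowering the WAN MTU lowers the MSS the client advertises in its SYN, so the server never sends anything that needs fragmenting, while "allow fragmented packets" lets the fragments through to be reassembled. Header sizes are the standard IP/TCP ones; the 1414-byte bottleneck, the 4096-byte response and the server behaviour are constructed for the example.

```python
"""Toy model of path-MTU fragmentation vs. a fragment-dropping firewall.

Added example for the m0n0wall thread; not the project's code. The
bottleneck MTU (1414) and the download size are constructed inputs.
"""
from dataclasses import dataclass

IP_HDR = 20    # IPv4 header without options
TCP_HDR = 20   # TCP header without options


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS a host advertises in its SYN for a given interface MTU."""
    return mtu - IP_HDR - TCP_HDR


@dataclass
class Packet:
    total_len: int          # IP total length in bytes
    dont_fragment: bool     # DF bit set by the sender
    fragment: bool = False  # True if this is a piece of a fragmented datagram


def forward_onto_link(pkt: Packet, link_mtu: int):
    """A router forwarding one datagram onto a link of link_mtu.

    Returns (packets_sent, icmp_error). With DF set the router must drop the
    packet and signal 'Fragmentation Needed'; without DF it fragments, each
    fragment carrying its own IP header and a payload that is a multiple of
    8 bytes except for the last piece.
    """
    if pkt.total_len <= link_mtu:
        return [pkt], None
    if pkt.dont_fragment:
        return [], "ICMP Fragmentation Needed, next-hop MTU %d" % link_mtu
    payload = pkt.total_len - IP_HDR
    per_frag = (link_mtu - IP_HDR) // 8 * 8
    frags = []
    while payload > 0:
        chunk = min(per_frag, payload)
        frags.append(Packet(IP_HDR + chunk, pkt.dont_fragment, fragment=True))
        payload -= chunk
    return frags, None


def firewall(pkts, allow_fragments: bool):
    """Default policy modelled here: drop IP fragments unless the rule allows them."""
    return [p for p in pkts if allow_fragments or not p.fragment]


def simulate_download(client_mtu: int, allow_fragments: bool,
                      response_bytes: int = 4096, path_mtu: int = 1414,
                      server_sets_df: bool = False) -> dict:
    """Model a TCP download through a bottleneck hop in front of the client's
    firewall. Stops at the first lost segment, since TCP would just retransmit
    the same size again. Returns what was delivered and why it stopped."""
    mss = mss_for_mtu(client_mtu)      # carried to the server in the client's SYN
    delivered = dropped_fragments = 0
    icmp_seen = []
    remaining = response_bytes
    while remaining > 0:
        seg = min(mss, remaining)      # server never exceeds the advertised MSS
        pkt = Packet(IP_HDR + TCP_HDR + seg, dont_fragment=server_sets_df)
        on_wire, icmp = forward_onto_link(pkt, path_mtu)
        if icmp:
            icmp_seen.append(icmp)     # server would need PMTUD to recover
            break
        passed = firewall(on_wire, allow_fragments)
        if len(passed) != len(on_wire):
            dropped_fragments += len(on_wire) - len(passed)
            break                      # reassembly impossible, segment lost
        delivered += seg
        remaining -= seg
    return {"mss": mss, "delivered": delivered,
            "dropped_fragments": dropped_fragments, "icmp": icmp_seen}


if __name__ == "__main__":
    for label, kwargs in [
        ("WAN MTU 1500, fragments dropped", dict(client_mtu=1500, allow_fragments=False)),
        ("WAN MTU 1414 (option a)", dict(client_mtu=1414, allow_fragments=False)),
        ("WAN MTU 1500, allow fragments (option b)", dict(client_mtu=1500, allow_fragments=True)),
        ("WAN MTU 1500, server sets DF", dict(client_mtu=1500, allow_fragments=False,
                                              server_sets_df=True)),
    ]:
        print(label, simulate_download(**kwargs))
```

The MSS value is the key to option (a): the server learns the client's MTU only indirectly, through the MSS option in the SYN, so lowering the WAN MTU is what stops it sending 1500-byte packets in the first place, whereas option (b) keeps the oversized packets and pays for the extra fragment headers and the reassembly. To find the real path MTU on a live link rather than in a model, send pings with the DF bit set and a shrinking payload (on Linux iputils, `ping -M do -s <payload> host`; the IP datagram is the payload plus 28 bytes of IP and ICMP header) until they stop failing with "message too long".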