 From:  • • <googl3meister at gmail dot com>
 To:  taharka <res00vl8 at alltel dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] PPPoE - MTU Problem
 Date:  Fri, 24 Jun 2005 15:36:48 +1000
On 6/24/05, taharka <res00vl8 at alltel dot net> wrote:
> Marcelo Webber wrote:
> > Dear Friends,
> >
> > I'm using a WAN PPPoE connection, and have set the MTU to 1440.
> >
> > But in System Log I've found the following messages:
> >
> > Jun 21 18:17:14 mpd: [pppoe] setting interface ng0 MTU to 1492 bytes
> > Jun 21 18:24:21 mpd: [pppoe] up: 1 link, total bandwidth 64000 bps
> >
> > Has someone tested changing PPPoE and succeeded in getting a
> > different value?
> >
> Yep, a long time ago, I changed the ng0 MTU to 1500. Change it back to
> the original value real quick, as frequent disconnects from my ISP
> started occurring :-(
> > I've tried 1.2B3, 1.2B8 & 1.2B9, and got always the same message.
> >
> Any particular reason for changing that value other than just being curious?

Agreed - unless it's for research purposes, then it's not to his
advantage to change it from 1492 (which is correct for your PPPoE
connection).  Making it bigger will break some things since every
packet larger than 1492 bytes will be fragmented and since m0n0 blocks
fragments by default, you were cutting yourself off :) for those

Making it smaller will just make packets larger than the smaller value
again be fragmented - unless you tick the allow fragments box, then
again those packets will be blocked by default.

Ticking the allow fragments box should resolve the connection issues. 
However, it's really only a part of the solution, since the remote
side may have been sending you ICMP type 3 code 4 but m0n0 was
blocking these.

No doubt you have everything blocked on the external interface - I
wonder if m0n0 should consider the following:

"You can protect your network from attack by implementing three simple
network rules:

    * Allow ping—[I]CMP Echo-Request outbound and Echo-Reply messages inbound.
    * Allow traceroute—TTL-Exceeded and Port-Unreachable messages inbound.
    * Allow path MTU—ICMP Fragmentation-DF-Set messages inbound."
(gratuitously borrowed from

which follows on from a great quote from des on security at freebsd dot org
which can be found here at the top of the list:


where he says:
"Third - if you set up ipfw to unconditionally block ICMP (whether in
the mistaken belief that it will prevent route tracing or for some
other lameass reason), I will personally buy a very heavy baseball
bat, hop on a plane, and pay you a visit you'll remember for the rest
of your very short lives. Although some ICMP types are admittedly not
very useful, that doesn't mean none of them are, and you should at the
very least let types 3 and 11 through or you'll be very sorry. I
usually set up my filters to let 0, 3, 8 and 11 through and block
everything else."

A feature request perhaps? Or just a FAQ entry maybe.
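As an added illustration of the path MTU point made above (this is example code written for this page, not code from m0n0wall, mpd or anyone in the thread): a small Python module that builds and checks the ICMP Destination Unreachable / Fragmentation Needed message (type 3, code 4) that a remote router sends back when a DF-set packet exceeds the path MTU, derives the 1492-byte PPPoE MTU from the Ethernet MTU, and applies the "let 0, 3, 8 and 11 through, block everything else" policy from des's quote. The wire layout follows RFC 792 and RFC 1191; the function names, the allow-list constant and the sample packets are this example's own assumptions.

```python
"""Path MTU discovery and ICMP allow-list, as an added example (not m0n0wall/mpd code)."""
import struct

# Policy quoted in the message: let ICMP types 0 (echo reply), 3 (destination
# unreachable), 8 (echo request) and 11 (time exceeded) through, block the rest.
ALLOWED_ICMP_TYPES = {0, 3, 8, 11}

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8      # 6-byte PPPoE header + 2-byte PPP protocol field
IPV4_MIN_MTU = 68       # smallest MTU an IPv4 host must accept (RFC 791)


def pppoe_mtu(ethernet_mtu=ETHERNET_MTU):
    """IP MTU usable over PPPoE: the link MTU minus the PPPoE/PPP overhead (1492 on Ethernet)."""
    return ethernet_mtu - PPPOE_OVERHEAD


def icmp_checksum(data):
    """Internet checksum (RFC 1071) over the ICMP header and payload; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype, code, rest_of_header=b"\x00\x00\x00\x00", payload=b""):
    """Assemble an ICMP message: type, code, checksum, 4 header bytes that vary by type, payload."""
    body = struct.pack("!BBH", itype, code, 0) + rest_of_header + payload
    csum = icmp_checksum(body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


# Constructed stand-in for "the IP header plus first 8 bytes of the dropped datagram"
# that a router echoes back in a type 3 message (20-byte IPv4 header + 8 bytes).
SAMPLE_OFFENDING_DATAGRAM = b"\x45\x00" + b"\x00" * 26


def build_frag_needed(next_hop_mtu, offending=SAMPLE_OFFENDING_DATAGRAM):
    """Type 3 code 4 as a router sends it (RFC 1191): 2 unused bytes, then the next-hop MTU."""
    return build_icmp(3, 4, struct.pack("!HH", 0, next_hop_mtu), offending)


def parse_icmp(packet):
    """Return (type, code, next_hop_mtu or None) after verifying length and checksum."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP message")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", packet[:8])
    next_hop_mtu = mtu if (itype == 3 and code == 4) else None
    return itype, code, next_hop_mtu


def filter_decision(packet, allowed=ALLOWED_ICMP_TYPES):
    """'pass' if the ICMP type is on the allow list, otherwise 'block'."""
    itype, _code, _mtu = parse_icmp(packet)
    return "pass" if itype in allowed else "block"


def pmtu_update(current_pmtu, packet):
    """One path-MTU-discovery step: adopt a plausible, smaller next-hop MTU from a 3/4 message,
    otherwise keep the current estimate. A firewall that blocks type 3 never reaches this."""
    _itype, _code, mtu = parse_icmp(packet)
    if mtu is None or mtu < IPV4_MIN_MTU or mtu >= current_pmtu:
        return current_pmtu
    return mtu


if __name__ == "__main__":
    frag = build_frag_needed(pppoe_mtu())     # remote side tells us the path MTU is 1492
    print("PPPoE MTU:", pppoe_mtu())
    print("3/4 message:", parse_icmp(frag), "->", filter_decision(frag))
    print("PMTU after update:", pmtu_update(1500, frag))
    print("timestamp request (type 13):", filter_decision(build_icmp(13, 0)))
```

Note that the checksum is verified before the type is trusted, so a corrupted or truncated message is rejected rather than silently lowering the path MTU, and that `pmtu_update` ignores advertised MTUs below 68 bytes or above the current estimate.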