I have noticed some odd behaviour with ICMP and 1.2B9 that I don't fully understand. It seems that
the handling of fragmented ICMP packets (in particular I've been testing pings) is inconsistent.
If I ping the LAN address of the monowall (e.g. ping -l 1500) I get no response. If I ping the WAN
address I do get a response. With 1.2B3 I was able to ping the LAN address with whatever size ping
packet I tried.
From the LAN, if I ping a host on the Internet (that responds OK from other hosts) I sometimes get a
response, but more normally I get a drop in the monowall's log:
Sep 6 09:26:41 firewall-hv ipmon: 09:26:41.071622 fxp1 @200:1 b 220.127.116.11 -> 10.111.32.127 PR icmp len 20 (48) (frag 20834:28@1480) K-S K-F IN
I also see from previous posts that there has been an issue with large ping packets being dropped over
IPSEC VPNs. I tried creating a VPN between the monowall and a Checkpoint NG firewall which actually
works for normal traffic. However, whilst hosts behind the monowall were able to ping hosts behind
the Checkpoint with large pings, the reverse wasn't true.
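
Added example, not part of the original post: a short Python parser for the ipmon fragment entry quoted above, with a check of whether the logged fragment is the trailing piece of a fragmented ICMP echo. The function names are hypothetical. It assumes a 1500-byte Ethernet MTU, a 20-byte IP header, that `ping -l` sets the echo data size, and that ipmon prints fragments as header length, total length in parentheses, then `frag id:length@offset`.

```python
import re

# Log line quoted in the post above, joined onto one line.
LOG = ("Sep 6 09:26:41 firewall-hv ipmon: 09:26:41.071622 fxp1 @200:1 b "
       "220.127.116.11 -> 10.111.32.127 PR icmp len 20 (48) "
       "(frag 20834:28@1480) K-S K-F IN")

# Assumed layout: iface @group:rule action src -> dst PR proto
# len <ip header len> (<ip total len>) (frag <id>:<payload len>@<byte offset>)
FRAG_RE = re.compile(
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) "
    r"len (?P<hlen>\d+) \((?P<total>\d+)\) "
    r"\(frag (?P<id>\d+):(?P<flen>\d+)@(?P<off>\d+)\)")

def parse_frag(line):
    """Return the fragment fields of an ipmon line, or None if it has none."""
    m = FRAG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("group", "rule", "hlen", "total", "id", "flen", "off"):
        d[k] = int(d[k])
    return d

def icmp_echo_fragments(data_len, mtu=1500, ip_hlen=20):
    """(offset, length) of each IP fragment of an echo carrying data_len bytes."""
    payload = data_len + 8             # 8-byte ICMP echo header
    step = (mtu - ip_hlen) // 8 * 8    # fragment offsets are multiples of 8
    return [(off, min(step, payload - off)) for off in range(0, payload, step)]

def is_trailing_fragment_of(entry, data_len, mtu=1500):
    """True if the logged fragment is the last piece of such an echo."""
    frags = icmp_echo_fragments(data_len, mtu, entry["hlen"])
    return len(frags) > 1 and frags[-1] == (entry["off"], entry["flen"])

if __name__ == "__main__":
    e = parse_frag(LOG)
    print(e["action"], e["proto"], e["off"], e["flen"])
    print(icmp_echo_fragments(1500))
    print(is_trailing_fragment_of(e, 1500))
```

Under those assumptions the blocked entry has the size and offset of the second fragment of a 1500-byte echo: 1508 bytes of ICMP split into 1480 bytes at offset 0 and 28 bytes at offset 1480.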