 From:  "Mauricio Culibrk" <Mauricio dot Culibrk at infohit dot si>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Problems with packet fragmentation over pppoe
 Date:  Tue, 17 Jan 2006 15:10:43 +0100

I have a lot of problems with m0n0wall regarding packet fragmentation.
About 6 months ago I set up some lan-to-lan ipsec links via m0n0 boxes
at each location, then using version 1.2b<n>.
Almost all locations are connected to the internet via PPPOE links. At
first all seemed OK and working, but when I tried to "extend" the MS
AD domain over those ipsec links the errors popped out.
After some debugging I discovered the problem was m0n0 silently
dropping "oversized" packets. The packets are really not oversized but
are greater than the effective MTU on the pppoe link of 1492 bytes. I
searched the web, mailing lists etc. but found nothing special. I tried
with special firewall rules with "allow fragmented packet" etc.
with no success.
I went back to version 1.1, which was considered stable at the time, and
things started to work (with allow fragments firewall rules).

I impatiently waited for the new m0n0 version and finally installed it
but... again with the same problems. Somehow, I managed to partially fix
this problem (using firewall rules, reduced mtu etc.).
Right now, the traffic is flowing if it is initiated from the site
which has "normal" ethernet connectivity to the internet (mtu 1500
bytes). If initiating some ping with packets greater than 1500 bytes,
all is working as expected.
If I try to ping from the remote site, which has a pppoe connection and
an mtu of 1492 bytes, the packets are getting dropped silently...

Does anybody have any hint / idea / comment on this "fragmentation" 
problem with m0n0?
I'm not very familiar with *BSD platforms (I'm more a Linux fan...) 
but are there any specifics about packet fragmentation in *BSD 
kernels? Maybe some "default security feature" I'm not aware of?

Kind regards,
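
Added example, not part of the original message: the IPv4 fragmentation arithmetic (RFC 791) for the two MTUs named above, giving the fragment sizes and offsets to expect in a packet capture on each side of the tunnel. It assumes a 20-byte IPv4 header without options; the 1600-byte ping size is a constructed sample and the function names are hypothetical.

```python
"""IPv4 fragmentation arithmetic for a 1500-byte Ethernet and a 1492-byte PPPoE link."""

IP_HEADER = 20    # assumption: IPv4 header without options
ICMP_HEADER = 8   # ICMP echo request header


class FragmentationNeeded(Exception):
    """DF is set and the packet does not fit: a router drops it and
    returns ICMP type 3 code 4 carrying the next-hop MTU."""

    def __init__(self, next_hop_mtu):
        super().__init__(f"DF set, next-hop MTU {next_hop_mtu}")
        self.next_hop_mtu = next_hop_mtu


def fragment(ip_payload_len, mtu, df=False):
    """Return [(offset_in_8_byte_units, payload_len, more_fragments), ...]."""
    if IP_HEADER + ip_payload_len <= mtu:
        return [(0, ip_payload_len, False)]
    if df:
        raise FragmentationNeeded(mtu)
    # Every fragment except the last carries a multiple of 8 payload bytes.
    per_frag = (mtu - IP_HEADER) // 8 * 8
    frags, sent = [], 0
    while sent < ip_payload_len:
        size = min(per_frag, ip_payload_len - sent)
        frags.append((sent // 8, size, sent + size < ip_payload_len))
        sent += size
    return frags


def ping_fragments(icmp_data_len, mtu, df=False):
    """Fragments of an ICMP echo request with icmp_data_len data bytes."""
    return fragment(ICMP_HEADER + icmp_data_len, mtu, df)


if __name__ == "__main__":
    for mtu in (1500, 1492):          # Ethernet site, PPPoE site
        print(f"MTU {mtu}:")
        for off, size, mf in ping_fragments(1600, mtu):   # constructed sample
            print(f"  offset={off * 8:5d}  payload={size:5d}  MF={int(mf)}")
    try:
        fragment(1480, 1492, df=True)  # full 1500-byte packet with DF set
    except FragmentationNeeded as exc:
        print("ICMP 3/4 expected, next-hop MTU", exc.next_hop_mtu)
```

If a capture on the PPPoE side shows neither the second fragment nor the ICMP type 3 code 4 reply, the drop is happening in a filter or reassembly step rather than in normal fragmentation.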