I have a lot of problems with m0n0wall regarding packet fragmentation.
About 6 months ago I set up some lan-to-lan ipsec links via m0n0 boxes
at each location, then using version 1.2b<n>.
Almost all locations are connected to the internet via PPPOE links. At first all seemed OK and
working but when I tried to "extend" the MS
AD domain over those ipsec links the errors popped out.
After some debugging I discovered the problem was m0n0 silently
dropping "oversized" packets. The packets are really not oversized but
are greater than the effective MTU on the pppoe link of 1492 bytes. I searched the web, mailing
lists etc. but found nothing special. I tried with special firewall rules with "allow fragmented"
with no success.
I went back to version 1.1, which was considered stable at the time, and
things started to work (with "allow fragments" firewall rules).
I impatiently waited for the new m0n0 version and finally installed it
but... again with same problems. Somehow, I managed to partially fix
this problem (using firewall rules, reduced mtu etc).
Right now, the traffic is flowing if it is initiated from the site
which has "normal" ethernet connectivity to the internet (mtu 1500
bytes). If initiating some ping with packets greater than 1500 bytes
all is working as expected.
If I try to ping from the remote site, which has a pppoe connection and
an MTU of 1492 bytes, the packets are getting dropped silently...
Does anybody have any hint / idea / comment on this "fragmentation"
problem with m0n0?
I'm not very familiar with *BSD platforms (I'm more a Linux fan...)
but are there any specifics about packet fragmentation in *BSD
kernels? Maybe some "default security feature" I'm not aware of?
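A worked example of the size arithmetic behind the problem described above. This is added here and is not code from the original post or from m0n0wall; it assumes IPv4 without options, ESP tunnel mode with AES-CBC (16-byte IV and cipher block) and HMAC-SHA1-96 (12-byte ICV), and no NAT-T UDP encapsulation, none of which the post states. It shows why an inner packet that looks "normal" (1500 bytes, or anything over about 1420 bytes) grows past a 1492-byte PPPoE link MTU once encapsulated, and which inner packet size or TCP MSS clamp still fits.

```python
# Added example (not from the original post): size arithmetic for IPsec ESP
# tunnel mode over a PPPoE link, to see why "normal" looking packets exceed
# the link MTU and which inner packet sizes still fit.
#
# Assumptions (not stated on the page): IPv4 without options, ESP tunnel mode,
# AES-CBC (16-byte IV, 16-byte cipher block), HMAC-SHA1-96 (12-byte ICV),
# no NAT-T UDP encapsulation. Pass other keyword arguments for other suites.

IPV4_HDR = 20       # outer and inner IPv4 header, no options
ICMP_HDR = 8        # ICMP echo header
TCP_HDR = 20        # TCP header without options
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
PPPOE_OVERHEAD = 8  # PPPoE (6) + PPP (2): 1500 - 8 = 1492


def esp_tunnel_len(inner_len, iv_len=16, block=16, icv_len=12):
    """Outer IPv4 packet length after ESP tunnel-mode encapsulation of an
    inner IPv4 packet of inner_len bytes."""
    # Inner packet plus padding plus the 2-byte trailer must be a whole
    # number of cipher blocks (RFC 4303 section 2.4).
    pad = (-(inner_len + ESP_TRAILER)) % block
    return IPV4_HDR + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len


def max_inner_packet(link_mtu, **suite):
    """Largest inner IPv4 packet whose encapsulation fits link_mtu without
    fragmenting the outer packet. The encapsulated length never decreases
    as inner_len grows, so walking down from link_mtu the first fit is the max."""
    for n in range(link_mtu, 0, -1):
        if esp_tunnel_len(n, **suite) <= link_mtu:
            return n
    return 0


def tcp_mss_clamp(link_mtu, **suite):
    """MSS to advertise/clamp so a full TCP segment survives encapsulation."""
    return max_inner_packet(link_mtu, **suite) - IPV4_HDR - TCP_HDR


def icmp_echo_len(payload_len):
    """IPv4 length of a ping carrying payload_len data bytes (ping -s N)."""
    return IPV4_HDR + ICMP_HDR + payload_len


def classify(inner_len, link_mtu, **suite):
    """Report whether an inner packet fits the tunnel link once encapsulated."""
    outer = esp_tunnel_len(inner_len, **suite)
    return {
        "inner_len": inner_len,
        "outer_len": outer,
        "fits": outer <= link_mtu,
        "excess": max(0, outer - link_mtu),
    }


if __name__ == "__main__":
    ethernet, pppoe = 1500, 1500 - PPPOE_OVERHEAD
    for mtu in (ethernet, pppoe):
        print(f"link MTU {mtu}: max inner packet {max_inner_packet(mtu)}, "
              f"TCP MSS clamp {tcp_mss_clamp(mtu)}")
    # A 1472-byte ping payload already fills a 1500-byte IPv4 packet; after
    # ESP encapsulation it exceeds both a 1500 and a 1492 byte link.
    full = icmp_echo_len(1472)
    for mtu in (ethernet, pppoe):
        print(f"{full}-byte ping over MTU {mtu}: {classify(full, mtu)}")
```

With these assumed parameters a 1492-byte PPPoE link carries at most a 1422-byte inner packet (TCP MSS 1382) unfragmented, against 1438 bytes (MSS 1398) on a plain 1500-byte Ethernet uplink; a 1500-byte ping becomes a 1560-byte outer packet on either side. Real figures shift with the cipher suite, and NAT-T adds 8 more bytes of UDP header, so treat the numbers as illustrative and measure the path with a DF-set ping of varying size.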