[ previous ] [ next ] [ threads ]
 From:  "Martin Holst" <mail at martinh dot dk>
 To:  "'Falcor'" <falcor at netassassin dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: PPTP MTU problem!
 Date:  Thu, 22 Jan 2004 21:45:59 +0100
Hi again!

Yup, the PPTP is in the same range as LAN - its
PPTP from WAN -> LAN is no problem. Seems it compensates for the MTU here.

The problem is DEFINITELY MTU-related! (as the log shows)
I don't get why MTU on PPTP-interface is 1396 - is this not a mistake?

See the log where a "icmp unreach/needfrag" is returned for a 1400 bytes

12:17:10.297090 ed0 @-1:-1 p 80.196.xxx.xxx -> 129.142.xxx.xxx PR icmp len
20 56 icmp unreach/needfrag for 129.142.xxx.xxx,80 - 80.196.xxx.xxx,5264 PR
tcp len 20 1400 K-S K-F OUT 

12:17:10.296974 ng1 @0:23 p 129.142.xxx.xxx,80 -> 192.168.xxx.xxx,3484 PR
tcp len 20 1400 -A K-S K-F OUT


-----Original Message-----
From: Falcor [mailto:falcor at netassassin dot com] 
Sent: 22. januar 2004 14:12
To: Martin Holst
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: PPTP MTU problem!

Just to make sure:  Is your PPTP IP range (the range it issues PPTP 
clients) part of the same range you use for your LAN network(s)?

E.g. LAN =

Can your PPTP from the WAN access LAN computers/servers?
(sounds likt this probably isn't your problem, but just making sure.)

If this is an MTU issue.. then ewww, i dunno how to change it.  ;)   
 Can you test your PPTP from a digital connection to check?  

Martin Holst wrote:

>Probably a simple question, but I haven't been able to find anything in the
>PPTP-guide or on the lists.
>m0n0wall has two inside NICs: LAN for server/wired clients and DMZ for
>For security reasons access from DMZ to LAN is restricted to PPTP - this is
>working flawlessly.
>WAN access through the PPTP is a another issue however :o(
>The routing is fine - the problem is MTU related.
>WAN is routed Ethernet with MTU 1500 - but PPTP is PPP with MTU 1396.
>I have set m0n0wall to log anything coming through PPTP-interface, and I
>see that 1400byte-packets are coming in on the PPTP-interface from the web
>servers I try to access.
>m0n0wall sends an "icmp unreach/needfrag" back - to no avail.
>Does anyone know a way around this?
>...IPSec is probably better, but PPTP was SO easy to setup on win2003 ;o)