On 4/15/06, Raylund Lai <raylund dot lai at kankanwoo dot com> wrote:
> Here I got one of the logs which when the user at 220.127.116.11 tried to
> access my http service. The server that holds the http is at
> 192.168.0.21. I've opened port/nat/server-nat/outbound-nat all together
> that were working for about half a year.
> [X] 16:03:08.498773 WAN 18.104.22.168 192.168.0.21, type
> unreach/needfrag ICMP
That was blocked? ICMP return traffic from an existing state should
be permitted. That's an ICMP unreachable, fragmentation needed but DF
bit set message, it appears. i.e. your server tried to send a packet
larger than some MTU along the path to that client machine.
Try lowering your server's MTU to 1400 and see if the problem still
exists. Also make sure your m0n0wall's WAN MTU is set correctly for