Chris Buechler wrote:
> On 4/15/06, Raylund Lai <raylund dot lai at kankanwoo dot com> wrote:
>
>> Here I got one of the logs from when the user at 70.55.224.22 tried to
>> access my http service. The server that holds the http is at
>> 192.168.0.21. I've opened port/nat/server-nat/outbound-nat all together,
>> and they were working for about half a year.
>>
>> [X] 16:03:08.498773 WAN 70.55.224.22 192.168.0.21, type unreach/needfrag ICMP
>>
>
> That was blocked? ICMP return traffic from an existing state should
> be permitted. That's an ICMP unreachable, fragmentation needed but DF
> bit set message, it appears. i.e. your server tried to send a packet
> larger than some MTU along the path to that client machine.
>

I haven't particularly blocked anything. I found out this log entry is due to a user who was connected to another office over VPN and forgot to disconnect before browsing to my web service.

> Try lowering your server's MTU to 1400 and see if the problem still
> exists. Also make sure your m0n0wall's WAN MTU is set correctly for
> your connection.
>

This really gave me the clue. :) I lowered m0n0wall's MTU to 1400 and everything seemed to go back to normal. I hope this is the reason. Since the problem is intermittent, it may not show up for a whole day. But it's weird that I have no problem at all browsing/downloading from the internet behind m0n0wall. It only happened for users accessing my services from outside m0n0wall.

Thanks Chris. :)

Cheers
Raylund

> -Chris
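
An added example, not part of the original thread: a Python script that scans filter-log text for blocked ICMP "fragmentation needed" replies, the symptom discussed above, and reports which internal host is affected. The line format is assumed from the single entry quoted in the thread; the `[P]` marker, the function names and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed line shape, modelled on the one entry quoted in the thread:
#   [X] HH:MM:SS.usec IFACE SRC DST, type TYPE/CODE ICMP
LINE_RE = re.compile(
    r"^\[(?P<mark>.)\]\s+\d\d:\d\d:\d\d\.\d+\s+(?P<iface>\S+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+(?P<dst>\d+(?:\.\d+){3}),\s+"
    r"type\s+(?P<itype>\w+)/(?P<icode>\w+)\s+ICMP$"
)

# Constructed sample. Only the first line comes from the thread; the "[P]"
# (not blocked) marker is a placeholder invented for this example.
SAMPLE_LOG = """\
[X] 16:03:08.498773 WAN 70.55.224.22 192.168.0.21, type unreach/needfrag ICMP
[X] 16:03:11.502114 WAN 70.55.224.22 192.168.0.21, type unreach/needfrag ICMP
[X] 16:05:40.000321 WAN 203.0.113.9 192.168.0.21, type unreach/port ICMP
[P] 16:06:02.118400 WAN 198.51.100.7 192.168.0.21, type unreach/needfrag ICMP
not a filter log line
"""

def blocked_needfrag(log_text):
    """Count blocked 'fragmentation needed' ICMP per (internal dst, sender)."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not an ICMP filter-log entry in the assumed shape
        if m["mark"] == "X" and (m["itype"], m["icode"]) == ("unreach", "needfrag"):
            hits[m["dst"]][m["src"]] += 1
    return {dst: dict(srcs) for dst, srcs in hits.items()}

def ipv4_tcp_mss(mtu):
    """Largest TCP payload that fits in `mtu` with 20-byte IPv4 and TCP headers."""
    if mtu < 68:  # smallest datagram every IPv4 hop must forward (RFC 791)
        raise ValueError("MTU below IPv4 minimum")
    return mtu - 40

def report(log_text, trial_mtu=1400):
    """One line per affected path; 1400 is the trial MTU suggested in the thread."""
    lines = []
    for dst, srcs in sorted(blocked_needfrag(log_text).items()):
        for src, n in sorted(srcs.items()):
            lines.append(f"{dst}: {n} blocked needfrag from {src}; large replies "
                         f"may stall, try MTU {trial_mtu} (MSS {ipv4_tcp_mss(trial_mtu)})")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Repeated blocked entries for the same pair within a few seconds are consistent with the server retransmitting a full-size segment that never gets through.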