 From:  Reto Buerki <buerki at swiss dash it dot ch>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  TLS MTU problem?
 Date:  Fri, 27 Oct 2006 16:35:53 +0200
Hi List

We have a mailserver inside a DMZ. Some mail servers have problems using
our server over TLS. The following is happening on m0n0wall when such a
server tries to init a TLS connection to our postfix in the DMZ:

(sis1 is WAN)

Oct 27 16:14:20 172.24.0.1 ipmon[83]: 16:14:20.260574 sis1 @200:3 b
ROUTERIP -> OURSERVERIP PR icmp len 20 56 icmp unreach/needfrag for
OURSERVERIP,25 - 198.240.213.21,25 PR tcp len 20 1500 K-S IN
Oct 27 16:14:21 172.24.0.1 ipmon[83]: 16:14:20.479537 2x sis1 @200:3 b
ROUTERIP -> OURSERVERIP PR icmp len 20 56 icmp unreach/needfrag for
OURSERVERIP,25 - OTHERSERVERIP,25 PR tcp len 20 1500 K-S IN
Oct 27 16:14:22 172.24.0.1 ipmon[83]: 16:14:21.859346 sis1 @200:3 b
ROUTERIP -> OURSERVERIP PR icmp len 20 56 icmp unreach/needfrag for
OURSERVERIP,25 - OTHERSERVERIP,25 PR tcp len 20 1500 K-S IN
Oct 27 16:14:24 172.24.0.1 ipmon[83]: 16:14:23.700051 sis1 @200:3 b
ROUTERIP -> OURSERVERIP PR icmp len 20 56 icmp unreach/needfrag for
OURSERVERIP,25 - OTHERSERVERIP,25 PR tcp len 20 1500 K-S IN
Oct 27 16:14:27 172.24.0.1 ipmon[83]: 16:14:27.380479 sis1 @200:3 b
ROUTERIP -> OURSERVERIP PR icmp len 20 56 icmp unreach/needfrag for
OURSERVERIP,25 - OTHERSERVERIP,25 PR tcp len 20 1500 K-S IN
Oct 27 16:14:35 m0n0 ipmon[83]: 16:14:34.861370 sis1 @200:3 b ROUTERIP
-> OURSERVERIP PR icmp len 20 56 icmp unreach/needfrag for
OURSERVERIP,25 - OTHERSERVERIP,25 PR tcp len 20 1500 K-S IN
Oct 27 16:14:50 m0n0 ipmon[83]: 16:14:49.584092 sis1 @200:3 b ROUTERIP
-> OURSERVERIP PR icmp len 20 56 icmp unreach/needfrag for
OURSERVERIP,25 - OTHERSERVERIP,25 PR tcp len 20 1500 K-S IN
Oct 27 16:15:19 m0n0 ipmon[83]: 16:15:19.030605 sis1 @200:3 b ROUTERIP
-> OURSERVERIP PR icmp len 20 56 icmp unreach/needfrag for
OURSERVERIP,25 - OTHERSERVERIP,25 PR tcp len 20 1500 K-S IN

The setup is like this:

inet --- [ROUTER] --- [m0n0] ---- [OURSERVER] (in DMZ, OPT1)

The strange thing is that only a few servers have problems. Could someone
translate the above for me? It seems like there is some problem with the
MTU. I tried to add a firewall rule to allow this kind of traffic to
pass m0n0, but it does not work. The strange thing is that the [ROUTER]
should not know anything about [OURSERVERIP] since it's NATed at m0n0.
In the logs it looks like ROUTER tries to inform OURSERVER (with
correct DMZ IP OURSERVERIP) to fragment its packets.

Any help is much appreciated!

-thanks
reto
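As an added illustration (not part of Reto's post or of m0n0wall), a small Python script that parses ipmon entries of the shape quoted above and counts blocked "needfrag" ICMP notices per embedded TCP flow, which is the log signature of a path-MTU-discovery black hole. The sample log is constructed from the post's entries re-joined onto single lines, with one constructed "p" (passed) entry added for contrast.

```python
import re
from collections import Counter

# Constructed sample: the ipmon entries quoted in the post, each re-joined
# onto a single line, plus one constructed "p" (passed) entry for contrast.
SAMPLE_LOG = """\
Oct 27 16:14:20 172.24.0.1 ipmon[83]: 16:14:20.260574 sis1 @200:3 b ROUTERIP -> OURSERVERIP PR icmp len 20 56 icmp unreach/needfrag for OURSERVERIP,25 - 198.240.213.21,25 PR tcp len 20 1500 K-S IN
Oct 27 16:14:21 172.24.0.1 ipmon[83]: 16:14:20.479537 2x sis1 @200:3 b ROUTERIP -> OURSERVERIP PR icmp len 20 56 icmp unreach/needfrag for OURSERVERIP,25 - OTHERSERVERIP,25 PR tcp len 20 1500 K-S IN
Oct 27 16:14:22 172.24.0.1 ipmon[83]: 16:14:21.859346 sis1 @200:3 b ROUTERIP -> OURSERVERIP PR icmp len 20 56 icmp unreach/needfrag for OURSERVERIP,25 - OTHERSERVERIP,25 PR tcp len 20 1500 K-S IN
Oct 27 16:14:24 172.24.0.1 ipmon[83]: 16:14:23.700051 sis1 @200:3 p ROUTERIP -> OURSERVERIP PR icmp len 20 56 icmp unreach/needfrag for OURSERVERIP,25 - OTHERSERVERIP,25 PR tcp len 20 1500 K-S IN
"""

# ipmon layout: <time> [<n>x] <iface> @<group>:<rule> <b|p> <src> -> <dst> PR icmp ...
# "unreach/needfrag for A,pa - B,pb PR tcp len <hdr> <total>" describes the
# TCP packet (A:pa -> B:pb, <total> bytes) that a router could not forward.
NEEDFRAG_RE = re.compile(
    r"ipmon\[\d+\]: \S+ (?:(?P<repeat>\d+)x )?(?P<iface>\S+) @(?P<rule>\d+:\d+) "
    r"(?P<action>[bp]) (?P<src>\S+) -> (?P<dst>\S+) PR icmp len \d+ \d+ "
    r"icmp unreach/needfrag for (?P<in_src>\S+),(?P<in_sport>\d+) - "
    r"(?P<in_dst>\S+),(?P<in_dport>\d+) PR tcp len \d+ (?P<in_len>\d+)"
)


def parse_needfrag(line):
    """Return the fields of one ipmon needfrag entry, or None for any other line."""
    m = NEEDFRAG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["repeat"] = int(rec["repeat"] or 1)  # "2x" = ipmon folded 2 identical entries
    rec["in_len"] = int(rec["in_len"])
    return rec


def blocked_pmtud_flows(log_text):
    """Count blocked needfrag notices per embedded TCP flow.

    Each count is a "fragmentation needed" message the firewall dropped instead
    of delivering to the sender of the oversized segment, so that sender never
    learns the smaller path MTU and keeps retransmitting the same <in_len>-byte
    segment: the classic PMTUD black hole. Passed ("p") entries are not counted.
    """
    flows = Counter()
    for line in log_text.splitlines():
        rec = parse_needfrag(line)
        if rec and rec["action"] == "b":
            key = (rec["in_src"], rec["in_sport"], rec["in_dst"], rec["in_dport"], rec["in_len"])
            flows[key] += rec["repeat"]
    return flows
```

A flow that keeps appearing here with the same segment size is one whose sender is stuck retransmitting; the fix is on the firewall rule set, not on the mail server.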