 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Charrua <charrua at kernel dot net dot uy>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Ping to LAN interface don't work
 Date:  Fri, 20 Apr 2007 15:18:49 +0200
On 20.04.07 22:02 -0300, Charrua wrote:

> The question is this: if I ping the LAN IP
> from a PC connected to the LAN with packets of 1500 bytes, why
> doesn't the router respond?
> If the ping size is <=1472, the router responds.

With most Windows/Unix ping utilities, the size that you specify on
the command line only refers to the ICMP data field size, not the
entire IP packet (the IP+ICMP headers add an additional 28 bytes).
Therefore, if you do e.g. a "ping -s 1500", it would actually send an
IP packet of 1528 bytes, which means that it'll have to be
fragmented. This also explains why it worked for you with 1472 bytes,
since 1472 + 28 = 1500.

m0n0wall does not accept fragmented packets by default, as they're
usually not needed and may pose a security risk. You can allow
fragments by editing the corresponding firewall rule and checking the
box next to "Allow fragmented packets". Note that this won't work for
pings destined to m0n0wall itself, unless you also disable the
anti-lockout rule on the "Advanced setup" page.

- Manuel
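A worked example of the size arithmetic in Manuel's answer, added here and not part of the original thread. It assumes a 1500-byte Ethernet MTU and a plain 20-byte IPv4 header, and also shows how the oversized ping is split into fragments, only the first of which carries the ICMP header (the reason a firewall cannot match the later fragments against an ICMP rule).

```python
"""Why 'ping -s 1500' fragments while 'ping -s 1472' does not (added example)."""
from typing import List, Tuple

IP_HEADER = 20       # IPv4 header without options
ICMP_HEADER = 8      # ICMP echo header: type, code, checksum, id, seq
ETHERNET_MTU = 1500  # assumed link MTU


def ip_packet_size(ping_data_size: int) -> int:
    """Total IPv4 packet length for the data size given to ping."""
    return ping_data_size + IP_HEADER + ICMP_HEADER


def max_unfragmented_ping_size(mtu: int = ETHERNET_MTU) -> int:
    """Largest ping data size that still fits in a single MTU-sized packet."""
    return mtu - IP_HEADER - ICMP_HEADER


def fragments(ping_data_size: int, mtu: int = ETHERNET_MTU) -> List[Tuple[int, int, bool]]:
    """Split the packet as an IPv4 sender would.

    Returns one (offset in bytes, payload bytes, more-fragments flag) tuple per
    fragment. The IP payload is ICMP header + data; each fragment gets its own
    20-byte IP header, and all but the last fragment's payload is a multiple of
    8 bytes because the IP fragment offset field counts 8-byte units.
    """
    payload = ping_data_size + ICMP_HEADER
    if payload + IP_HEADER <= mtu:
        return [(0, payload, False)]  # fits in one packet, no fragmentation
    per_fragment = (mtu - IP_HEADER) // 8 * 8
    result = []
    offset = 0
    while offset < payload:
        size = min(per_fragment, payload - offset)
        result.append((offset, size, offset + size < payload))
        offset += size
    return result


def carries_icmp_header(fragment: Tuple[int, int, bool]) -> bool:
    """Only the fragment at offset 0 contains the ICMP header a firewall can inspect."""
    return fragment[0] == 0


if __name__ == "__main__":
    for size in (1472, 1500):
        print(size, ip_packet_size(size), fragments(size))
```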