On 20.04.07 22:02 -0300, Charrua wrote:
> The question is the following: if I ping the LAN IP (192.168.1.1)
> from a PC connected to the LAN with packets of 1500 bytes, the
> router doesn't respond?
> If the ping size is <=1472 the router responds.
With most Windows/Unix ping utilities, the size that you specify on
the command line only refers to the ICMP data field size, not the
entire IP packet (the IP+ICMP headers add an additional 28 bytes).
Therefore, if you do e.g. a "ping -s 1500", it would actually send an
IP packet of 1528 bytes, which means that it'll have to be
fragmented. This also explains why it worked for you with 1472 bytes,
since 1472 + 28 = 1500.

m0n0wall does not accept fragmented packets by default, as they're
usually not needed and may pose a security risk. You can allow
fragments by editing the corresponding firewall rule and checking the
box next to "Allow fragmented packets". Note that this won't work for
pings destined to m0n0wall itself, unless you also disable the
anti-lockout rule on the "Advanced setup" page.
- Manuel
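The size arithmetic from the reply above, worked through as an added example (not code from the thread or from m0n0wall): it maps a ping data size onto the resulting IPv4 packet size and shows how the IP layer splits it at a 1500-byte Ethernet MTU, which is why 1472 passes a fragment-dropping firewall and 1500 does not. The 20-byte IPv4 header (no options), 8-byte ICMP echo header and 1500-byte MTU are assumptions; the function names are hypothetical.

```python
# Added example: ping data size vs. IPv4 packet size and fragmentation.
# Assumes an IPv4 header without options (20 bytes), an ICMP echo header
# (8 bytes) and an Ethernet MTU of 1500 bytes, as in the thread.
IP_HEADER = 20
ICMP_HEADER = 8
MTU = 1500


def ip_packet_size(payload):
    """Total IPv4 packet size for a ping carrying `payload` bytes of ICMP data."""
    return IP_HEADER + ICMP_HEADER + payload


def max_unfragmented_payload(mtu=MTU):
    """Largest ping data size that still fits in a single packet at this MTU."""
    return mtu - IP_HEADER - ICMP_HEADER


def fragments(payload, mtu=MTU):
    """Describe how the IP layer splits the packet on a link with this MTU.

    Returns a list of (offset_bytes, data_len, more_fragments) tuples. Every
    fragment carries its own 20-byte IP header, and non-final fragments must
    hold a multiple of 8 data bytes because the offset field counts 8-byte units.
    """
    total_data = ICMP_HEADER + payload          # everything after the IP header
    if IP_HEADER + total_data <= mtu:
        return [(0, total_data, False)]         # fits in one packet, no MF flag
    per_frag = (mtu - IP_HEADER) // 8 * 8       # 1480 bytes of data at MTU 1500
    frags, offset = [], 0
    while offset < total_data:
        data_len = min(per_frag, total_data - offset)
        more = offset + data_len < total_data   # MF bit set on all but the last
        frags.append((offset, data_len, more))
        offset += data_len
    return frags


def passes_fragment_dropping_firewall(payload, mtu=MTU):
    """A rule that drops fragments (m0n0wall's default per the thread) only
    lets through pings that need a single, unfragmented packet."""
    return len(fragments(payload, mtu)) == 1


if __name__ == "__main__":
    for size in (1472, 1500):
        print(size, ip_packet_size(size), fragments(size),
              passes_fragment_dropping_firewall(size))
```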