 From:  Søren Vanggaard Jensen <svanggaard at hotmail dot com>
 To:  "'Jurgen van Vliet'" <jurgenvv at xs4all dot nl>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] MTU fragmentation problem
 Date:  Thu, 30 Aug 2007 06:31:18 +0200
There's no VLANs defined - nor any pptp tunnels running. This is a simple
setup with a standard wireless access point (bridging) attached to the LAN
interface and a number of wireless clients.

The MTU on the LAN side is 1440 and the WAN MTU is 1500. 

When a client tries to get e.g. a webpage the request is sent to the
webserver. The server replies with IP packages with length 1500.

From the firewall log, it seems that monowall generates an ICMP
unreach/needfrag message and tries to send it back to the webserver -
however it blocks its own message!!!

I've had several similar problems in other monowall networks - especially
with Windows Vista. Lowering the MTU on all interfaces has done the trick
with version 1.22 and version 1.231.

If I lower the MTU on the client everything works as a charm. This is
however not an option since I have several hundred clients altogether.

Best regards

-----Original Message-----
From: Jurgen van Vliet [mailto:jurgenvv at xs4all dot nl] 
Sent: 29 August 2007 10:21
To: 'Søren Vanggaard Jensen'
Subject: RE: [m0n0wall] MTU fragmentation problem

Tried it with a smaller MTU on the WAN ? perhaps a pptp or vlan adds a few
bytes to the package on the way ?



-----Original Message-----
From: Søren Vanggaard Jensen [mailto:svanggaard at hotmail dot com]
Sent: Wednesday 29 August 2007 10:09
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] MTU fragmentation problem

I have a lot of problems regarding MTU and fragmentation in my Monowall
setup. I'm currently running version 1.3b4.
WAN MTU is default 1500
I see the following in my firewall log:
Time             Interface  Source    Destination                          Proto
09:54:48.343646  WAN        MYWANIP   SOME WEBSITE, type unreach/needfrag  ICMP
I've tried to explicitly allow ICMP on the WAN interface - which does not
make a difference.
Also every rule (LAN/WAN) allows fragmented packages. Any idea what's going
The result is, that some webpages (such as google) are viewable, while
others (such as bbc.com) never show up.
Do you have any suggestions?
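
Added example, not part of the original thread: the ICMP unreach/needfrag message seen in the firewall log, built and parsed in Python following RFC 1191, to show what the web server has to receive for Path MTU Discovery to work. The addresses, ports and IP id are constructed sample values; 1440 and 1500 are the LAN MTU and packet length given in the thread.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_needfrag(next_hop_mtu: int, orig_ip_and_8: bytes) -> bytes:
    """ICMP type 3 code 4: unused(16) + next-hop MTU(16) + original IP header + 8 bytes."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + orig_ip_and_8
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_needfrag(icmp: bytes) -> dict:
    """Extract the fields the original sender needs to lower its path MTU."""
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        raise ValueError("not a fragmentation-needed message")
    if inet_checksum(icmp) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]  # header of the packet that was too big
    ihl = (inner[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", inner[2:4])
    flags_frag, = struct.unpack("!H", inner[6:8])
    return {
        "next_hop_mtu": mtu,
        "orig_len": total_len,
        "df_set": bool(flags_frag & 0x4000),
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "tcp_mss": mtu - ihl - 20,  # assumes a 20-byte TCP header (no options)
    }

# Constructed sample: a 1500-byte DF packet from a web server to a LAN client
# (documentation addresses); it does not fit the 1440-byte LAN MTU.
ORIG = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 57, 6, 0,
                   socket.inet_aton("203.0.113.10"), socket.inet_aton("192.0.2.50"))
ORIG += struct.pack("!HHI", 80, 49152, 1)  # first 8 bytes of the TCP header
SAMPLE = build_needfrag(1440, ORIG)

if __name__ == "__main__":
    print(parse_needfrag(SAMPLE))
```

If this message is dropped before it reaches the server, the server keeps sending 1500-byte packets with DF set and larger pages stall while small ones load.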