Well, here's an interesting side effect. I can no longer access the m0n0wall through the LAN address through the tunnel.
At home, I'm at 10.53.64.110
The m0n0wall at work is at 192.168.1.1

Before changing the MTU to 1400 on my client machine, I could simply go to 192.168.1.1 in my browser, and the tunnel would connect automatically, but Remote Desktop and SQL didn't work.

Now that I've changed the MTU, I can't get to 192.168.1.1, but Remote Desktop and SQL both work.

Is this just the nature of the beast?

On 10/10/05, Jason Landry <[EMAIL PROTECTED]> wrote:
> No, I'm just doing site-to-site with IPSec between a m0n0wall and
> pfsense. I made no configuration changes at all on client machines
> until the 1400 MTU suggestion. That did the trick.
>
> On 10/10/05, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> > Running PPPoE as the client on Wan?
> >
> > On 10/10/05, Jason Landry <[EMAIL PROTECTED]> wrote:
> > > I tried setting the MTU on the WAN interface in pfsense to 1400 but
> > > that didn't work.
> > >
> > > I set the MTU on my desktop machine to 1400...and everything works now
> > > - sql & remote desktop.
> > >
> > > Thanks for the help!
> > >
> > > Jason
> > >
> > > On 10/10/05, Chris Buechler <[EMAIL PROTECTED]> wrote:
> > > > Fleming, John (ZeroChaos) wrote:
> > > >
> > > > >I'm guessing we might need to do some mss fixup for ipsec tunnels.
> > > >
> > > > and you'd be right. I'm not sure where it breaks down, but PMTUD is
> > > > b0rk over IPsec tunnels. Has always been an issue in m0n0wall. I've
> > > > looked at it some, but wasn't able to determine anything affirmatively
> > > > other than "it's broken". The MSS clamping in IPF in m0n0wall doesn't
> > > > differentiate between internet traffic and VPN traffic, and hence
> > > > doesn't take into account the overhead of IPsec and doesn't solve the
> > > > problem.
> > > >
> > > > The typical "solution" is to drop the MTU on LAN hosts until it works,
> > > > people usually set it at 1400 (as a number that works, should be able to
> > > > squeeze more than that). Depending on the characteristics of your
> > > > network traffic, this can have a measurable negative impact on network
> > > > performance, especially on the LAN with large data transfers.
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
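
The overhead arithmetic behind the 1400 figure discussed in this thread, as an added example that is not part of any message above and is not m0n0wall or pfSense code. It assumes IPv4 ESP in tunnel mode with a CBC cipher and a 96-bit HMAC; the two cipher profiles and the 1500/1492 link MTUs are assumptions, since the thread does not state which were in use.

```python
# Added example: ESP tunnel-mode overhead arithmetic (IPv4). Cipher and link
# parameters are assumptions; the thread does not state them.
from dataclasses import dataclass

OUTER_IP = 20      # outer IPv4 header, no options
ESP_HEADER = 8     # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
NATT_UDP = 8       # UDP encapsulation header when NAT-T is in use
INNER_IP_TCP = 40  # inner IPv4 + TCP headers, no options


@dataclass(frozen=True)
class EspProfile:
    name: str
    block: int  # cipher block size; ciphertext is padded to a multiple of it
    iv: int     # IV bytes carried in every packet
    icv: int    # truncated integrity check value


TRIPLE_DES_SHA1 = EspProfile("3DES-CBC/HMAC-SHA1-96", 8, 8, 12)
AES_CBC_SHA1 = EspProfile("AES-CBC/HMAC-SHA1-96", 16, 16, 12)


def max_inner_packet(path_mtu, p, natt=False):
    """Largest inner IP packet whose ESP packet still fits in path_mtu."""
    room = path_mtu - OUTER_IP - ESP_HEADER - p.iv - p.icv
    if natt:
        room -= NATT_UDP
    ciphertext = (room // p.block) * p.block  # round down to whole blocks
    return ciphertext - ESP_TRAILER


def esp_packet_size(inner_len, p, natt=False):
    """On-the-wire size of the ESP packet carrying one inner packet."""
    padded = -(-(inner_len + ESP_TRAILER) // p.block) * p.block  # round up
    return OUTER_IP + (NATT_UDP if natt else 0) + ESP_HEADER + p.iv + padded + p.icv


def tunnel_mss(path_mtu, p, natt=False):
    """TCP MSS a clamp would have to enforce for traffic entering the tunnel."""
    return max_inner_packet(path_mtu, p, natt) - INNER_IP_TCP


if __name__ == "__main__":
    for mtu in (1500, 1492):  # Ethernet WAN, PPPoE WAN
        for p in (TRIPLE_DES_SHA1, AES_CBC_SHA1):
            print(mtu, p.name, max_inner_packet(mtu, p), tunnel_mss(mtu, p))
    # A full-size 1500-byte LAN packet once encapsulated:
    print(esp_packet_size(1500, TRIPLE_DES_SHA1))
```

Under these assumptions a host MTU of 1400 fits in every listed case, and a clamp computed from the WAN MTU alone (MSS 1460 for 1500) still lets through segments that exceed the path MTU once ESP is added.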
