I access SQL, RDP and many other items through my ipsec tunnel and I never change the MTU on the client. That's a bad idea. The solution is to find out why the packets are getting frag'd. Active directory traffic does not work across my IPSEC tunnel but RDP and friends surely do. I would say there is something else causing the fragmentation. Another router before the pfSense machines?
Scott

On 10/10/05, Jason Landry <[EMAIL PROTECTED]> wrote:
> Well, here's an interesting side effect.
>
> I can no longer access the m0n0wall through the LAN address through the
> tunnel.
>
> At home, I'm at 10.53.64.110
> The m0n0wall at work is at 192.168.1.1
>
> Before changing the MTU to 1400 on my client machine, I could simply
> go to 192.168.1.1 in my browser, and the tunnel would connect
> automatically, but Remote Desktop and SQL didn't work.
>
> Now that I've changed the MTU, I can't get to 192.168.1.1, but Remote
> Desktop and SQL both work.
>
> Is this just the nature of the beast?
>
> On 10/10/05, Jason Landry <[EMAIL PROTECTED]> wrote:
> > No, I'm just doing site-to-site with IPSec between a m0n0wall and
> > pfsense. I made no configuration changes at all on client machines
> > until the 1400 MTU suggestion. That did the trick.
> >
> > On 10/10/05, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> > > Running PPPoE as the client on Wan?
> > >
> > > On 10/10/05, Jason Landry <[EMAIL PROTECTED]> wrote:
> > > > I tried setting the MTU on the WAN interface in pfsense to 1400 but
> > > > that didn't work.
> > > >
> > > > I set the MTU on my desktop machine to 1400...and everything works now
> > > > - sql & remote desktop.
> > > >
> > > > Thanks for the help!
> > > >
> > > > Jason
> > > >
> > > > On 10/10/05, Chris Buechler <[EMAIL PROTECTED]> wrote:
> > > > > Fleming, John (ZeroChaos) wrote:
> > > > >
> > > > > > I'm guessing we might need to do some mss fixup for ipsec tunnels.
> > > > >
> > > > > and you'd be right. I'm not sure where it breaks down, but PMTUD is
> > > > > b0rk over IPsec tunnels. Has always been an issue in m0n0wall. I've
> > > > > looked at it some, but wasn't able to determine anything affirmatively
> > > > > other than "it's broken". The MSS clamping in IPF in m0n0wall doesn't
> > > > > differentiate between internet traffic and VPN traffic, and hence
> > > > > doesn't take into account the overhead of IPsec and doesn't solve the
> > > > > problem.
> > > > >
> > > > > The typical "solution" is to drop the MTU on LAN hosts until it works,
> > > > > people usually set it at 1400 (as a number that works, should be able
> > > > > to squeeze more than that). Depending on the characteristics of your
> > > > > network traffic, this can have a measurable negative impact on network
> > > > > performance, especially on the LAN with large data transfers.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
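The IPsec overhead that Chris says the MSS clamp ignores, worked through as an added example that is not part of the thread: it computes the on-the-wire size of a full TCP segment after ESP tunnel-mode encapsulation and the largest MSS that still fits a 1500-byte path without fragmentation. It assumes AES-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte ICV) and no IP or TCP options; the thread does not say which transform is in use, so the defaults are parameters.

```python
import math

# Fixed header sizes in bytes: IPv4 and TCP without options.
OUTER_IP = 20
INNER_IP = 20
TCP_HDR = 20
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
UDP_HDR = 8        # only present with NAT-T (UDP encapsulation of ESP)


def esp_packet_size(mss, block=16, iv_len=16, icv_len=12, nat_t=False):
    """Bytes on the wire for one full-size TCP segment carried in an ESP
    tunnel-mode packet. Defaults are an assumption (AES-CBC + HMAC-SHA1-96);
    pass block=8, iv_len=8 for 3DES-CBC."""
    plaintext = INNER_IP + TCP_HDR + mss + ESP_TRAILER
    padded = math.ceil(plaintext / block) * block   # ESP pads to the cipher block
    size = OUTER_IP + ESP_HDR + iv_len + padded + icv_len
    if nat_t:
        size += UDP_HDR
    return size


def max_mss(path_mtu=1500, block=16, iv_len=16, icv_len=12, nat_t=False):
    """Largest TCP MSS whose ESP-encapsulated packet still fits path_mtu,
    i.e. the value an IPsec-aware MSS clamp would need to enforce."""
    fixed = OUTER_IP + ESP_HDR + iv_len + icv_len + (UDP_HDR if nat_t else 0)
    room = (path_mtu - fixed) // block * block     # padded plaintext must fit
    return room - INNER_IP - TCP_HDR - ESP_TRAILER


def fits(mss, path_mtu=1500, **kw):
    """True when the segment crosses the tunnel without IP fragmentation."""
    return esp_packet_size(mss, **kw) <= path_mtu


if __name__ == "__main__":
    # MSS 1460 is what a plain 1500-byte clamp with no IPsec awareness yields.
    print("MSS 1460 ->", esp_packet_size(1460), "bytes, fits:", fits(1460))
    # MSS 1360 is what a LAN host with its MTU lowered to 1400 advertises.
    print("MSS 1360 ->", esp_packet_size(1360), "bytes, fits:", fits(1360))
    print("largest MSS for a 1500-byte path:", max_mss())
    print("... with NAT-T UDP encapsulation:", max_mss(nat_t=True))
```

With these assumptions a 1400-byte host MTU (MSS 1360) leaves about 40 bytes of headroom, which is the "should be able to squeeze more than that" in the quoted reply.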
