Some sites don't load, using PPPoE
-
Hello everyone
I'm very new to pfsense (or any BSD), but I'm trying to set it up to be a firewall to a small network.I got most of it working, but some sites won't load. I've had a similar problem in another platform years ago, and I remember the MTU was wrong, but I've double checked that and it seems correct.
My setup:
-
pfsense 2.0.2-RELEASE
-
ALIX board - alix2d13
-
DSL line attached to a modem in bridge mode
-
Using PPPoE on pfsense, MTU of 1500 on vr0 (wan port), 1492 on pppoe1
What works:
-
SSH to outside world
-
I can "dig" everything
-
most sites (google.com, pcengines.ch, twitter.com)
What doesn't:
- some sites (yahoo.com, microsoft.com, flattr.com). The browser keeps loading on a blank page for a long time
What I've already done:
-
Disable hardware checksum offload
-
restart interfaces, pppoe, pfsense, modem…
-
After setting MTU to 1500, ping works with packets up to 1464 bytes, so the MTU should be 1492. After setting MTU to 1492, situation persists
-
Packet analysis with Wireshark. On working sites, I get a small HTTP response. On sites that don't work, there's TCP fragments of 1506 bytes, but wireshark doesn't identify any packet as being HTTP
Here's my ifconfig (vr1 is LAN):
vr0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=8280b <rxcsum,txcsum,vlan_mtu,wol_ucast,wol_magic,linkstate>ether [CENSORED MAC 0] inet6 fe80::20d:b9ff:fe2a:b5f0%vr0 prefixlen 64 scopeid 0x1 nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>) status: active vr1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=82808 <vlan_mtu,wol_ucast,wol_magic,linkstate>ether [CENSORED MAC 1] inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 inet6 fe80::20d:b9ff:fe2a:b5f1%vr1 prefixlen 64 scopeid 0x2 nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>) status: active vr2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=82808 <vlan_mtu,wol_ucast,wol_magic,linkstate>ether [CENSORED MAC 2] inet6 fe80::20d:b9ff:fe2a:b5f2%vr2 prefixlen 64 scopeid 0x3 nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (none) status: no carrier ath0: flags=8802 <broadcast,simplex,multicast>metric 0 mtu 2290 ether [CENSORED MAC 3] media: IEEE 802.11 Wireless Ethernet autoselect (autoselect) status: no carrier lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384 options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 nd6 options=43 <performnud,accept_rtadv>pfsync0: flags=0<> metric 0 mtu 1460 syncpeer: 224.0.0.240 maxupd: 128 syncok: 1 enc0: flags=0<> metric 0 mtu 1536 pflog0: flags=100 <promisc>metric 0 mtu 33200 pppoe1: flags=88d1 <up,pointopoint,running,noarp,simplex,multicast>metric 0 mtu 1492 inet6 fe80::20d:b9ff:fe2a:b5f0%pppoe1 prefixlen 64 scopeid 0x9 inet 85.246.162.252 --> 194.65.169.248 netmask 0xffffffff nd6 options=43 <performnud,accept_rtadv></performnud,accept_rtadv></up,pointopoint,running,noarp,simplex,multicast></promisc></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></broadcast,simplex,multicast></performnud,accept_rtadv></vlan_mtu,wol_ucast,wol_magic,linkstate></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></vlan_mtu,wol_ucast,wol_magic,linkstate></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,wol_ucast,wol_magic,linkstate></up,broadcast,running,simplex,multicast>I'm a bit lost as to what I can do to debug this :-\ any help is welcome
-
-
-
@slu:
DNS work?
Actually, PPPoE was returning 127.0.0.1 as the DNS server, but I went ahead and added them manually, and everything seems correct on the DNS level. As I mentioned, I can "dig" all hosts, including the sites that don't work
-
Almost certainly because you need a lower value for MSS clamping.
-
@cmb:
Almost certainly because you need a lower value for MSS clamping.
Yes! Setting Interfaces->WAN->MSS to 1492 (or lower) solves this.
Now I can finally move on to more important configuration… Thank you so much! ;D