Some sites don't load, using PPPoE



  • Hello everyone
    I'm very new to pfsense (or any BSD), but I'm trying to set it up to be a firewall to a small network.

    I got most of it working, but some sites won't load. I've had a similar problem in another platform years ago, and I remember the MTU was wrong, but I've double checked that and it seems correct.

    My setup:

    • pfsense 2.0.2-RELEASE

    • ALIX board - alix2d13

    • DSL line attached to a modem in bridge mode

    • Using PPPoE on pfsense, MTU of 1500 on vr0 (wan port), 1492 on pppoe1

    What works:

    What doesn't:

    What I've already done:

    • Disable hardware checksum offload

    • restart interfaces, pppoe, pfsense, modem…

    • After setting MTU to 1500, ping works with packets up to 1464 bytes, so the MTU should be 1492. After setting MTU to 1492, situation persists

    • Packet analysis with Wireshark. On working sites, I get a small HTTP response. On sites that don't work, there are TCP fragments of 1506 bytes, but Wireshark doesn't identify any packet as being HTTP

      Here's my ifconfig (vr1 is LAN):

      vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
      	options=8280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
      	ether [CENSORED MAC 0]
      	inet6 fe80::20d:b9ff:fe2a:b5f0%vr0 prefixlen 64 scopeid 0x1
      	nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
      	media: Ethernet autoselect (100baseTX <full-duplex>)
      	status: active
      vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
      	options=82808<VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
      	ether [CENSORED MAC 1]
      	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
      	inet6 fe80::20d:b9ff:fe2a:b5f1%vr1 prefixlen 64 scopeid 0x2
      	nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
      	media: Ethernet autoselect (100baseTX <full-duplex>)
      	status: active
      vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
      	options=82808<VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
      	ether [CENSORED MAC 2]
      	inet6 fe80::20d:b9ff:fe2a:b5f2%vr2 prefixlen 64 scopeid 0x3
      	nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
      	media: Ethernet autoselect (none)
      	status: no carrier
      ath0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 2290
      	ether [CENSORED MAC 3]
      	media: IEEE 802.11 Wireless Ethernet autoselect (autoselect)
      	status: no carrier
      lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
      	options=3<RXCSUM,TXCSUM>
      	inet 127.0.0.1 netmask 0xff000000
      	inet6 ::1 prefixlen 128
      	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
      	nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
      pfsync0: flags=0<> metric 0 mtu 1460
      	syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
      enc0: flags=0<> metric 0 mtu 1536
      pflog0: flags=100<PROMISC> metric 0 mtu 33200
      pppoe1: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
      	inet6 fe80::20d:b9ff:fe2a:b5f0%pppoe1 prefixlen 64 scopeid 0x9
      	inet 85.246.162.252 --> 194.65.169.248 netmask 0xffffffff
      	nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
      

      I'm a bit lost as to what I can do to debug this  :-\ any help is welcome





  • @slu:

    DNS work?

    Actually, PPPoE was returning 127.0.0.1 as the DNS server, but I went ahead and added them manually, and everything seems correct on the DNS level. As I mentioned, I can "dig" all hosts, including the sites that don't work



  • Almost certainly because you need a lower value for MSS clamping.



  • @cmb:

    Almost certainly because you need a lower value for MSS clamping.

    Yes! Setting Interfaces->WAN->MSS to 1492 (or lower) solves this.
    Now I can finally move on to more important configuration… Thank you so much!  ;D
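The arithmetic behind the thread, as an added example (not code from the thread or from pfSense): the poster found that ping payloads up to 1464 bytes pass, which is 1492 minus the 20-byte IPv4 and 8-byte ICMP headers, and the 1506-byte frames in the capture are 1492-byte IP packets plus a 14-byte Ethernet header. The script turns those relationships into small functions, reproduces the thread's numbers offline, and can optionally run the same Don't-Fragment ping probe as a binary search. It assumes FreeBSD/pfSense ping(8) flags (-D sets DF, -s is the payload size, -c the count, -W the reply timeout in milliseconds) and that the pfSense Interfaces -> WAN -> MSS field takes an MTU-sized value and subtracts the 40 bytes of TCP/IP headers itself, which is why 1492 in that field is the right entry for a 1492-byte PPPoE MTU. `example.org` and the `PROBE_HOST` variable are placeholders for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense. Derives the PPPoE path
# MTU and matching MSS clamp from a DF ping test and optionally probes a host.
# Assumes FreeBSD/pfSense ping(8): -D sets Don't Fragment, -s is the ICMP
# payload size, -c the count, -W the reply timeout in milliseconds.

IP_HDR=20      # IPv4 header without options
ICMP_HDR=8     # ICMP echo header
TCP_HDR=20     # TCP header without options
ETH_HDR=14     # Ethernet header, as Wireshark counts frame length
PPPOE_HDR=8    # PPPoE (6) + PPP (2): why 1500 on vr0 becomes 1492 on pppoe1

# Largest "ping -s" payload that fits one unfragmented packet at a given MTU.
max_ping_payload() { echo $(( $1 - IP_HDR - ICMP_HDR )); }

# MTU implied by the largest payload that still passes with DF set.
mtu_from_payload() { echo $(( $1 + IP_HDR + ICMP_HDR )); }

# TCP MSS that fits that MTU. The pfSense MSS field takes the MTU-sized number
# (1492 in the thread) and subtracts these 40 bytes itself.
mss_for_mtu() { echo $(( $1 - IP_HDR - TCP_HDR )); }

# IP packet length behind an Ethernet frame length seen in a capture.
ip_len_from_frame() { echo $(( $1 - ETH_HDR )); }

# PPPoE interface MTU for a given Ethernet MTU on the parent interface.
pppoe_mtu() { echo $(( $1 - PPPOE_HDR )); }

# Does one DF-marked ping sized for MTU $2 reach host $1 unfragmented?
ping_fits() { ping -D -c 1 -W 1000 -s "$(max_ping_payload "$2")" "$1" >/dev/null 2>&1; }

# Binary-search the largest MTU in [LOW, HIGH] that passes with DF set.
# Prints the MTU; returns 1 if even LOW fails (then the problem is not MTU).
probe_mtu() {
  host=$1; lo=${2:-1280}; hi=${3:-1500}
  ping_fits "$host" "$lo" || return 1
  while [ $(( hi - lo )) -gt 1 ]; do
    mid=$(( (lo + hi) / 2 ))
    if ping_fits "$host" "$mid"; then lo=$mid; else hi=$mid; fi
  done
  ping_fits "$host" "$hi" && lo=$hi
  echo "$lo"
}

# Reproduce the thread's numbers offline: a 1464-byte payload passed, so the
# MTU is 1492 and the TCP MSS that fits it is 1452.
report() {
  payload=$1
  mtu=$(mtu_from_payload "$payload")
  printf 'largest DF payload %s -> MTU %s -> TCP MSS %s\n' "$payload" "$mtu" "$(mss_for_mtu "$mtu")"
}
report 1464

# Live probe only when a host is supplied, e.g. PROBE_HOST=example.org sh mtu.sh
if [ -n "${PROBE_HOST:-}" ]; then
  if mtu=$(probe_mtu "$PROBE_HOST"); then
    echo "path MTU to $PROBE_HOST: $mtu (WAN MSS field $mtu, clamp becomes $(mss_for_mtu "$mtu"))"
  else
    echo "even a 1280-byte packet fails with DF set: look beyond MTU/MSS"
  fi
fi
```

Run it from the pfSense shell (SSH console or Diagnostics > Command Prompt) so the probe leaves through pppoe1. A path that filters ICMP "fragmentation needed" messages makes the probe report a smaller MTU than the link really has, which is the same condition that breaks path MTU discovery for the LAN hosts and is the reason MSS clamping fixes "some sites don't load" when the MTU itself is already correct.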

