MTU issue with PPPoE Server
I have an issue with PPPoE Server.
We have a bunch of external IP-Addresses. So we want to give some host fixed IPs via PPPoE.
DMZ 1–---------------------------------------------- pfsense -----------------------------------------[www] 188.8.131.52
184.108.40.206/30 [external Address] |
10.16.10.1/24 [internal Address] |
–-- DMZ 2 220.127.116.11/30
PPPoE works... Ping works also
But big packets (MTU >1452) wont go thought.
The same to the second DMZ
poes10: flags=88d1 <up,pointopoint,running,noarp,simplex,multicast>metric 0 mtu 1480 inet6 fe80::20c:29ff:fec9:bdcf%poes10 prefixlen 64 scopeid 0x19 inet 10.16.10.254 --> 18.104.22.168 netmask 0xffffffff nd6 options=21 <performnud,auto_linklocal>poes11: flags=8890 <pointopoint,noarp,simplex,multicast>metric 0 mtu 1500</pointopoint,noarp,simplex,multicast></performnud,auto_linklocal></up,pointopoint,running,noarp,simplex,multicast>
I have tried to set different MTUs on this host (down till 1200)…. and also different hosts.
Without PPPoE big Packets went to DMZ.
Packet Capture :
Test1 via PPPoE on Interface DMZ 2
20:26:31.294850 IP 22.214.171.124 > 126.96.36.199: ICMP echo request, id 1, seq 255, length 40 20:26:31.295371 IP 188.8.131.52 > 184.108.40.206: ICMP echo reply, id 1, seq 255, length 40
Test2 via PPPoE on Interface DMZ 2
20:29:18.308484 IP 220.127.116.11 > 18.104.22.168: ICMP echo request, id 1, seq 263, length 2008 20:29:21.336250 IP 22.214.171.124 > 126.96.36.199: ICMP echo request, id 1, seq 266, length 2008
Test2 without PPPoE on Interface DMZ 2
20:37:58.065317 IP 10.16.10.1 > 188.8.131.52: ICMP echo request, id 1, seq 287, length 1480 20:37:58.065322 IP 10.16.10.1 > 184.108.40.206: ip-proto-1 20:37:58.066207 IP 220.127.116.11 > 10.16.10.1: ICMP echo reply, id 1, seq 287, length 1480 20:37:58.066243 IP 18.104.22.168 > 10.16.10.1: ip-proto-1
With these tests I had a MTU on 22.214.171.124 of 1480…
The same captures are on the external interface to 126.96.36.199
Unfortunately I can't capture the PPPoE-Server interface because it is not selectable.
I have read https://forum.pfsense.org/index.php?topic=82939.0 but it seems not be the same issue…
Does any one need more information? I am the only one, who have this issue?
If you're testing MTU using ping, you need to set the 'don't fragment' bit and make sure that pfSense is not set to override invalid DF bits (System -> Advanced, Firewall / NAT tab, 'Clear invalid DF bits instead of dropping the packets' should be unchecked).
If you're using the pfSense shell prompt, the correct syntax is ping -D -s <payload size=""><destination>. You specify the payload size - there is 28 bytes of overhead on top. For example, if you find the maximum payload size that works over a link is 1472, this means the MTU is 1500.
If your big packets had a payload size of 1452, this would correspond to the MTU of 1480 configured on the PPPoE interface. Meanwhile, the mention of ip-proto-1 in the packet capture of the supposedly functional big packet scenario without PPPoE may well indicate fragmentation was in use.
I have to ask - why use PPPoE for DMZ IPs? It seems to be the most complex and highest overhead option. I would either use routed IP or 1:1 NAT.</destination></payload>
many thanks for your reply….
to answer your question:
we have several costumer connected to us via microwave. Our DC is for this costumer the internet breakout.
I am the owner of the external ip-addresses. I am responsible for the communication, to and from the internet (in German called "Störerhaftung"). To guarantee that a specific costumer use a specific IP in this range , I need PPPoE, or I must use for each costumer his own VLAN with an overhead of unused addresses (Broadcast, Net-IP).
I will try your suggestion...