
PPPoE Interface - NOT to use MTU 1492?

BWC Cybersecurity Overlord ✭✭✭

Hi,

While doing some research I came across the omnipresent burden of setting the correct MTU per interface type, in my case for a PPPoE connection.

The general advice is to set the MTU for Interface X1 (or any other) to 1492 when used as a PPPoE client. But this is IMHO technically not correct; it should be left at 1500. When set to 1492, the PMTU Discovery from within the appliance and via a device behind the firewall results in a PMTU of 1484 (1492-8).

This might work well up to the point when starting with VPN, because the Option "Fragment non-VPN outbound packets larger than this Interface's MTU" does not take the MTU of the PPPoE Connection into account, it seems to use the MTU of the Ethernet Interface which is different from the resulting PPPoE Connection.

Is anyone running PPPoE with 1500 having any results? What about a router in front of the SonicWall which handles all of the PPPoE? In that case I could set 1492 on X1 without any trouble because the PPPoE 8 Bytes Overhead will be on the Router not the SonicWall, because it would be a simple DHCP/static IP setup.

This is just me digging around while having some MTU trouble from time to time and the majority is probably just fine with 1492.

--Michael@BWC

Category: Mid Range Firewalls

Comments

  • Are you using GV?

    Did you check your MTU?

    ping www.google.com -f -l 1492

  • BWC Cybersecurity Overlord ✭✭✭

    @DavidDellacenta maximum for the ping test is 1484 when X1 is set to 1492. I did not do any further research on that topic to examine some of the VPN related traffic.

    --Michael@BWC

  • Are you having problems with Global VPN?

  • BWC Cybersecurity Overlord ✭✭✭

    @DavidDellacenta all production units are still at 1492 and no problems (not using GVC though). I'm only wrapping my head around this weird implementation and will do VPN related research at a later point in time. This is strictly a discussion about the topic and no specific issue.

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭

    Changing the Interface MTU to 1500 bumps the PMTU to 1492 as expected, but this might be in conflict with VPN, need to play a bit further with it.

    IMHO the implementation is a bit wobbly, because MTU and PMTU should not differ, but for PPPoE on SNWL it's the case.

    --Michael@BWC

  • Mike45 Newbie ✭

    Old article I know and sorry for reviving it.

    I'm currently looking into MTU size as a possible reason behind intermittent RDS client disconnects over a S2S VPN using the default settings as seen in the GUI Wizard. Not so frequent that they are tearing their hair out, but often enough that they've had to mention it.

    We replaced Drayteks at both sites with Sonicwalls (TZ370 and TX270). The MTU settings on the Drayteks were noted and replicated on the Sonicwalls' X1 interfaces. Since the replacement, the client has reported these intermittent disconnections taking place for some (but not all) users throughout the day.

    I read Set MTU in VPN environment in case of throughput issues | SonicWall which leads me to believe our MTU on both X1 are way off from what they should be.

    At the main site, MTU is currently 1500 as X1 is on a static IP connected via Ethernet to a CISCO router from BT providing a leased line.

    At the secondary site, MTU is 1492 as, well, that's what it was on the Draytek. It's a VDSL connection via an Openreach modem using PPPoE.

    Across the S2S VPN we see fragmentation occur above 1402 (1430 when we add +28)

    From main site out to google, fragmentation occurs at 1472 (1500 when we add +28)

    From secondary site out to google fragmentation occurs at 1456 (1484 when we add +28)

    Going by the Sonicwall article, X1 at the secondary site should have an MTU of 1427 (1484 minus the 57 bytes required for a 3DES SHA1 ESP connection). Does this sound correct?

    MTU may not be the root cause and we've had no other complaints from either site, other than these odd disconnects occurring on the RDS.

    I have tested changing the MTU on X1 on a TZ400 box I have at home and the change is instant (fragmentation can be seen immediately, or cured immediately) and no reboot required (I'm running it double-NATted with Ethernet too). The WAN internet connection doesn't miss a beat.

    Does changing the MTU on a PPPoE interface drop the connection or require a reboot of any kind?

    I'm remote from the site so hesitant to start changing things that could drop them.

    Also, we WILL be using GVC for dial-in clients shortly so interested in how MTU affects this.

    Cheers

    Mike
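The `ping -f -l <size>` probing suggested earlier in the thread and the "+28" / "minus 57 bytes" arithmetic in the post above can both be checked with a small calculator. The following is an added example, not code from SonicWall or from anyone in this thread. Header sizes are the standard protocol constants; `sonicwall_pppoe_pmtu()` only models the behaviour reported here (PMTU = X1 MTU - 8) and is not a documented rule; `simulated_path()` is a constructed stand-in for a real don't-fragment probe; and the tunnel figures assume 3DES-SHA1 ESP in tunnel mode without NAT-T, which nothing in the thread confirms.

```python
"""MTU / PMTU arithmetic for a PPPoE WAN with an IPsec tunnel on top.

Added example; not SonicWall code. Header sizes are the standard protocol
constants. sonicwall_pppoe_pmtu() models the behaviour reported in this
thread (PMTU = X1 MTU - 8), not anything documented by the vendor, and
simulated_path() is a constructed stand-in for `ping -f -l <payload>`.
"""
from dataclasses import dataclass
from typing import Callable, Optional

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8        # PPPoE header (6) + PPP protocol ID (2)
IPV4_HEADER = 20
ICMP_HEADER = 8
PING_OVERHEAD = IPV4_HEADER + ICMP_HEADER   # the "+28" used in the thread
ESP_HEADER = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2           # pad length (1) + next header (1)
NAT_T_UDP = 8             # extra UDP header when ESP rides on UDP/4500


@dataclass(frozen=True)
class EspProfile:
    """Tunnel-mode ESP parameters for a CBC cipher with an HMAC ICV."""
    name: str
    iv_len: int    # IV bytes carried after the ESP header
    block: int     # cipher block size; (payload + trailer) is padded to it
    icv_len: int   # truncated HMAC length (96 bits for SHA1/MD5)


ESP_3DES_SHA1 = EspProfile("3DES-SHA1", iv_len=8, block=8, icv_len=12)
ESP_AES_SHA1 = EspProfile("AES-CBC-SHA1", iv_len=16, block=16, icv_len=12)


def link_mtu(pppoe: bool) -> int:
    """Largest IP packet the WAN link carries: 1500, or 1492 once PPPoE takes its 8 bytes."""
    return ETHERNET_MTU - (PPPOE_OVERHEAD if pppoe else 0)


def sonicwall_pppoe_pmtu(x1_mtu: int) -> int:
    """PMTU as reported in the thread: PPPoE overhead is taken off whatever X1 is set to
    (assumption drawn from the posted 1492 -> 1484 and 1500 -> 1492 observations)."""
    return x1_mtu - PPPOE_OVERHEAD


def max_ping_payload(pmtu: int) -> int:
    """Largest `ping -f -l <n>` payload that fits: subtract the 20-byte IP and 8-byte ICMP headers."""
    return pmtu - PING_OVERHEAD


def esp_padding(inner_len: int, prof: EspProfile) -> int:
    """Pad bytes so (inner packet + pad + 2-byte trailer) is a multiple of the cipher block size."""
    return (-(inner_len + ESP_TRAILER)) % prof.block


def esp_outer_len(inner_len: int, prof: EspProfile, nat_t: bool = False) -> int:
    """Exact on-the-wire size of an inner IP packet after tunnel-mode ESP encapsulation."""
    return (IPV4_HEADER + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + prof.iv_len
            + inner_len + esp_padding(inner_len, prof) + ESP_TRAILER + prof.icv_len)


def esp_max_overhead(prof: EspProfile, nat_t: bool = False) -> int:
    """Worst-case (maximum padding) overhead; this is the rule-of-thumb figure, 57 for 3DES-SHA1."""
    return (IPV4_HEADER + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + prof.iv_len
            + (prof.block - 1) + ESP_TRAILER + prof.icv_len)


def max_inner_len(path_mtu: int, prof: EspProfile, nat_t: bool = False) -> int:
    """Largest inner packet whose ESP form still fits path_mtu, padding-aware rather than worst-case."""
    n = path_mtu
    while esp_outer_len(n, prof, nat_t) > path_mtu:
        n -= 1
    return n


def simulated_path(mtu: int, vpn: Optional[EspProfile] = None,
                   nat_t: bool = False) -> Callable[[int], bool]:
    """Constructed stand-in for a DF probe: True if a packet of this size clears the link unfragmented."""
    def probe(size: int) -> bool:
        wire = esp_outer_len(size, vpn, nat_t) if vpn else size
        return wire <= mtu
    return probe


def find_pmtu(probe: Callable[[int], bool], lo: int = 576, hi: int = ETHERNET_MTU) -> int:
    """Binary search for the largest DF packet that passes, i.e. what repeated `ping -f -l` does by hand."""
    if not probe(lo):
        raise ValueError(f"even a {lo}-byte packet is dropped; the path is broken, not just small")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    # The two sites from the thread: static Ethernet at 1500, PPPoE with X1 set to 1492.
    for site, x1_mtu, pppoe in (("main", 1500, False), ("secondary", 1492, True)):
        pmtu = sonicwall_pppoe_pmtu(x1_mtu) if pppoe else x1_mtu
        print(f"{site}: X1={x1_mtu} PMTU={pmtu} largest ping -l payload {max_ping_payload(pmtu)}")
    bottleneck = sonicwall_pppoe_pmtu(1492)
    print(f"S2S 3DES-SHA1 through a {bottleneck}-byte path: padding-aware inner max "
          f"{max_inner_len(bottleneck, ESP_3DES_SHA1)}, rule of thumb "
          f"{bottleneck - esp_max_overhead(ESP_3DES_SHA1)}")
```

Two points fall out of running it. First, the padding-aware calculation for a 1484-byte bottleneck with 3DES-SHA1 and no NAT-T gives an inner maximum of 1430 bytes, which agrees with the 1402-byte ping payload (1430 with the 28-byte headers) at which the post reports fragmentation across the S2S tunnel; the "subtract 57" rule of thumb gives 1427 because it assumes maximum padding, so it is safe but three bytes conservative. Second, `find_pmtu()` shows why a single `ping -f -l 1492` is not a useful test on any of these links: 1492 + 28 exceeds even a clean 1500-byte path, so the probe fails everywhere and tells you nothing; the search has to bracket the real limit.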
