# PPPoE + NAT + ping -f -l 1465 timeout



## -Rozi- (Oct 26, 2018)

Hi,

I have installed a NAT router on a FreeBSD 11.2. My ISP is using PPPoE with 1492 MTU/MRU. On the router box the `ping -D -s 1464 www.google.com` works, and the `...-s 1465...` returns "Message too long" as expected.

However, on the Windows back-end machines, `ping -4 www.google.com -f -l 1464` works, the sizes from `...-l 1465...` to `...-l 1472...` *time out*, and `...-l 1473...` finally reports "Packet needs to be fragmented but DF set.".

I know this issue can be solved simply with `iptables -t mangle -o "$PPP_IFACE" --insert FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu` on Linux. However, I am looking for a FreeBSD alternative.

I have played with `scrub in all no-df max-mss 1440` in PF and `enable mssfixup` in ppp to no avail.

I hope I have just been asking the search engines the wrong question and there is a simple trick to fix it.

/etc/rc.conf

```
#!/bin/sh

hostname="nuc"
keymap="si.kbd"

# If the NIC is not brought up, the VLANs on it will not work either
# (em0 itself carries no address; it only hosts the tagged VLANs below).
ifconfig_em0="up"

#
# LAN (VLAN 1 on em0)
#
vlans_em0="${vlans_em0} lan0"
create_args_lan0="vlan 1"
ifconfig_lan0="inet 10.1.0.1 netmask 255.255.0.0"
ifconfig_lan0_ipv6="inet6 2001:0db8:f00:ba01::1 prefixlen 64"

#
# WAN (VLAN 2 on em0)
# NOTE(review): despite the name this is an inside network (10.2.0.0/16) with
# its own DHCP/RA below; the real upstream is the PPPoE session that ppp(8)
# brings up over wan0 and exposes as tun0.
#
vlans_em0="${vlans_em0} wan0"
create_args_wan0="vlan 2"
ifconfig_wan0="inet 10.2.0.1 netmask 255.255.0.0"
ifconfig_wan0_ipv6="inet6 2001:0db8:f00:ba02::1 prefixlen 64"

#
# WiFi (VLAN 3 on em0)
#
vlans_em0="${vlans_em0} wifi0"
create_args_wifi0="vlan 3"
ifconfig_wifi0="inet 10.3.0.1 netmask 255.255.0.0"
ifconfig_wifi0_ipv6="inet6 2001:0db8:f00:ba03::1 prefixlen 64"

#
# PPPoE
#
# ppp(8) in dedicated-dial mode using the "telekom" profile from
# /etc/ppp/ppp.conf. NOTE(review): ppp_nat="YES" enables ppp's own in-process
# NAT while /etc/ppp/pf.d/telekom.conf also does "nat on tun0"; two
# translators in series are not needed and make the fragmentation/MTU
# behaviour harder to reason about — worth retesting with one of them off.
#
#cloned_interfaces="${cloned_interfaces} tun0"
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="telekom"
ppp_telekom_unit="0" # Use tun0

# Enable the firewall (ruleset in /etc/pf.conf; the PPP link loads its own
# rules into the ppp/* anchors from /etc/ppp/pf.d/telekom.conf)
pf_enable="YES"
pflog_enable="YES"
# ftp-proxy(8) pairs with the "rdr ... port ftp -> 127.0.0.1 port 8021" rule in pf.conf
ftpproxy_enable="YES"

# Allow packet forwarding (this host routes between the VLANs and tun0)
gateway_enable="YES"
ipv6_gateway_enable="YES"

# Configure DHCPv4 and router advertisements on the inside VLANs only
dhcpd_enable="YES"
dhcpd_ifaces="lan0 wan0 wifi0"
rtadvd_enable="YES"
rtadvd_interfaces="lan0 wan0 wifi0"

# Jails
jail_enable="YES"

# Enable the mouse on the console
moused_enable="YES"
moused_flags="-m 2=3"

# Clock synchronization
ntpd_enable="YES"

# Power saving
powerd_enable="YES"

# SMTP and SMTP relay
sendmail_enable="YES"
sendmail_submit_enable="YES"
sendmail_outbound_enable="YES"
sendmail_msp_queue_enable="YES"

# SSH (which networks may reach it is decided in /etc/pf.conf)
sshd_enable="YES"

# System log: -s refuses log messages from remote hosts, -b localhost binds
# the listening socket to loopback only
syslogd_enable="YES"
syslogd_flags="-s -b localhost"
```

/etc/ppp/ppp.conf

```
# Settings shared by every profile.
default:
    # Verbose logging of every negotiation phase (LCP, IPCP, IPV6CP, CCP);
    # useful while debugging the MTU problem, noisy for day-to-day use.
    set log Phase Chat LCP IPCP IPV6CP CCP tun command
    #set log Phase IPCP IPV6CP tun command
    # Placeholder addresses; the real ones are negotiated with the peer (IPCP).
    set ifaddr 10.0.0.1/0 10.0.0.2/0

# ISP profile: PPPoE over the wan0 VLAN.
telekom:
    set device PPPoE:wan0
    # Credentials are redacted here; this file should be readable by root only.
    set authname xxxxxx
    set authkey yyyyyy
    set dial
    set login
    # PPPoE payload limit: 1500 minus the 8 bytes of PPPoE + PPP header.
    set mtu 1492
    set mru 1492
    # No idle timeout — keep the link up permanently (matches ppp_mode="ddial").
    set timeout 0
    # Rewrite the MSS in TCP SYNs so TCP segments fit the 1492-byte MTU. This
    # only helps TCP; ICMP/UDP still rely on Path MTU Discovery end to end.
    # Overlaps with "max-mss 1440" in the pf scrub rule.
    enable mssfixup
    # Default routes via the peer's negotiated IPv4 and IPv6 addresses.
    add default HISADDR
    add default HISADDR6
```

/etc/ppp/ppp.linkup

```
# Runs when the link gets its IPv6 address: enable IPv6 on the PPP interface,
# then start the RA solicitor and the DHCPv6 client on it. INTERFACE (tun0 here)
# and LABEL (the profile name) are substituted by ppp(8).
# -R /usr/bin/true presumably neutralises rtsold's resolvconf hook — confirm.
MYADDR6:
    ! /sbin/ifconfig INTERFACE inet6 -ifdisabled -no_radr accept_rtadv
    ! /usr/sbin/rtsold -p /var/run/rtsold-INTERFACE.pid -R /usr/bin/true INTERFACE
    ! /usr/local/sbin/dhcp6c -p /var/run/dhcp6c-INTERFACE.pid INTERFACE

# Load the per-link pf ruleset into the ppp/<interface> anchor, if the file
# for this profile exists (/etc/ppp/pf.d/telekom.conf).
telekom:
    ! sh -c "[ -f /etc/ppp/pf.d/LABEL.conf ] && /sbin/pfctl -a ppp/INTERFACE -f /etc/ppp/pf.d/LABEL.conf"
```

/etc/ppp/ppp.linkdown

```
# Runs when the IPv6 side goes down: signal dhcp6c (SIGUSR1, presumably to
# release the lease — confirm against dhcp6c(8)) and stop rtsold.
# NOTE(review): the PID is read from the pidfile and handed to kill unchecked;
# a stale or corrupted pidfile could signal an unrelated process — worth
# checking it is numeric and still belongs to dhcp6c/rtsold before killing.
MYADDR6:
    ! sh -c "[ -f /var/run/dhcp6c-INTERFACE.pid ] && kill -USR1 `cat /var/run/dhcp6c-INTERFACE.pid`"
    ! sh -c "[ -f /var/run/rtsold-INTERFACE.pid ] && kill -TERM `cat /var/run/rtsold-INTERFACE.pid`"

# Flush everything ppp.linkup loaded into the ppp/<interface> anchor.
telekom:
    ! /sbin/pfctl -a ppp/INTERFACE -F all
```

/etc/pf.conf

```
#
# Macros
#
# All three inside VLANs; "wan0" is an inside network too (10.2.0.0/16). The
# upstream link (tun0) is handled in /etc/ppp/pf.d/telekom.conf via the anchors.
if_lan="lan0 wan0 wifi0"


#
# Options
#
# Answer blocked packets with TCP RST / ICMP unreachable instead of dropping
# them silently (the default "drop" is quieter toward scanners).
set block-policy return
set skip on lo0   # Skip filtering on loopback interface


#
# Scrub
#
# NOTE(review): "no-df" clears the Don't-Fragment bit on every inbound packet,
# so a 1493-1500 byte DF packet from the LAN is fragmented onto tun0 (MTU 1492)
# instead of being answered with ICMP "fragmentation needed". That matches the
# symptom of "ping -f -l 1465..1472" timing out on the Windows hosts rather
# than reporting DF — try the ruleset without no-df (PMTUD then relies on the
# ICMP unreachables, which are passed below). max-mss 1440 overlaps with ppp's
# "enable mssfixup"; either alone is enough for TCP.
#scrub in on {$if_lan}
#scrub in on tun0 no-df max-mss 1440
scrub in all no-df max-mss 1440

#
# NAT and Port-Forwarding
#
# The ppp/* anchors are filled by ppp.linkup from /etc/ppp/pf.d/<label>.conf
# and flushed by ppp.linkdown; ftp-proxy/* is managed by ftp-proxy(8).
nat-anchor "ppp/*"
nat-anchor "ftp-proxy/*"

rdr-anchor "ppp/*"
rdr-anchor "ftp-proxy/*"

# FTP from the inside networks goes through the local ftp-proxy
rdr pass on { $if_lan } proto tcp to port ftp -> 127.0.0.1 port 8021


#
# Filter Rules
#
# Default deny in both directions; everything below is an exception.
block all

# Sanity check of packet source addresses: drop packets arriving on an
# interface with a source address that belongs to another interface's network
antispoof for { lo $if_lan }

anchor "ppp/*"
anchor "ftp-proxy/*"

# ICMP is allowed in full — every type, both directions, every interface
# including tun0. PMTUD only needs ICMP unreachable (fragmentation needed)
# and, if wanted, echo; "icmp-type" / "icmp6-type" can narrow this once the
# MTU problem is sorted out.
pass inet proto icmp
pass inet6 proto ipv6-icmp

# Accept, on each inside interface, every inbound packet that is not addressed
# to that interface itself (i.e. traffic to be forwarded); pass rules keep state.
# NOTE(review): a packet to one of the router's *other* addresses (e.g. from
# wan0 to 10.1.0.1) also matches "to ! (wan0)", so wan0/wifi0 clients can
# presumably reach services bound to the lan0 address (ssh, smtp, dns)
# regardless of the per-service rules below; "to ! self" or
# "to ! { (lan0) (wan0) (wifi0) }" would close that — confirm which is intended.
pass in on lan0  to ! (lan0)
pass in on wan0  to ! (wan0)
pass in on wifi0 to ! (wifi0)

# Service access: the router's own traffic out of the inside interfaces, and
# anything sourced from the lan0 subnet on the way out (including over tun0)
pass out from {(lan0) (wan0) (wifi0)}
pass out from (lan0:network)

# Services on this server (hostnames are resolved when the ruleset is loaded)
pass in      proto {tcp    } from (lan0:network)  to     nuc.selo.local  port ssh     # SSH
pass in      proto {tcp    } from (lan0:network)  to     nuc.selo.local  port {smtp submission} # SMTP
pass in inet proto {    udp} from (lan0:network)  to     nuc.selo.local  port bootps  # DHCPv4
pass in inet proto {    udp} from (wan0:network)  to     nuc.wan.local   port bootps  # DHCPv4
pass in inet proto {    udp} from (wifi0:network) to     nuc.wifi.local  port bootps  # DHCPv4
pass in      proto {tcp udp} from (lan0:network)  to dns.nuc.selo.local  port domain  # DNS
pass in      proto {tcp udp} from (wan0:network)  to dns.nuc.wan.local   port domain  # DNS
pass in      proto {tcp udp} from (wifi0:network) to dns.nuc.wifi.local  port domain  # DNS

# Services on the back-end servers (any interface, including traffic already
# redirected from tun0; the matching rdr rules live in /etc/ppp/pf.d/telekom.conf)
pass      proto {    udp} to rpi3 port   500 # IPSec
pass      proto {    udp} to rpi3 port  4500 # IPSec
pass inet proto {    udp} to rpi3 port  1194 # OpenVPN
pass inet proto {tcp    } to rpi3 port   443 # OpenVPN (stunnel)
pass      proto {tcp udp} to s0   port 49704 # µTorrent
pass      proto {tcp    } to rpi3 port  8080 # µTorrent (stunnel)
pass      proto {tcp    } to rpi3 port  8081 # Subversion (stunnel)
pass      proto {tcp    } to rpi3 port  8083 # µVent (stunnel)
```

/etc/ppp/pf.d/telekom.conf

```
#
# Macros
#
if_ppp="tun0"
if_lan="lan0 wan0 wifi0"
# Addresses that must never appear as a source on the way in, or as a
# destination on the way out, of the PPPoE link.
# NOTE(review): 169.254.0.0/16 (IPv4 link-local) and 100.64.0.0/10 (shared
# address space) are not listed. fe80::/10 should presumably stay out of this
# table, since RA/rtsold on tun0 exchange link-local traffic with the ISP.
table <nonroutable> const {
    0.0.0.0/8               # IANA - Local Identification
    10.0.0.0/8              # RFC 1918 - Private Address Space
    127.0.0.0/8             # IANA - Loopback
    172.16.0.0/12           # RFC 1918 - Private Address Space
    192.168.0.0/16          # RFC 1918 - Private Address Space
    224.0.0.0/8             # Multicast
    ::1                     # IANA - Loopback
    fec0::/10               # RFC 3879 - Old site local
    2001:db8::/32           # RFC 3849 - Reserved for Documentation
    2001:10::/28            # RFC 4843 - ORCHID
}
# Our own public IPv4 address and IPv6 prefix — blocked as a source on the way
# in (spoofing) and as a destination on the way out.
# NOTE(review): 203.0.113.160 is hard-coded; if the ISP hands out a different
# address after a reconnect this entry goes stale even though ppp.linkup
# reloads the file — ($if_ppp) tracks the link address dynamically. As posted
# the IPv6 prefix also falls inside the 2001:db8::/32 entry above, presumably
# due to redaction; confirm the real prefix is not covered by <nonroutable>.
table <ours> const {
    203.0.113.160
    2001:0db8:f00:ba00::/56
}


#
# NAT and Port Forwarding (IPv4)
#
# Do not translate traffic the router itself sends into its own VLANs.
no nat on lan0  inet from (lan0)  to (lan0:network)
no nat on wan0  inet from (wan0)  to (wan0:network)
no nat on wifi0 inet from (wifi0) to (wifi0:network)
# Everything else leaving over PPPoE gets the link's first address.
nat on $if_ppp inet from !($if_ppp) -> ($if_ppp:0)

# Services on the back-end servers must not be reached from the local network
# with the client's own IPv4 address, because the packet would be sent to
# 203.0.113.160 while the reply would come from 10.1.0.6 (for example). So we
# NAT here as well, so that the router sends the request with its own address
# and then relays the reply (hairpin NAT for the rdr rules below).
nat on {$if_lan} inet proto {    udp} to rpi3 port   500 -> lan0 # IPSec
nat on {$if_lan} inet proto {    udp} to rpi3 port  4500 -> lan0 # IPSec
nat on {$if_lan} inet proto {    udp} to rpi3 port  1194 -> lan0 # OpenVPN
nat on {$if_lan} inet proto {tcp    } to rpi3 port   443 -> lan0 # OpenVPN (stunnel)
nat on {$if_lan} inet proto {tcp udp} to s0   port 49704 -> lan0 # µTorrent
nat on {$if_lan} inet proto {tcp    } to rpi3 port  8080 -> lan0 # µTorrent (stunnel)
nat on {$if_lan} inet proto {tcp    } to rpi3 port  8081 -> lan0 # Subversion (stunnel)
nat on {$if_lan} inet proto {tcp    } to rpi3 port  8083 -> lan0 # µVent (stunnel)

# Services on the back-end servers: port-forward from the PPPoE address
# (the matching "pass ... to rpi3/s0" filter rules are in /etc/pf.conf)
rdr inet proto {    udp} to ($if_ppp) port   500 -> rpi3 # IPSec
rdr inet proto {    udp} to ($if_ppp) port  4500 -> rpi3 # IPSec
rdr inet proto {    udp} to ($if_ppp) port  1194 -> rpi3 # OpenVPN
rdr inet proto {tcp    } to ($if_ppp) port   443 -> rpi3 # OpenVPN (stunnel)
rdr inet proto {tcp udp} to ($if_ppp) port 49704 -> s0   # µTorrent
rdr inet proto {tcp    } to ($if_ppp) port  8080 -> rpi3 # µTorrent (stunnel)
rdr inet proto {tcp    } to ($if_ppp) port  8081 -> rpi3 # Subversion (stunnel)
rdr inet proto {tcp    } to ($if_ppp) port  8083 -> rpi3 # µVent (stunnel)

#
# Filter Rules
#

# Sanity check of packet source addresses on the PPPoE link, plus bogon and
# own-address filtering in both directions ("quick": no later rule overrides it)
antispoof for $if_ppp
block drop in quick on $if_ppp from {<nonroutable> <ours>} to any
block drop out quick on $if_ppp from any to {<nonroutable> <ours>}

# Internet access: anything may leave over PPPoE. As far as this file and
# /etc/pf.conf show, inbound on tun0 is limited to ICMP, the rdr'd services
# above and the DHCPv6 rule below.
pass out on $if_ppp

# DHCPv6 client (replies from the ISP to the dhcp6c started by ppp.linkup)
pass in inet6 proto udp to $if_ppp port dhcpv6-client
```

This is the output of ifconfig:

```
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 94:c6:91:a1:20:9f
        hwaddr 94:c6:91:a1:20:9f
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet6 ::2 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.0.2 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
lan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 94:c6:91:a1:20:9f
        inet 10.1.0.1 netmask 0xffff0000 broadcast 10.1.255.255
        inet 10.1.0.2 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 fe80::96c6:91ff:fea1:209f%lan0 prefixlen 64 scopeid 0x3
        inet6 2001:0db8:f00:ba01::1 prefixlen 64
        inet6 2001:0db8:f00:ba01::2 prefixlen 64
        inet6 2001:0db8:f00:ba01:96c6:91ff:fea1:209f prefixlen 64
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 1 vlanpcp: 0 parent interface: em0
        groups: vlan
wan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 94:c6:91:a1:20:9f
        inet 10.2.0.1 netmask 0xffff0000 broadcast 10.2.255.255
        inet 10.2.0.2 netmask 0xffff0000 broadcast 10.2.255.255
        inet6 fe80::96c6:91ff:fea1:209f%wan0 prefixlen 64 scopeid 0x4
        inet6 2001:0db8:f00:ba02::1 prefixlen 64
        inet6 2001:0db8:f00:ba02::2 prefixlen 64
        inet6 2001:0db8:f00:ba02:96c6:91ff:fea1:209f prefixlen 64
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 2 vlanpcp: 0 parent interface: em0
        groups: vlan
wifi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 94:c6:91:a1:20:9f
        inet 10.3.0.1 netmask 0xffff0000 broadcast 10.3.255.255
        inet 10.3.0.2 netmask 0xffff0000 broadcast 10.3.255.255
        inet6 fe80::96c6:91ff:fea1:209f%wifi0 prefixlen 64 scopeid 0x5
        inet6 2001:0db8:f00:ba03::1 prefixlen 64
        inet6 2001:0db8:f00:ba03::2 prefixlen 64
        inet6 2001:0db8:f00:ba03:96c6:91ff:fea1:209f prefixlen 64
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 3 vlanpcp: 0 parent interface: em0
        groups: vlan
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
        groups: pflog
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
        options=80000<LINKSTATE>
        inet6 fe80::96c6:91ff:fea1:209f%tun0 prefixlen 64 scopeid 0x7
        inet6 2001:0db8:f000:7fd:96c6:91ff:fea1:209f prefixlen 64 autoconf
        inet 203.0.113.160 --> 203.0.113.1 netmask 0xffffffff
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        groups: tun
        Opened by PID 3276
```


----------



## SirDice (Oct 26, 2018)

Make sure you allow certain ICMP messages: https://en.wikipedia.org/wiki/Path_MTU_Discovery


----------



## -Rozi- (Oct 26, 2018)

SirDice said:


> Make sure you allow certain ICMP messages...



All ICMP traffic is allowed:

```
pass inet proto icmp
pass inet6 proto ipv6-icmp
```


----------

