SSL Sites won’t load on PPOE connections.

Sometimes you have to pull out old tricks to get a new firewall to work…

While we were installing a new Sonicwall at a customers site we found that sites they were able to visit before were not working.  It seemed random and we could not understand what was happening.  Everything in the Sonicwall was checked and rechecked to no avail.  Then it dawned on me!  Looking at the WAN connection, I saw the dreaded “PPoE”.  It’s been a long time since I’ve worked with a PPoE circuit.  In fact I was surprised to see it.  I thought they all died…

Anyway, I had to into the archives of my brain (boy it sure is dusty in here) and remember how to figure out the proper MTU to set on the WAN interface to get this going.

For those of you wondering what an MTU is, it is a Maximum Transmission Unit.  Basically a cap on the size of your Ethernet packets.  Normal Ethernet packets have an MTU of 1500.  PPoE doesn’t like that 1500 and it is almost always to big.  So we have to reduce the packet size so communications can work effectively.

First we have to determine the MTU, this is easily done with the ping command:

  1. ping <sitename> to see if you get a response.  You should always get a response even if you MTU is not correct because ping will allow fragmentation of packets.  I usually use google.com since it always responds.
  2. Next we have to force the ping command to use a certain packet size.  This is done using the /f and /l switches. /f will set the “Don’t Fragment” flag in the packet. /l <size> will set the size of the packet. our command should look like this:  “ping www.google.com /f /l1500”  We should get a response “Packet needs to be fragmented but DF set.”
  3. Now we reduce the size of the packets by 8 and retry: “ping www.google.com /f /l 1492” If we get the same “Packet needs to be fragmented but DF set.” then we are not low enough, subtract 8 and do it again.
  4. Continue subtracting 8 until you get a good ping response.  It should look like this:
    Reply from 173.194.64.147: bytes=32 time=29ms TTL=46
    Reply from 173.194.64.147: bytes=32 time=89ms TTL=46
    Reply from 173.194.64.147: bytes=32 time=27ms TTL=46
    Reply from 173.194.64.147: bytes=32 time=27ms TTL=46
    The number you used will be our MTU!
  5. Take the number you just used and plug it into the WAN interface settings of your router and you’ll be browsing secure sites in no time!

 

 

 

Comments are closed.