From: Harry Duncan
Date: Sun, 23 Dec 2018 15:01:52 +0000
Subject: FreeBSD GRE tunnels / MTU question
To: freebsd-questions@freebsd.org

Guys,

Hoping someone here has experience of this: I have a server on one end of a VPN tunnel, and clients on a remote site which receive encrypted communications from the server. If the packets get fragmented, the communications break down.

Each site connects to the net through a FreeBSD server which connects to a VDSL router in bridged mode; the FreeBSD server uses pppoe and connects to the internet, and uses PF to protect the lans on both ends. GRE tunnels are used to form a wide area network with routing between the private lans.

I've worked my way through setting the MTU on the lan interface to Jumbo frame size, and I have the VPN GRE tunnels on super jumbo frame size. I have pf scrub set to what I think is the optimal. One client successfully registered and fourteen others haven't, so I need to work harder!

These sites mostly connect via VDSL service where, at the hardware router level, the router connects to the DSLAM with a maximum MTU of 1462 bytes, which is much less than the 9000 bytes jumbo frame size being used by the GRE tunnels.

In your experience, with a VPN tunnel which is essentially bridging across the VDSL lan at a lower MTU, will the packet fragmentation at the DSL level impact the packets travelling within the encrypted VPN tunnel and / or do you have any tips on how I could examine this in practice to see?

Thanks,
Harry.
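
One way to put numbers on the setup described in the message above, as an added example that is not part of the original post: it computes the GRE tunnel MTU and the minimum outer fragment count for a given path MTU, and binary-searches the path MTU with don't-fragment probes. Assumptions: the 1462-byte figure is treated as the IPv4 path MTU, the tunnel uses a basic 4-byte GRE header over IPv4 with no further encryption overhead, `PROBE_HOST` is a placeholder, and `probe_sim` is a constructed offline stand-in for the real link.

```shell
#!/bin/sh
# Added example. Header sizes are assumptions: IPv4 without options,
# basic GRE without key/checksum/sequence fields.
IP_HDR=20
GRE_HDR=4
ICMP_HDR=8

# Largest inner (tunnel) MTU that fits in one outer packet on a path MTU of $1.
tunnel_mtu() { echo $(( $1 - IP_HDR - GRE_HDR )); }

# Minimum number of outer IPv4 fragments for an inner packet of $1 bytes
# that is GRE-encapsulated and sent over a path MTU of $2.
outer_fragments() {
    payload=$(( $1 + GRE_HDR ))      # bytes following the outer IP header
    room=$(( $2 - IP_HDR ))          # data bytes one outer packet can carry
    if [ "$payload" -le "$room" ]; then echo 1; return; fi
    per_frag=$(( room / 8 * 8 ))     # non-final fragments carry a multiple of 8
    echo $(( 1 + (payload - room + per_frag - 1) / per_frag ))
}

# Binary-search the largest IP packet size in [$1,$2] for which the probe
# command named in $3 succeeds when called with that size.
find_pmtu() {
    lo=$1; hi=$2; probe=$3
    if ! "$probe" "$lo"; then echo 0; return 1; fi
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# Real probe for FreeBSD: one ICMP echo with the DF bit set (-D).
# -s takes the ICMP payload size, so subtract the IP and ICMP headers.
# PROBE_HOST is a placeholder for a host on the far side of the link.
probe_ping() {
    ping -D -c 1 -s $(( $1 - IP_HDR - ICMP_HDR )) "$PROBE_HOST" >/dev/null 2>&1
}

# Constructed offline stand-in that models a 1462-byte link.
probe_sim() { [ "$1" -le 1462 ]; }

pmtu=$(find_pmtu 576 9000 probe_sim)
echo "path MTU:                     $pmtu"
echo "largest unfragmented GRE MTU: $(tunnel_mtu "$pmtu")"
echo "fragments per 9000-byte pkt:  $(outer_fragments 9000 "$pmtu")"
```

On a live gateway, set `PROBE_HOST` and pass `probe_ping` to `find_pmtu` in place of `probe_sim`.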