There are many symptoms that may arise when you are installing a new firewall on a network that is using a DSL circuit and the MTU is not set correctly. That’s right the MTU, Max transmission Unit as it is know is a happy 1500 bytes on any Ethernet,  that medium makes up most endpoint networks on the Internet. Most admins never think about what the MTU is set at the gateway device, when they forget to realize that the circuit to the Internet is a DSL circuit they may see things on the network that can’t seem to explain.

MTU is the maximum packet size (in bytes) that can be transported reliably across any particular network; IP Ethernet in this case. The maximum size of an IP Ethernet packet is 1500, but overhead like IP, TCP, and PPPoE must also be taken into account. The wrong MTU will actually prevent you from accessing some web sites or FTP sites. It may even cause you to not authenticate properly on mail servers or secure web sites. There are too many variables to be able to estimate what your optimum MTU should be but my rule of thumb is -32bytes which makes the MTU 1468.

If your running a VPN to a remote domain and you are having domain failures that don’t seem to make since? Some people have no issues and others fail with different errors when the should work?

Only some websites working correctly?

DNS and ping work but other services  may fail like mail or ftp?

What maybe taking place is a conflict in the MTU available on a DSL circuit. The Ethernet is placing packets on the wire at up to 1500 bytes each but the DSL has only 14XX bytes available to it so a fragment has to take place that ends up breaking the request being made.

It is simple to overcome such a issue by setting the MTU of your firewalls DSL facing Ethernet device. This will then cause the firewall to regulate the MTU and control the MTU going out to the DSL circuit.

You can also change the MTU in a Windows workstation so it will not send out a packet bigger than what the DSL circuit can handle.

To do this edit the registry with REGEDIT and change the following key.

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\
Interfaces\[Adapter ID]]

Value Name: MTU
Data Type: REG_DWORD (DWORD Value)
Value Data: Default = 0xffffffff (1500)

This will fix the Windows system but I prefer to do it at the firewall so one edit changes all systems. Do what you need to do.

Hope this helps someone out there

 

Cubert

Tagged with:
 

Leave a Reply

*



%d bloggers like this: