Go Premium for a chance to win a PS4. Enter to Win


SSL Sites won’t load on PPOE connections.

Published on
8,076 Points
Last Modified:
Sometimes you have to pull out old tricks to get a new firewall to work…

While we were installing a new Sonicwall at a customers site we found that sites they were able to visit before were not working.  It seemed random and we could not understand what was happening.  Everything in the Sonicwall was checked and rechecked to no avail.  Then it dawned on me!  Looking at the WAN connection, I saw the dreaded “PPoE”.  It’s been a long time since I’ve worked with a PPoE circuit.  In fact I was surprised to see it.  I thought they all died…

Anyway, I had to into the archives of my brain (boy it sure is dusty in here) and remember how to figure out the proper MTU to set on the WAN interface to get this going.

For those of you wondering what an MTU is, it is a Maximum Transmission Unit.  Basically a cap on the size of your Ethernet packets.  Normal Ethernet packets have an MTU of 1500.  PPoE doesn’t like that 1500 and it is almost always to big.  So we have to reduce the packet size so communications can work effectively.

First we have to determine the MTU, this is easily done with the ping command:

    ping <sitename> to see if you get a response.  You should always get a response even if you MTU is not correct because ping will allow fragmentation of packets.  I usually use google.com since it always responds.
    Next we have to force the ping command to use a certain packet size.  This is done using the /f and /l switches. /f will set the “Don’t Fragment” flag in the packet. /l <size> will set the size of the packet. our command should look like this:  “ping www.google.com /f /l1500¿  We should get a response “Packet needs to be fragmented but DF set.”
    Now we reduce the size of the packets by 8 and retry: “ping www.google.com /f /l 1492¿ If we get the same “Packet needs to be fragmented but DF set.” then we are not low enough, subtract 8 and do it again.
    Continue subtracting 8 until you get a good ping response.  It should look like this:
    Reply from bytes=32 time=29ms TTL=46
    Reply from bytes=32 time=89ms TTL=46
    Reply from bytes=32 time=27ms TTL=46
    Reply from bytes=32 time=27ms TTL=46
    The number you used will be our MTU!
    Take the number you just used and plug it into the WAN interface settings of your router and you’ll be browsing secure sites in no time!

This article is a reprint from the original on my blog: SSL Sites won’t load on PPOE connections..

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Join & Write a Comment

Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
Suggested Courses

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month