
SSL Sites won’t load on PPPoE connections.

Sometimes you have to pull out old tricks to get a new firewall to work…

While we were installing a new Sonicwall at a customer’s site, we found that sites they had been able to visit before were no longer working.  It seemed random and we could not understand what was happening.  Everything in the Sonicwall was checked and rechecked to no avail.  Then it dawned on me!  Looking at the WAN connection, I saw the dreaded “PPPoE”.  It’s been a long time since I’ve worked with a PPPoE circuit.  In fact, I was surprised to see it.  I thought they had all died…

Anyway, I had to dig into the archives of my brain (boy, it sure is dusty in here) and remember how to figure out the proper MTU to set on the WAN interface to get this going.

For those of you wondering what an MTU is, it is the Maximum Transmission Unit: basically a cap on the size of your Ethernet packets.  Normal Ethernet packets have an MTU of 1500.  PPPoE doesn’t like that 1500; its encapsulation takes 8 bytes out of every frame, so 1500 is almost always too big.  Large packets sent with the “Don’t Fragment” bit set, which HTTPS handshakes tend to produce, are silently dropped when the MTU is wrong, which is why only some sites failed.  So we have to reduce the packet size so communications can work effectively.

First we have to determine the MTU, which is easily done with the ping command:

1. ping <sitename> to see if you get a response.  You should always get a response even if your MTU is not correct, because ping will allow fragmentation of packets.  I usually use google.com since it always responds.
2. Next we have to force the ping command to use a certain packet size.  This is done using the /f and /l switches: /f sets the “Don’t Fragment” flag in the packet, and /l <size> sets the size of the packet.  Our command should look like this: “ping www.google.com /f /l 1500”.  We should get the response “Packet needs to be fragmented but DF set.”
3. Now we reduce the size of the packets by 8 and retry: “ping www.google.com /f /l 1492”.  If we get the same “Packet needs to be fragmented but DF set.” then we are not low enough; subtract 8 and do it again.
4. Continue subtracting 8 until you get a good ping response.  It should look like this:

       Reply from 173.194.64.147: bytes=32 time=29ms TTL=46
       Reply from 173.194.64.147: bytes=32 time=89ms TTL=46
       Reply from 173.194.64.147: bytes=32 time=27ms TTL=46
       Reply from 173.194.64.147: bytes=32 time=27ms TTL=46

5. The number you used will be our MTU!
6. Take the number you just used and plug it into the WAN interface settings of your router and you’ll be browsing secure sites in no time!
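The walk described above, as an added Python example (not from the original article): it classifies the ping output, steps the /l size down by 8 until a reply comes back, and converts that size into a WAN MTU. Two caveats it builds in: /l sets only the ICMP data size, so the IP and ICMP headers add 28 bytes to the frame the router must carry, and starting at 1472 (the largest data size that fits a plain 1500-byte frame) makes each 8-byte step land exactly on PPPoE’s 1464. simulated_link is a constructed stand-in so the search runs offline; windows_ping_probe drives the real Windows ping.

```python
import re
import subprocess

IP_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header
PPPOE_OVERHEAD = 8      # 6-byte PPPoE header + 2-byte PPP protocol ID
ETHERNET_MTU = 1500

FRAG_NEEDED = re.compile(r"needs to be fragmented", re.IGNORECASE)
REPLY_LINE = re.compile(r"^Reply from \S+: bytes=\d+ time[=<]\d+ms TTL=\d+", re.M)

def classify_ping_output(text):
    """Map Windows ping output to 'ok', 'too_big' or 'no_reply'."""
    if FRAG_NEEDED.search(text):
        return "too_big"      # DF set and the frame exceeded the path MTU
    if REPLY_LINE.search(text):
        return "ok"
    return "no_reply"         # timed out, unreachable, etc.

def find_largest_payload(probe, start=ETHERNET_MTU - IP_ICMP_OVERHEAD, step=8, floor=576):
    """Step the ICMP data size down by `step`, as the article does, until
    probe(payload) reports a reply. Returns None if nothing gets through."""
    payload = start
    while payload >= floor:
        if probe(payload) == "ok":
            return payload
        payload -= step
    return None

def mtu_from_payload(payload):
    """/l sets only the ICMP data; IP and ICMP headers add 28 bytes."""
    return payload + IP_ICMP_OVERHEAD

def windows_ping_probe(host):
    """Probe with the real Windows ping (-f = Don't Fragment, -l = data size)."""
    def probe(payload):
        result = subprocess.run(["ping", host, "-n", "1", "-f", "-l", str(payload)],
                                capture_output=True, text=True)
        return classify_ping_output(result.stdout)
    return probe

def simulated_link(link_mtu):
    """Constructed stand-in for a WAN link so the search can run offline."""
    def probe(payload):
        return "ok" if payload + IP_ICMP_OVERHEAD <= link_mtu else "too_big"
    return probe

if __name__ == "__main__":
    link = simulated_link(ETHERNET_MTU - PPPOE_OVERHEAD)  # typical PPPoE link: 1492
    best = find_largest_payload(link)
    print("largest /l size", best, "=> WAN MTU", mtu_from_payload(best))
```

Swap simulated_link for windows_ping_probe("www.google.com") on the affected machine to measure the real circuit; the MTU you enter on the WAN interface is the printed frame size, not the /l value.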

This article is a reprint of the original on my blog: SSL Sites won’t load on PPPoE connections.