FreeBSD GRE tunnels / MTU question

Harry Duncan usr.src.linux at
Sun Dec 23 15:02:06 UTC 2018


Hoping someone here has experience of this, have a server on one end of a
VPN tunnel, and clients on a remote site which received encrypted
communications from the server. If the packets get fragmented, the
communications break down.

Each site connects to the net through a FreeBSD server which connects to a
VDSL router in bridged mode, the FreeBSD server uses pppoe and connects to
the internet, and uses PF to protect the lans on both ends. GRE tunnels are
used to form a wide area network with routing between the private lans.

I've worked my way through setting the MTU on the lan interface to Jumbo
frame size, I have the VPN GRE tunnels on super jumbo frame size. I have pf
scrub set to what I think is the optimal. One client successfully
registered and fourteen others haven't, so I need to work harder!

These sites mostly connect via VDSL service where at the hardware router
level, the router connects to the DSLAM with a maximum MTU of 1462 bytes
which is much less than the 9000 bytes jumbo frame size being used by the
GRE tunnels.

In your experience, with a VPN tunnel which is essentially bridging across
the VDSL lan at a lower MTU, will the packet fragmentation at the DSL level
impact the packets travelling within the encrypted VPN tunnel and / or do
you have any tips on how I could examine this in practice to see?
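
Added example (not part of the original post): a small Python model of IPv4 fragmentation for the sizes mentioned above, showing how many outer fragments a 9000-byte GRE tunnel packet becomes on a 1462-byte link and which tunnel MTU and TCP MSS would avoid fragmentation. It assumes plain GRE over IPv4 with no optional GRE fields (24 bytes of overhead) and treats 1462 as the outer IP MTU; the function names are illustrative.

```python
IPV4_HDR = 20  # IPv4 header without options
GRE_HDR = 4    # basic GRE header; no key/checksum/sequence fields (assumption)
TCP_HDR = 20   # TCP header without options


def gre_outer_len(inner_len):
    """Size of the outer IPv4 packet that carries an inner packet over GRE."""
    return inner_len + GRE_HDR + IPV4_HDR


def fragment(ip_total_len, link_mtu):
    """Split an IPv4 packet for a link; returns (offset, payload_len, more_frags)."""
    payload = ip_total_len - IPV4_HDR
    if ip_total_len <= link_mtu:
        return [(0, payload, False)]
    # All fragments except the last must carry a multiple of 8 payload bytes.
    per_frag = (link_mtu - IPV4_HDR) // 8 * 8
    frags, offset = [], 0
    while offset < payload:
        size = min(per_frag, payload - offset)
        frags.append((offset, size, offset + size < payload))
        offset += size
    return frags


def tunnel_mtu(link_mtu):
    """Largest inner packet that fits in one outer packet on the link."""
    return link_mtu - IPV4_HDR - GRE_HDR


def tcp_mss(link_mtu):
    """Largest TCP segment that crosses the tunnel without fragmentation."""
    return tunnel_mtu(link_mtu) - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    LINK_MTU = 1462  # DSLAM-facing MTU quoted in the post
    for inner in (9000, 1500, tunnel_mtu(LINK_MTU)):
        frags = fragment(gre_outer_len(inner), LINK_MTU)
        print(f"inner {inner:5d} -> outer {gre_outer_len(inner):5d}: "
              f"{len(frags)} fragment(s), last payload {frags[-1][1]} bytes")
    print("tunnel MTU without fragmentation:", tunnel_mtu(LINK_MTU))
    print("TCP MSS without fragmentation:  ", tcp_mss(LINK_MTU))
```

Only the first outer fragment carries the GRE header and the start of the inner packet, so the loss of any single fragment discards the whole tunnel packet at reassembly.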


