Topic: ICMP Checksums are incorrect...
« on: April 12, 2008, 23:42:19 »
Tismo *
Posts: 4

I have the following setup here:

Internet------>DSL Modem------>m0n0wall 1.3b11------>Local LAN w/ PCs running Windows, Linux and Mac OS X 10.5.2

M0n0wall is configured to do NAT.  After installing m0n0wall, my Linux machines and my Mac machines could not get to certain websites.  My Macs also could not log onto Messenger.

I traced the problem on both my Mac and on my Linux machines and it appeared that neither were doing PMTU discovery.  Tcpdump and Wireshark showed the ICMP Packet Size Exceeded message delivered with the correct next hop MTU of 1492.  My Windows machines were having no problems with PMTUD.

Digging further, I finally realized that the issue seems to be that the ICMP checksum is calculated incorrectly.  Both the OS X and Linux machines seem to check that value and if it is incorrect must drop the packet without further processing.  It appears the Windows machines ignore the checksum.  I have worked around the problem for now by hard setting the MTU on my Ethernet connections.  Unfortunately, this doesn't work for my wireless connections.

Please let me know if you need any further information to isolate this.  I have tcpdumps and Wireshark traces if needed.

Thanks!

--Tismo
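To make the checksum point concrete, here is an added example (not code from the thread or from m0n0wall) that builds an ICMP "Fragmentation Needed" message with a next-hop MTU of 1492 and applies the receiver's RFC 1071 verification, which is the check that a Linux or OS X stack performs before acting on the message. The quoted IP header and port numbers are constructed sample values using documentation addresses, not anything captured from the poster's network.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented.
    An odd trailing byte is padded with a zero byte before summing."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frag_needed(next_hop_mtu: int, quoted: bytes) -> bytes:
    """Build an ICMP type 3, code 4 (Fragmentation Needed, DF set) message.
    `quoted` is the original IP header plus 8 bytes of payload, as a router
    echoes them back. The checksum covers the whole ICMP message."""
    header = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)   # checksum field zero while computing
    csum = internet_checksum(header + quoted)
    return struct.pack("!BBHHH", 3, 4, csum, 0, next_hop_mtu) + quoted

def icmp_checksum_ok(packet: bytes) -> bool:
    """The receiving stack's test: summing the message with its checksum
    field included must give all ones, i.e. internet_checksum() == 0."""
    return len(packet) >= 8 and internet_checksum(packet) == 0

def next_hop_mtu(packet: bytes) -> int:
    """Next-hop MTU lives in the second half of the ICMP 'unused' word (RFC 1191)."""
    return struct.unpack("!H", packet[6:8])[0]

def corrupt_checksum(packet: bytes) -> bytes:
    """Flip one bit in the checksum field to model a miscomputed checksum."""
    return packet[:2] + bytes([packet[2] ^ 0x01]) + packet[3:]

# Constructed sample: a 1500-byte IPv4 datagram with DF set, TCP 192.0.2.10:40000 -> 198.51.100.20:80,
# followed by its first 8 transport bytes. The IP checksum is left zero (placeholder).
QUOTED = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
QUOTED += struct.pack("!HHI", 40000, 80, 1)

if __name__ == "__main__":
    good = build_frag_needed(1492, QUOTED)
    bad = corrupt_checksum(good)
    for name, pkt in (("correct", good), ("corrupted", bad)):
        print("%-9s checksum ok=%s next-hop MTU=%d"
              % (name, icmp_checksum_ok(pkt), next_hop_mtu(pkt)))
```

The corrupted message still carries the right MTU, which matches what the poster saw in the traces: the information is there, but a stack that verifies the checksum first never reads it, while a stack that skips the check happily uses it.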
« Reply #1 on: June 15, 2008, 08:54:26 »
cmb *****
Posts: 851

Are you sure the checksums are really incorrect and it's not hardware checksum offloading making it look like they're incorrect?
« Reply #2 on: June 18, 2008, 18:20:40 »
Tismo *
Posts: 4

I was not aware that FreeBSD supported checksum offloading for ICMP.  The NICs I am using are older models and I'm not sure they support ICMP checksum offload either.  In any event, assuming that is the case, how does one configure m0n0wall to disable checksum offloading?  I can test this theory out if I know how to configure this within m0n0wall.

Also, bear in mind that the tcpdumps and the Wireshark traces are taken on the machines that are receiving the ICMP messages not from the m0n0wall machine.  So this isn't a case of the checksums "appearing" to be incorrect.  They are indeed incorrect. 
« Reply #3 on: June 23, 2008, 18:37:14 »
Manuel Kasper
Administrator
*****
Posts: 364

FreeBSD does indeed support checksum offloading on some NIC chipsets; you can (temporarily) disable it by running "ifconfig xxx0 -rxcsum -txcsum" via /exec.php (where xxx0 is the BSD name of the interface in question).

This could in theory be a bug in ipfilter, as it has a long history of bug-ridden ICMP NAT code. However, there haven't been any new fixes since 4.1.28 (which is what m0n0wall 1.3b11 uses).

Also, it appears that your DSL modem is doing the PPPoE - otherwise m0n0wall would (or at least should ;) ) do TCP MSS clamping, avoiding MTU problems (at least for TCP). In that case, I recommend that you set your DSL modem to bridge mode and have m0n0wall do the PPPoE (to get rid of the double NAT, if nothing else).
« Reply #4 on: June 27, 2008, 00:24:50 »
Tismo *
Posts: 4

I realize that FreeBSD does checksum offloading for TCP, UDP and IP.  However, no OS to my knowledge does it for ICMP (although I'm happy to be corrected here).

I may be able to put my DSL gateway in bridged mode (I haven't checked), but I'm not sure that's an option for all users.  Some vendors/ISPs disable that ability on their gateways.

Anyway, perhaps this is an issue with ipfilter and not with m0n0wall specifically.  I haven't tested it on anything else.
« Reply #5 on: July 05, 2008, 14:03:36 »
anv *
Posts: 1

Sorry, I haven't even read all of this thread, but I just registered on this forum because I had a similar problem. In my case, though, the problem started without any preceding system changes (including firmware, ports, software... one small possibility is that some Ubuntu security update caused the problem, but I doubt it). Before, m0n0wall worked flawlessly, but now I can see ICMP all the time in my Ubuntu Firestarter, and I have opened all the needed ports. I can't open all websites anymore with m0n0wall active; right now my lowest LAN rule is "pass all", and that's how I can write this message.