Since switching from my BT SmartHub to a pfsense router I’ve had a few minor teething problems. One of which has been the squid proxy service causing a problem where I can’t access the BBC website with an error. Whilst I did eventually fix this through a slightly strange method, I encountered a possible source of the problem which was worth fixing on it’s own
When I turned squid off I was immediately able to access the BBC website, but with it turned on I consistent received an error from squid that there had been a “Zero Sized Reply”. It seemed squid was unable to get any reply from the BBC. One possible cause of this could be fragmented packets being dropped, and the cause of fragmentation is normally MTU size.
The default MTU for Ethernet is 1500 and most modern operating systems manage things on the LAN automatically. It is possible to use sizes up to 9000 to increase throughput (slightly) for the LAN. However, this was of less interest to me than making sure packets weren’t getting fragmented multiple times, or being fragmented after leaving the router.
With the pfsense WAN MTU set to default (1500) I tried some pinging from windows to see what the maximum size was without fragmentation. The command to use is
ping google.com -f -l 1500, changing the last number to find the optimum. My BT Infinity connection uses PPPoE which typically has a maximum value of 1492 (it may in fact really use PPPoA which my bridged modem can present as PPPoE to pfsense, different sources say different things about this), and when using ping it is necessary to take into account some overhead which has a value of 28, so I was expecting a ping MTU of 1464 to be the largest I could use. To my surprise this still resulted in fragmentation and I eventually found the maximum I could use was 1456.
I used this value (with 28 added back on) to set a MTU value of 1484 in the WAN interface settings of pfsense. Now the only fragmentation should be done by the router to LAN packets, with no risk of any later fragmentation from a router somewhere between me and any particular website. After clearing my browser cache and the squid cache I was then able to load the BBC website successfully. I suspect the issue was caused by a router blackholing issue somewhere between my ISP and the BBC servers which was dropping the fragmented packets. A nice description of the phenomenon can be found on RCL’s Blog
Think we've missed something? Let us know by commenting below. If you would like to subscribe please use the subscribe link on the menu at the top right. You can also share this with your friends by using the social links below. Cheers.