AW: AW: Setting Framed-MTU Attribute

Luca Bertoncello L.Bertoncello at queo-group.com
Wed Mar 23 15:51:19 UTC 2022


Hi Matthew,

I have an "update reply" in my server part. Of course not in post-auth, since the problem is previous...
I added it to the preacct section, but of course it does not help.

My problem is that the communication does not survive the site-to-site VPN (with OpenVPN).
With tcpdump I see:

13	0.341592	10.6.21.10	10.0.21.10	IPv4	1516	Fragmented IP protocol (proto=UDP 17, off=0, ID=2021)

Searching for this error got me the "result" that I have to change the Framed-MTU, and as I didn't get it after one day's work, I asked the list.

Now you write, this change will not help. And I see, it does not help, as you predicted.
The MTU on the VPN tunnel is currently 1500.

Or did I not understand what you mean?

Thanks
Luca Bertoncello

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+l.bertoncello=queo-group.com at lists.freeradius.org> On Behalf Of Matthew Newton
Sent: Wednesday, 23 March 2022 16:38
To: freeradius-users at lists.freeradius.org
Subject: Re: AW: Setting Framed-MTU Attribute

On 23/03/2022 15:28, Luca Bertoncello wrote:
> I read the site-available/default but since I don't know what I have to search for, it's very difficult...

As Alan said, the default config is full of examples of how to update attributes. You just have to read it. Updating attributes is also documented in the unlang man pages.

e.g.

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-available/default#L864-L867

> Currently, I tried to change the mods_enabled/eap and set use_tunneled_reply to yes.
> I also changed the mods-config/attr_filter/access_challenge and added Framed-MTU = 1344 at the start of the "DEFAULT" section.
> No changes in my situation.

Because as you've already been told, attr_filter *removes* attributes, it doesn't add them.

update reply {
   Framed-MTU := 1000
}

From your original post, though, I suspect this won't help. That attribute is for telling the NAS what MTU to use. It won't make its way through to any device on wifi.

If you have a VPN in the way of that RADIUS server that's causing MTU problems, drop the MTU on the NAS or RADIUS server, or fix the VPN / PMTUD so that the path MTU is calculated correctly. You can't fix that by changing attributes.

--
Matthew
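
The fragmentation arithmetic behind the advice to lower the MTU on the sending host, as an added example that is not part of the original thread. The 1900-byte RADIUS payload and the 1400-byte usable tunnel MTU are constructed sample values, not measurements from the poster's network.

```python
# Added example: IPv4 fragmentation of one large RADIUS/UDP datagram.
# Sample sizes are constructed; they are not taken from the thread.
IP_HEADER = 20   # IPv4 header without options
UDP_HEADER = 8


def fragment(udp_payload_len, mtu):
    """Return (offset_bytes, ip_total_length, more_fragments) per fragment."""
    if mtu < IP_HEADER + 8:
        raise ValueError("MTU too small to carry any fragment data")
    data_len = UDP_HEADER + udp_payload_len      # bytes IP has to carry
    per_frag = (mtu - IP_HEADER) // 8 * 8        # offsets count 8-byte units
    frags, offset = [], 0
    while offset < data_len:
        chunk = min(per_frag, data_len - offset)
        more = offset + chunk < data_len
        frags.append((offset, IP_HEADER + chunk, more))
        offset += chunk
    return frags


def fits_path(frags, path_mtu):
    """True if every fragment crosses the path without being split again."""
    return all(total <= path_mtu for _, total, _ in frags)


def max_unfragmented_radius(path_mtu):
    """Largest RADIUS packet that needs no IP fragmentation on this path."""
    return path_mtu - IP_HEADER - UDP_HEADER


if __name__ == "__main__":
    radius_len = 1900      # constructed: RADIUS packet carrying EAP data
    tunnel_mtu = 1400      # assumption: usable MTU inside the VPN tunnel
    for sender_mtu in (1500, 1400):
        frags = fragment(radius_len, sender_mtu)
        print(f"sender MTU {sender_mtu}:")
        for off, total, more in frags:
            print(f"  off={off:<5} ip_len={total:<5} MF={int(more)}")
        print("  fits tunnel:", fits_path(frags, tunnel_mtu))
    print("largest unfragmented RADIUS packet:",
          max_unfragmented_radius(tunnel_mtu))
```

With a sender MTU of 1500 the first fragment is a full 1500-byte IP packet at offset 0, the same shape as the captured line, and it only survives if the tunnel really carries 1500 bytes end to end.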