[EXTERNAL] AW: AW: Setting Framed-MTU Attribute

Winfield, Alister (Senior Solutions Architect) Alister.Winfield at sky.uk
Thu Mar 24 10:51:08 UTC 2022


Okay, simple check: if you take your device sending UDP and force the configured MTU on the egress interface to be smaller than 1500 bytes, then restart the application in question… does it still send 1500-byte packets? If it does, then nothing you do with the AP, DHCP or RADIUS will have any effect. This is as likely to be a software issue as anything else. TCP flows tend to honour the MTU of the interface, although in some annoying cases even this fails to work out well.

Oh, before I forget… If that UDP originates outside your setup, forget it: nothing you do will change the fragmentation here. Protocols using UDP rarely if ever negotiate an MTU / MRU value, just relying on fragmentation to ensure the packets get from A to B.

A.


From: Freeradius-Users <freeradius-users-bounces+alister.winfield=sky.uk at lists.freeradius.org> on behalf of Luca Bertoncello <L.Bertoncello at queo-group.com>
Date: Thursday, 24 March 2022 at 08:39
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: [EXTERNAL] AW: AW: Setting Framed-MTU Attribute

Hi Matthew,

so, I checked the OpenVPN configuration on the servers and I have mtu-disc set to yes.
In the documentation of OpenVPN I read:

      --mtu-disc type
              Should we do Path MTU discovery on TCP/UDP channel?  Only supported on OSes such as Linux that supports the necessary system call to set.

              'no' -- Never send DF (Don't Fragment) frames
              'maybe' -- Use per-route hints
              'yes' -- Always DF (Don't Fragment)

So, it seems I already use the PMTUD.

Do you (or someone else) have any suggestion to solve my problem or must I install a Freeradius in the second office, too?

Thanks
Luca Bertoncello

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+l.bertoncello=queo-group.com at lists.freeradius.org> On Behalf Of Matthew Newton
Sent: Wednesday, 23 March 2022 16:38
To: freeradius-users at lists.freeradius.org
Subject: Re: AW: Setting Framed-MTU Attribute

On 23/03/2022 15:28, Luca Bertoncello wrote:
> I read the site-available/default but since I don't know what I have to search for, it's very difficult...

As Alan said, the default config is full of examples of how to update attributes. You just have to read it. Updating attributes is also documented in the unlang man pages.

e.g.

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-available/default#L864-L867

> Currently, I tried to change the mods_enabled/eap and set use_tunneled_reply to yes.
> I also changed the mods-config/attr_filter/access_challenge and added Framed-MTU = 1344 at the start of the "DEFAULT" section.
> No changes in my situation.

Because as you've already been told, attr_filter *removes* attributes, it doesn't add them.

update reply {
   Framed-MTU := 1000
}

From your original post, though, I suspect this won't help. That attribute is for telling the NAS what MTU to use. It won't make its way through to any device on wifi.

If you have a VPN in the way of that RADIUS server that's causing MTU problems, drop the MTU on the NAS or RADIUS server, or fix the VPN / PMTUD so that the path MTU is calculated correctly. You can't fix that by changing attributes.

--
Matthew
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
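
The packet-size check suggested at the top of this thread, as an added example that is not part of any poster's message: it reads `tcpdump -n -v` text and reports, per UDP packet, whether it fits an assumed path MTU and whether DF is set. The capture below is constructed, and 1344 is only an assumed path MTU for illustration.

```python
import re

# IP header line as printed by `tcpdump -n -v`.
HDR = re.compile(
    r"id (?P<id>\d+), offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto (?P<proto>\w+) \(\d+\), length (?P<len>\d+)\)"
)

# Constructed sample capture (not taken from the thread), as it might look
# on the LAN side of a VPN gateway. Addresses are documentation ranges.
SAMPLE = """\
10:51:08.100 IP (tos 0x0, ttl 64, id 4001, offset 0, flags [DF], proto UDP (17), length 1500)
    192.0.2.10.40000 > 198.51.100.5.50000: UDP, length 1472
10:51:08.200 IP (tos 0x0, ttl 64, id 4002, offset 0, flags [+], proto UDP (17), length 1340)
    192.0.2.11.40000 > 198.51.100.5.50000: UDP, length 1472
10:51:08.200 IP (tos 0x0, ttl 64, id 4002, offset 1320, flags [none], proto UDP (17), length 180)
    192.0.2.11 > 198.51.100.5: ip-proto-17
10:51:08.300 IP (tos 0x0, ttl 64, id 4003, offset 0, flags [DF], proto UDP (17), length 300)
    192.0.2.12.40000 > 198.51.100.5.50000: UDP, length 272
10:51:08.400 IP (tos 0x0, ttl 64, id 4004, offset 0, flags [none], proto UDP (17), length 1500)
    192.0.2.13.40000 > 198.51.100.5.50000: UDP, length 1472
"""


def classify(capture, path_mtu):
    """Return (ip_id, ip_length, is_fragment, verdict) for each UDP packet."""
    results = []
    for m in HDR.finditer(capture):
        if m["proto"] != "UDP":
            continue
        length, flags = int(m["len"]), m["flags"]
        # More-fragments flag or a non-zero offset: already fragmented upstream.
        is_fragment = "+" in flags or int(m["off"]) > 0
        if length <= path_mtu:
            verdict = "fits"
        elif "DF" in flags:
            verdict = "too-big-df"  # dropped at the bottleneck unless PMTUD works
        else:
            verdict = "too-big"     # fragmented again at the bottleneck
        results.append((int(m["id"]), length, is_fragment, verdict))
    return results


if __name__ == "__main__":
    for row in classify(SAMPLE, path_mtu=1344):
        print(row)
```

A sender that keeps producing `too-big-df` or `too-big` rows after its interface MTU was lowered is the case where AP, DHCP or RADIUS settings cannot help.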