Checkpoint and PPPOE

Well, this was a fun task: rolling out a Checkpoint F/W R77.30 connected to a PPPOE circuit.

After configuring the PPPOE interface and binding it to a physical interface, I plugged in and the circuit came up. I applied a basic best-practice rule base and was able to ping IP addresses like 8.8.8.8 as expected, so I thought we were good to go. Boy was I wrong. It turned out DNS lookups were not working at all: no drops were shown in the log and the DNS servers were set correctly.

I did some research and it turns out PPPOE can't be accelerated by SecureXL. Fair enough: disable SecureXL and reboot, and all should be well. Wrong again. After some more digging I noticed that

fw ctl debug -m fw + drop

shows drops. Great, so now we have an MTU problem. I checked the MTU of the PPPOE circuit (1492) and confirmed it by running the following from a workstation:

ping -f -l 1464 www.google.com

Add 28 bytes of packet overhead (20-byte IP header plus 8-byte ICMP header) to 1464 = 1492.
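To make that arithmetic reusable, here is an added example (my own script, not part of the original post) that generalises the `ping -f -l` probe above: it computes the largest DF ping payload and the TCP MSS for a given link MTU, and binary-searches the path MTU using don't-fragment pings. The `df_ping_ok` wrapper assumes the Windows `ping -f -l` and Linux `ping -M do -s` flags and treats a zero exit code as success; when an upstream firewall drops the ICMP "fragmentation needed" replies, over-sized DF probes simply time out, which the search reports as a lower MTU.

```python
import subprocess
import sys

IP_HEADER = 20    # IPv4 header, no options
ICMP_HEADER = 8   # ICMP echo request/reply header
TCP_HEADER = 20   # TCP header, no options


def icmp_payload_for_mtu(mtu):
    """Largest ping payload (-l on Windows, -s on Linux) that fits one packet."""
    return mtu - IP_HEADER - ICMP_HEADER


def tcp_mss_for_mtu(mtu):
    """TCP MSS to clamp/advertise so full segments fit a link of this MTU."""
    return mtu - IP_HEADER - TCP_HEADER


def df_ping_ok(host, payload, windows=(sys.platform == "win32")):
    """Send one echo request with DF set; True if a reply came back.
    Assumption: a non-zero exit code means no reply (timeout or frag-needed)."""
    if windows:
        cmd = ["ping", "-f", "-l", str(payload), "-n", "1", host]
    else:
        cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1", host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_path_mtu(probe, lo=576, hi=1500):
    """Binary-search the largest DF payload for which probe(payload) is True.
    Returns the path MTU (payload plus IP/ICMP headers), or None if even
    the smallest probe fails (host unreachable or all ICMP dropped)."""
    lo_payload, hi_payload = icmp_payload_for_mtu(lo), icmp_payload_for_mtu(hi)
    if not probe(lo_payload):
        return None
    best = lo_payload
    while lo_payload <= hi_payload:
        mid = (lo_payload + hi_payload) // 2
        if probe(mid):
            best, lo_payload = mid, mid + 1
        else:
            hi_payload = mid - 1
    return best + IP_HEADER + ICMP_HEADER


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"
    mtu = find_path_mtu(lambda p: df_ping_ok(target, p))
    if mtu is None:
        print("no DF ping answered; check ICMP rules before blaming the MTU")
    else:
        print(f"path MTU {mtu}: ping payload {icmp_payload_for_mtu(mtu)}, "
              f"TCP MSS {tcp_mss_for_mtu(mtu)}")
```

On the 1492-byte PPPOE path from the post this reports a 1464-byte ping payload and a 1452-byte TCP MSS.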

Right, so I set the MTU on the F/W interfaces and on select desktops using the following commands.

Find the correct interface and check its MTU:

netsh interface ipv4 show subinterface

Set the new MTU:

netsh interface ipv4 set subinterface "Ethernet" mtu=1492 store=persistent

Hey presto, things started to work. I did also have a SYN-ACK issue during this process, which caused me to turn off "Drop out of state TCP/ICMP packets" under Global Properties-->Stateful Inspection. I believe this was a timing issue and may now be OK after the MTU remediation; I will revisit this.

This is all very well, but how did the el-cheapo device the Checkpoint replaced ever work with the MTU set to 1500 on workstations? Turns out it had a great rule base allowing any-->any-->all-->accept. As noted, I had set up a basic rule base using best practices, including a final drop rule and a stealth rule for the firewall.

I then discovered, after reading a lot of articles (and this is summarised significantly below), that when a device attempts to transmit over an encapsulated circuit such as PPPOE, PPP or PPTP with a larger MTU, the upstream device rejects the packet but also responds with an ICMP packet to renegotiate a smaller MTU (MSS). My rule base blocked such traffic, so adding a simple allow-ICMP rule fixes it; of course, if I had allowed ICMP in Global Properties beforehand, that would have worked too.

This post is in draft: I wanted to knock out the basics while they were fresh in my head. I will flesh it out in time.

Posted on Aug 09, 2018.