[Samba] Samba over bridged ethernet VPN

Daniel Bye danielby at slightlystrange.org
Tue Sep 30 22:07:25 GMT 2008

Thanks for your reply, Wes.

On Mon, Sep 29, 2008 at 04:45:38PM -0400, Wes Deviers wrote:
> I've had problems similar to this with OpenVPN when path MTU discovery was 
> broken.  In theory it should never break, but there have been a few times 
> when I've had to tweak it by hand.  The general theory, if you're unfamiliar,
> is that different networking media have different Maximum Transmission Units 
> (MTU) which is the largest size an L2 chunk can be and still be transported.
> In Ethernet, it's typically 1500 bytes (+ some overhead, the actual max is 
> 1514).  

It did occur to me, after I'd posted, that this may be part of the explanation.

> Your OVPN link is probably using 1500 as well.  But OpenVPN wraps some header 
> information around the Ethernet frame to deliver it correctly; what can happen
> is that the payload size can be larger than 1500 on the VPN link, forcing the 
> entire frame to be dropped.

Indeed, I am using the default MTU of 1500. 

> A quick way to diagnose this... if you ssh and do commands with minimal output, 
> it will work fine.  If you do a huge directory listing, it will spaz and die 
> (because you go from small to large packets).
> Have you seen anything like that?  Can you give us a quick breakdown of how 
> the routing looks between sites?

Well, a long directory listing doesn't actually cause terminal death (as it
were), but it does stutter somewhat...

As for the routing between sites, if I understand correctly what you're
asking, then it's simply a small LAN in the office attached via a commodity
ADSL modem, with Samba and OpenVPN running on the same host. OpenVPN is
running in bridged Ethernet mode, and assigns IP addresses to connecting 
clients. Therefore, effectively there is no routing between sites, as far
as our CIFS/SMB clients are concerned. However, the physical routing is
essentially as you'd expect - the office is on a standard domestic grade
ADSL link, as are two of the remote users. The other remote users and I
are connected over cable, and all are subject to our upstream providers'
routing policies.

I'm going to try fiddling with the MTU/fragment/mssfix settings in my
OpenVPN configs, and see how we get on.

Thanks again, your help is appreciated.
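
One way to test the path MTU theory discussed in this message, as an added example that is not part of the original post: a binary search for the largest ICMP payload that crosses a path with Don't Fragment set. It assumes Linux iputils `ping`; `PMTU_HOST`, the function names, and the 500-byte lower bound are hypothetical choices made for this example.

```shell
#!/bin/sh
# Added example: find the largest ICMP payload that crosses a path unfragmented.
# Assumes Linux iputils ping (-M do sets Don't Fragment); FreeBSD ping uses -D.

# Real probe: succeeds if one DF-flagged echo with payload size $1 gets a reply.
# PMTU_HOST is a hypothetical variable naming the host at the far end of the path.
probe_ping() {
    ping -c 1 -W 2 -M do -s "$1" "$PMTU_HOST" >/dev/null 2>&1
}

# find_max_payload PROBE LO HI
# Binary search for the largest size in [LO, HI] for which PROBE succeeds.
# Prints that size, or returns 1 if even LO fails (host unreachable or filtered).
find_max_payload() {
    probe=$1 lo=$2 hi=$3
    if ! "$probe" "$lo"; then
        return 1
    fi
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$mid"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$lo"
}

# IPv4 path MTU = ICMP payload + 20 (IP header) + 8 (ICMP header).
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Constructed stand-in for a path whose MTU is 1400 (payloads up to 1372 pass),
# so the search can be exercised without a network.
probe_fake_1400() {
    [ "$1" -le 1372 ]
}

if [ -n "${PMTU_HOST:-}" ]; then
    if payload=$(find_max_payload probe_ping 500 1472); then
        echo "largest unfragmented payload: $payload bytes"
        echo "path MTU: $(payload_to_mtu "$payload") bytes"
    else
        echo "no reply from $PMTU_HOST even at 500 bytes" >&2
    fi
fi
```

Run it with `PMTU_HOST` set to the far end of the path being measured; a result below 1500 on the path that carries the VPN packets indicates that full-size frames plus the VPN's own header will not fit without fragmentation.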

