 
 From:  Michael Sierchio <kudzu at tenebras dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] MTU fragmentation problem
 Date:  Wed, 29 Aug 2007 08:45:42 -0700
Søren Vanggaard Jensen wrote:
>
> I have a lot of problems regarding MTU and fragmentation in my Monowall
> setup. I'm currently running version 1.3b4
>
> WAN MTU is default 1500
>
> I see the following in my firewall log:
>
> Time Interface source Destination proto
>
> 09:54:48.343646 WAN MYWANIP SOME WEBSITE, type unreach/needfrag ICMP
>
> I've tried to explicitly allow ICMP on the WAN interface - which does not
> make a difference.
> Also every rule (LAN/WAN) allows fragmented packets. Any idea what's going
> on?

It doesn't matter whether you permit fragmented packets, the DON'T FRAG
bit is set -- which is how path MTU discovery works in TCP/IP.

You need to enable ICMP need-frag error messages from your internal
hosts to external hosts.

- M
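Detection logic for the symptom discussed in this thread, added here as an example; it is not code from the original posts or from m0n0wall. It parses firewall log lines in the layout of the excerpt above (the sample lines are constructed, and the regex, threshold and function names are assumptions) and reports destinations whose outbound ICMP "fragmentation needed" (type 3, code 4) messages keep getting dropped, which is the path-MTU blackhole pattern the reply explains.

```python
import re
from collections import Counter

# Constructed sample lines in the layout the firewall log excerpt shows:
# <time> <interface> <source> <destination>, type <icmp subtype> ICMP
SAMPLE_LOG = """\
09:54:48.343646 WAN MYWANIP SOME WEBSITE, type unreach/needfrag ICMP
09:54:49.120001 WAN MYWANIP SOME WEBSITE, type unreach/needfrag ICMP
09:55:02.000100 WAN MYWANIP OTHER SITE, type echoreq ICMP
09:55:10.500000 LAN 192.0.2.10 SOME WEBSITE, type unreach/needfrag ICMP
09:55:11.000000 WAN MYWANIP SOME WEBSITE, type unreach/needfrag ICMP
"""

# Destination may contain spaces, so capture lazily up to the comma.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+?),\s+type\s+(\S+)\s+ICMP\s*$")

# "unreach/needfrag" is ICMP type 3 (destination unreachable), code 4
# (fragmentation needed and DF set): the message path MTU discovery relies on.
NEEDFRAG = "unreach/needfrag"


def parse_line(line):
    """Return (time, iface, src, dst, icmp_subtype) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def needfrag_drops(log_text):
    """Count dropped need-frag messages per (interface, source, destination)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[4] == NEEDFRAG:
            _, iface, src, dst, _ = parsed
            counts[(iface, src, dst)] += 1
    return counts


def pmtud_blackhole_report(log_text, threshold=2):
    """Flows with repeated need-frag drops: likely PMTU blackholes.

    Returns (iface, src, dst, count) tuples, most frequent first."""
    hits = [(k[0], k[1], k[2], n) for k, n in needfrag_drops(log_text).items()
            if n >= threshold]
    return sorted(hits, key=lambda h: -h[3])


if __name__ == "__main__":
    for iface, src, dst, n in pmtud_blackhole_report(SAMPLE_LOG):
        print(f"{iface}: {src} -> {dst}: {n} need-frag messages dropped")
```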