 From:  Michael Sierchio <kudzu at tenebras dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] MTU fragmentation problem
 Date:  Wed, 29 Aug 2007 08:45:42 -0700
Søren Vanggaard Jensen wrote:
> I have a lot of problems regarding MTU and fragmentation in my Monowall
> setup. I'm currently running version 1.3b4.
> WAN MTU is the default 1500.
> I see the following in my firewall log:
> Time Interface source Destination proto
> 09:54:48.343646 WAN MYWANIP SOME WEBSITE, type unreach/needfrag ICMP
> I've tried to explicitly allow ICMP on the WAN interface, which does not
> make a difference.
> Also every rule (LAN/WAN) allows fragmented packages. Any idea what's going
> on?

It doesn't matter whether you permit fragmented packets, the DON'T FRAG
bit is set -- which is how path MTU discovery works in TCP/IP.

You need to enable ICMP need-frag error messages from your internal
hosts to external hosts.

- M
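For readers checking what the logged "unreach/needfrag" message actually carries, here is an added example (not from the list thread or the m0n0wall project) that decodes an ICMP type 3 / code 4 message: the next-hop MTU the router advertises and the quoted header of the dropped packet, including whether its DF bit was really set. The addresses, ports and MTU in the sample message are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

ICMP_UNREACH = 3      # ICMP type 3: destination unreachable
CODE_NEEDFRAG = 4     # code 4: fragmentation needed and DF set
IP_DF = 0x4000        # "don't fragment" flag in the IP flags/fragment-offset field


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by IP and ICMP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class NeedFrag:
    next_hop_mtu: int   # MTU of the link that could not carry the packet
    src: str            # sender of the dropped packet (the host that must shrink its MSS)
    dst: str            # destination of the dropped packet
    proto: int          # IP protocol of the dropped packet (6 = TCP)
    df_set: bool        # whether the quoted header really had DF set


def parse_needfrag(icmp: bytes):
    """Decode an ICMP message; return NeedFrag for a valid type 3/code 4, else None."""
    if len(icmp) < 28:                       # 8-byte ICMP header + quoted 20-byte IP header
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if typ != ICMP_UNREACH or code != CODE_NEEDFRAG:
        return None
    if inet_checksum(icmp) != 0:             # a valid message checksums to zero
        return None
    inner = icmp[8:]                         # quoted IP header + first 8 bytes of payload
    if (inner[0] >> 4) != 4 or (inner[0] & 0x0F) * 4 < 20:
        return None
    flags_frag = struct.unpack("!H", inner[6:8])[0]
    dotted = lambda b: ".".join(str(x) for x in b)
    return NeedFrag(mtu, dotted(inner[12:16]), dotted(inner[16:20]), inner[9], bool(flags_frag & IP_DF))


def build_needfrag(next_hop_mtu: int, quoted: bytes) -> bytes:
    """Construct a type 3/code 4 message quoting the first 28 bytes of the dropped packet."""
    body = struct.pack("!BBHHH", ICMP_UNREACH, CODE_NEEDFRAG, 0, 0, next_hop_mtu) + quoted[:28]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


# Constructed sample: a 1500-byte TCP segment from 192.0.2.10 to 198.51.100.7 with DF set,
# dropped by a router whose next hop only carries 1492 bytes (typical PPPoE link).
SAMPLE_QUOTED = (struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, IP_DF, 64, 6, 0,
                             bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
                 + struct.pack("!HHI", 40000, 80, 0))
SAMPLE_MSG = build_needfrag(1492, SAMPLE_QUOTED)
```

Blocking such a message on the firewall leaves the quoted sender retransmitting 1500-byte DF packets that never arrive, which is the hang the thread describes.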