Søren Vanggaard Jensen wrote:
>
> I have a lot of problems regarding MTU and fragmentation in my Monowall
> setup. I'm currently running version 1.3b4
>
> WAN MTU is default 1500
>
> I see the following in my firewall log:
>
>
> Time Interface source Destination proto
>
> 09:54:48.343646 WAN MYWANIP SOME WEBSITE, type unreach/needfrag ICMP
>
>
>
> I've tried to explicitly allow ICMP on the WAN interface - which does not
> make a difference.
> Also every rule (LAN/WAN) allows fragmented packets. Any idea what's going
> on?
It doesn't matter whether you permit fragmented packets, the DON'T FRAG
bit is set -- which is how path MTU discovery works in TCP/IP.
You need to enable ICMP need-frag error messages from your internal
hosts to external hosts.
- M |
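The mechanism M describes, as an added example (not code from the thread or from m0n0wall): a router builds the ICMP type 3 / code 4 "unreach/needfrag" message carrying the next-hop MTU, the sending host parses it to lower its path MTU estimate, and a small simulation shows why permitting fragments does not help: with DF set the oversized packet is dropped rather than fragmented, and if the firewall filters the ICMP reply the sender never learns the smaller MTU. The link MTUs and the quoted IP header bytes are constructed sample data.

```python
import struct

ICMP_DEST_UNREACH = 3   # ICMP type: Destination Unreachable
ICMP_FRAG_NEEDED = 4    # code: Fragmentation Needed and DF Set (RFC 1191)

def icmp_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_needfrag(next_hop_mtu: int, dropped_datagram: bytes) -> bytes:
    """Router side: the message sent back when a DF-set packet exceeds the link MTU.
    Layout: type, code, checksum, unused(16 bits), next-hop MTU(16 bits),
    followed by the dropped packet's IP header plus 8 bytes of its payload."""
    head = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    msg = head + dropped_datagram[:28]
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]

def parse_needfrag(msg: bytes):
    """Host side: return the advertised next-hop MTU, or None if the message is
    not a well-formed needfrag (wrong type/code, truncated, or bad checksum)."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if typ != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    return mtu

def simulate_pmtud(path_mtus, firewall_passes_needfrag: bool, max_rounds: int = 8):
    """Send DF-set datagrams sized to the current PMTU estimate (starting at 1500).
    Returns ('ok', pmtu) once a packet fits every link on the path, or
    ('blackhole', pmtu) when the ICMP feedback is filtered and the sender keeps
    retransmitting at a size the path cannot carry."""
    pmtu = 1500
    for _ in range(max_rounds):
        bottleneck = next((m for m in path_mtus if m < pmtu), None)
        if bottleneck is None:
            return ("ok", pmtu)
        # DF is set, so the router drops the packet instead of fragmenting it
        # and replies with needfrag; the quoted header below is a constructed stub.
        quoted = b"\x45" + b"\x00" * 27
        icmp = build_needfrag(bottleneck, quoted)
        if not firewall_passes_needfrag:
            return ("blackhole", pmtu)   # reply never reaches the sending host
        pmtu = parse_needfrag(icmp)      # sender shrinks its estimate and retries
    return ("blackhole", pmtu)
```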