In a configuration like the following (with monowall on Soekris hardware, default conf, only the traffic shaper enabled):

PPPoE WAN link (MTU 1492) -- monowall -- LAN hosts (MTU 1500)

If a LAN host tries to send an IP packet of 1500 bytes (including the IP header, of course) to the internet, thus using all of its available MTU, and it also sets the DF (don't fragment) bit in the header, monowall, during routing, should generate an ICMP type 3 "fragmentation required but DF set" because it is impossible to send such a packet over the WAN link (due to the lower MTU of 1492 compared to the LAN). But that seems not to happen: monowall doesn't send such an ICMP error message to the LAN host, breaking path MTU discovery and thus leading to a communication stall.

I.e. from a LAN host, Windows XP "ping -n 1 -f -l 1466 www.google.com" doesn't get replies, nor the ICMP "fragmentation required" from monowall as expected, because it sends packets bigger than the WAN MTU (1466 payload + 8 ICMP header + 20 IP header = 1494 > 1492 PPPoE MTU).

This could become a problem if you have a service behind the firewall (like a web server) that generates big packets with DF set in order to improve internet performance (yes, a workaround is to lower the MTU on the LAN host or to disable the DF bit, but it is still an ugly workaround).

Is that a problem of my particular configuration, a known one, or a FreeBSD related one?

Thanks for the help
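To make the expected router behaviour concrete, here is an added example (not from the original post or from m0n0wall) that applies the RFC 1191 rule to the post's ping, builds the ICMP type 3 code 4 message a compliant gateway should have returned (with the next-hop MTU of 1492 filled in), and decodes it; the addresses and packet identification are constructed values.

```python
import struct

IP_DF = 0x4000          # IPv4 "Don't Fragment" flag in the flags/fragment-offset field
ICMP_DEST_UNREACH = 3   # ICMP type 3: Destination Unreachable
ICMP_FRAG_NEEDED = 4    # code 4: Fragmentation needed and DF set (RFC 792 / RFC 1191)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def must_send_frag_needed(total_len: int, flags_frag: int, egress_mtu: int) -> bool:
    """RFC 1191: a DF-set datagram larger than the egress MTU is dropped and answered with type 3 code 4."""
    return bool(flags_frag & IP_DF) and total_len > egress_mtu

def ipv4_header(total_len: int, flags_frag: int, proto: int, src: bytes, dst: bytes) -> bytes:
    """Minimal 20-byte IPv4 header; the IP checksum is left zero, it is not needed here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag, 64, proto, 0, src, dst)

def build_frag_needed(orig_ip_header: bytes, orig_payload8: bytes, next_hop_mtu: int) -> bytes:
    """Type, code, checksum, 16 unused bits, 16-bit next-hop MTU, then the dropped IP header + 8 data bytes."""
    body = orig_ip_header + orig_payload8
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    csum = inet_checksum(hdr + body)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + body

def parse_frag_needed(icmp: bytes) -> dict:
    """Decode a received message; the quoted original header shows what was dropped."""
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        raise ValueError("not a Fragmentation Needed message")
    # Original IP header starts at offset 8: total length at bytes 2-3, flags/offset at bytes 6-7
    orig_total_len, orig_flags = struct.unpack("!HH", icmp[10:12] + icmp[14:16])
    return {"next_hop_mtu": mtu, "orig_total_len": orig_total_len, "orig_df": bool(orig_flags & IP_DF)}

def pmtud_scenario(ping_payload: int = 1466, wan_mtu: int = 1492) -> dict:
    """Constructed reproduction of the post's 'ping -f -l 1466': 20-byte IP header +
    8-byte ICMP echo header + payload, DF set. Addresses are constructed examples."""
    total_len = 20 + 8 + ping_payload
    ip_hdr = ipv4_header(total_len, IP_DF, 1, bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    echo_hdr = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # echo request type/code/csum/id/seq
    required = must_send_frag_needed(total_len, IP_DF, wan_mtu)
    reply = parse_frag_needed(build_frag_needed(ip_hdr, echo_hdr, wan_mtu)) if required else None
    return {"total_len": total_len, "icmp_required": required, "reply": reply}
```

Running `pmtud_scenario()` shows the 1494-byte probe must be answered with a next-hop MTU of 1492, while `pmtud_scenario(1464)` fits the link exactly and needs no ICMP at all.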