2005-04-07 12:20:48

by Nico Schottelius

Subject: PMTU, MSS and "fragmentation needed" problem with linux?

Hello!

[I hope this is the correct list, if not, please tell me where to ask]

The following scenario:

Linux-client <-- Ethernet --> Linux-router <-- PPPoE --> Internet.
Linux-client has MTU==1500, so the MSS is 1460.
Linux-router has MTU==1500 on eth0 and MTU=1492 on ppp0.
The MSS is set to 1452 via pppoe command line.

My question: May the MSS on ppp0 be 1460? Imho not, as

RFC 879 defines the MSS as MTU-40, which would be 1452.
But tcpdump says 1460 on ppp0.
On another box the MTU is set to 1460 and I still see packets
with MSS 1460. Is this correct?
Should not the Linux-router send the client a packet ICMP type 3,
subtype 4, Frag needed, but DF-Bit set?

I ask this because of a problem I have on the first box:
If the clients have an MTU of 1500, they cannot connect
to some servers and get timeouts.

The firewall was tested with iptables off (only MASQUERADE on), so that
all ICMP packets are allowed.

Thank you for any hint!

Nico

--
Keep it simple & stupid, use what's available.
Please use pgp encryption: 8D0E 27A4 is my id.
http://nico.schotteli.us | http://linux.schottelius.org



2005-04-07 17:33:30

by Florian Attenberger

Subject: Re: PMTU, MSS and "fragmentation needed" problem with linux?

From my shorewall.conf:
-----------------
#
# MSS CLAMPING
#
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
# option. This option is most commonly required when your internet
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
# have CONFIG_IP_NF_TARGET_TCPMSS set.
#
# [From the kernel help:
#
# This option adds a `TCPMSS' target, which allows you to alter the
# MSS value of TCP SYN packets, to control the maximum size for that
# connection (usually limiting it to your outgoing interface's MTU
# minus 40).
#
# This is used to overcome criminally braindead ISPs or servers which
# block ICMP Fragmentation Needed packets. The symptoms of this
# problem are that everything works fine from your Linux
# firewall/router, but machines behind it can never exchange large
# packets:
# 1) Web browsers connect, then hang with no data received.
# 2) Small mail works fine, but large emails hang.
# 3) ssh works fine, but scp hangs after initial handshaking.
# ]
#
# If left blank, or set to "No" or "no", the option is not enabled.
#
CLAMPMSS=1412
--------------------

see also:
http://en.tldp.org/HOWTO/IP-Masquerade-HOWTO/mtu-issues.html
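To make the "MTU minus 40" rule from the kernel help concrete, here is an added Python example (it is not code from the thread, from Shorewall or from netfilter) that builds a TCP SYN carrying an MSS option, walks the option list the way tcpdump would to read the announced MSS, and then does what the TCPMSS target does on a router: lower the MSS to outgoing-MTU minus 40 and recompute the TCP checksum. The client and server addresses, ports and the SYN itself are constructed sample data, and an IPv4 header without options is assumed.

```python
import struct

# RFC 879's "MSS = MTU - 40" assumes a 20-byte IPv4 header and a 20-byte TCP header.
IPV4_HDR_LEN = 20
TCP_HDR_LEN = 20
TCP_OPT_MSS = 2
TCP_CHECKSUM_OFFSET = 16

# Constructed sample addresses (RFC 1918 client, RFC 5737 documentation server).
CLIENT_IP = bytes([192, 168, 1, 10])
SERVER_IP = bytes([203, 0, 113, 5])


def expected_mss(mtu):
    """Largest TCP payload that fits one unfragmented IPv4 packet on a link with this MTU."""
    return mtu - IPV4_HDR_LEN - TCP_HDR_LEN


def tcp_checksum(src_ip, dst_ip, segment):
    """Internet checksum over the IPv4 pseudo-header plus the TCP segment; 0 means valid."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip, dst_ip, src_port, dst_port, mss):
    """Constructed TCP SYN carrying only an MSS option, with a valid checksum."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    data_offset = (TCP_HDR_LEN + len(options)) // 4   # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)   # 0x02 = SYN flag
    segment = header + options
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:TCP_CHECKSUM_OFFSET] + struct.pack("!H", csum) + segment[TCP_CHECKSUM_OFFSET + 2:]


def find_mss_option(segment):
    """Walk the TCP option list; return (offset of the 16-bit value, mss) or None."""
    data_offset = (segment[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < data_offset:
        kind = segment[i]
        if kind == 0:             # End of Option List
            break
        if kind == 1:             # NOP padding
            i += 1
            continue
        if i + 1 >= data_offset:  # truncated option: stop rather than read past the header
            break
        length = segment[i + 1]
        if length < 2:
            break
        if kind == TCP_OPT_MSS and length == 4:
            return i + 2, struct.unpack("!H", segment[i + 2:i + 4])[0]
        i += length
    return None


def clamp_mss(segment, mtu, src_ip, dst_ip):
    """Do what netfilter's TCPMSS target does: lower the SYN's MSS to mtu-40 if it is larger.

    Returns (possibly rewritten segment, MSS now announced), or (segment, None) without an MSS option.
    """
    found = find_mss_option(segment)
    if found is None:
        return segment, None
    offset, mss = found
    limit = expected_mss(mtu)
    if mss <= limit:
        return segment, mss
    patched = bytearray(segment)
    patched[offset:offset + 2] = struct.pack("!H", limit)
    patched[TCP_CHECKSUM_OFFSET:TCP_CHECKSUM_OFFSET + 2] = b"\x00\x00"
    csum = tcp_checksum(src_ip, dst_ip, bytes(patched))
    patched[TCP_CHECKSUM_OFFSET:TCP_CHECKSUM_OFFSET + 2] = struct.pack("!H", csum)
    return bytes(patched), limit


if __name__ == "__main__":
    syn = build_syn(CLIENT_IP, SERVER_IP, 40000, 80, 1460)   # a client with MTU 1500
    for mtu in (1500, 1492, 1460):
        _, announced = clamp_mss(syn, mtu, CLIENT_IP, SERVER_IP)
        print("outgoing MTU %d -> MSS on the wire %d" % (mtu, announced))
```

Run against a SYN announcing 1460, the function leaves it alone for an outgoing MTU of 1500 and rewrites it to 1452 for a 1492-byte PPPoE link or 1420 for a 1460-byte one; a capture on ppp0 after clamping should show those values instead of 1460.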

2005-04-08 00:33:19

by Nico Schottelius

Subject: Re: PMTU, MSS and "fragmentation needed" problem with linux?

Thanks for the hints Florian, but still there are open questions:

Florian Attenberger [Thu, Apr 07, 2005 at 07:33:09PM +0200]:
> [...]
> # [From the kernel help:
> #
> # This option adds a `TCPMSS' target, which allows you to alter the
> # MSS value of TCP SYN packets, to control the maximum size for that
> # connection (usually limiting it to your outgoing interface's MTU
> # minus 40).

The MTU is 1460 or 1492 in tested cases. This means on ppp0, TCPMSS
should be 1420 or maximum of 1452. Why do I see 1460 on the interface?

> # This is used to overcome criminally braindead ISPs or servers which
> # block ICMP Fragmentation Needed packets.

That's clear to me, there are sites out there debating that problem.
But:

- Should not _my_ Linux-router tell _my_ client that the MTU chosen
is too big?
- On the tested connections _all_ icmp types were allowed (disabled iptables)
- As far as I can see, the routers between the two hosts
don't drop the generated icmp-packets

The first of the questions was the reason I chose this ML, because I
was wondering why my client does not get the DF-bit-set, but frag-needed
ICMP message from the Linux-router.

Or did I understand the technique wrong?

Greetings,

Nico

--
Keep it simple & stupid, use what's available.
Please use pgp encryption: 8D0E 27A4 is my id.
http://nico.schotteli.us | http://linux.schottelius.org


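The message the thread keeps coming back to is ICMP type 3, code 4 ("fragmentation needed and DF set"). As an added example (not code from the thread or from the Linux kernel), the Python below builds such a message the way an RFC 1191 router does, with the next-hop MTU in the header and the offending datagram's IPv4 header plus eight bytes quoted, and decodes it the way a receiving host does, including the fallback to the RFC 1191 plateau table when an older router reports a next-hop MTU of 0. Being able to decode these from a capture is how one checks whether they actually reach the client. The quoted datagram (a 1500-byte DF packet from 192.168.1.10 to 203.0.113.5, TCP port 40000 to 80) is constructed sample data; an IPv4 header without options is assumed.

```python
import struct

ICMP_DEST_UNREACH = 3     # ICMP type 3: destination unreachable
ICMP_FRAG_NEEDED = 4      # code 4: fragmentation needed but DF set
# RFC 1191 plateau table, used when a router reports a next-hop MTU of 0.
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]

# Constructed original datagram: 1500-byte IPv4 packet with DF set, TCP 40000 -> 80.
# (The IPv4 header checksum is left at zero; the decoder below does not verify it.)
ORIGINAL_DATAGRAM = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    + struct.pack("!HHI", 40000, 80, 1000)
)


def inet_checksum(data):
    """Standard ones-complement checksum; 0 when run over a message that already carries it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu, original_datagram):
    """Router side: type 3, code 4, next-hop MTU, quoting the IPv4 header plus 8 bytes (RFC 1191)."""
    quoted = original_datagram[:28]   # 20-byte IPv4 header (no options assumed) + 8 transport bytes
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def decode_frag_needed(packet):
    """Host side: return what a PMTU-aware stack learns from the message, or None if it is not one."""
    if len(packet) < 36 or inet_checksum(packet) != 0:
        return None
    icmp_type, code, _csum, _unused, reported_mtu = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    ip = packet[8:28]                                   # quoted IPv4 header, IHL 5 assumed
    total_len, _ident, flags_frag = struct.unpack("!HHH", ip[2:8])
    proto = ip[9]
    src_port, dst_port = struct.unpack("!HH", packet[28:32])   # first two transport fields
    # Pre-RFC-1191 routers send 0; fall back to the next plateau below the dropped size.
    next_hop_mtu = reported_mtu or next((p for p in PLATEAUS if p < total_len), 68)
    return {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "proto": proto,
        "src_port": src_port,
        "dst_port": dst_port,
        "df_set": bool(flags_frag & 0x4000),
        "original_length": total_len,
        "next_hop_mtu": next_hop_mtu,
        # What the sender should use for TCP on this path from now on (RFC 879 rule).
        "new_mss": next_hop_mtu - 40 if proto == 6 else None,
    }


if __name__ == "__main__":
    msg = build_frag_needed(1492, ORIGINAL_DATAGRAM)   # a PPPoE router's answer to a 1500-byte DF packet
    print(decode_frag_needed(msg))
```

For the constructed 1500-byte datagram, a router on a 1492-byte PPPoE link reports 1492 and the decoder derives a new MSS of 1452; a router that reports 0 lands on the same 1492 through the plateau table. Truncated or checksum-damaged messages are rejected rather than trusted, which is the behaviour one wants from anything that adjusts path MTU state.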