
Re: Change MTU for forwarded packets



George Borisov wrote:
> Pascal Hambourg wrote:
>
>> Yes, if the firewall is a router (not a bridge). You just set the
>> desired MTU on the output interface.
>
> This confuses me a little.
>
> If by outgoing you mean the external interface on my firewall

Yes, that's what I mean.

> then why did changing the MTU on the LAN computers fix the problem?

Probably because the LAN hosts won't send packets bigger than their MTU. Besides, they will use that local MTU to compute the MSS they send to the other hosts when establishing a TCP connection, so the other hosts won't send packets bigger than the transmitted MSS + TCP header size.

When you reduce the firewall's external interface MTU, packets forwarded from a LAN host to the outside bigger than the MTU (plus the IPsec encapsulation) will be fragmented if they have the DF (Don't Fragment) flag cleared, or discarded with an ICMP fragmentation-needed error message otherwise. However, it won't change the TCP MSS transmitted by LAN hosts unless they use Path MTU Discovery (PMTU).

> Surely the MTU should be set on the internal interface, so as to
> force all of the LAN clients to send smaller packets?

If you mean the firewall's internal interface, I'm afraid this would be ineffective, because it won't force the LAN hosts to send smaller packets: the T in MTU stands for "Transmit", which applies to packets transmitted (either locally generated or forwarded) by the local host on this interface.
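Added illustration, not part of Pascal's reply or the thread: a small Python model of the behaviour described above. It assumes IPv4 with 20-byte IP and TCP headers and no options, and uses a constructed IPsec overhead value; it shows that a LAN host's advertised MSS comes only from that host's own MTU, and what the firewall then does with a full-size segment on its external interface.

```python
from dataclasses import dataclass

IP_HDR = 20   # IPv4 header without options (assumption)
TCP_HDR = 20  # TCP header without options (assumption)


def mss_from_mtu(mtu: int) -> int:
    """MSS a host advertises: derived from the MTU of its *own* interface,
    never from the MTU of the firewall's internal interface."""
    return mtu - IP_HDR - TCP_HDR


@dataclass
class Packet:
    size: int  # total IP length in bytes
    df: bool   # Don't Fragment flag


def forward(pkt: Packet, out_mtu: int, ipsec_overhead: int = 0):
    """Router decision for a forwarded packet on the output interface.
    Returns ("forward", [size]), ("fragment", [sizes]) or
    ("icmp-frag-needed", []) when DF is set and the packet is too big."""
    budget = out_mtu - ipsec_overhead  # room left once encapsulated
    if pkt.size <= budget:
        return "forward", [pkt.size]
    if pkt.df:
        return "icmp-frag-needed", []  # dropped; sender is told the limit
    # IPv4 fragment offsets are in 8-byte units, so trim the payload room.
    payload_room = (budget - IP_HDR) // 8 * 8
    remaining = pkt.size - IP_HDR
    frags = []
    while remaining > 0:
        chunk = min(payload_room, remaining)
        frags.append(IP_HDR + chunk)
        remaining -= chunk
    return "fragment", frags


def scenario(lan_host_mtu: int, fw_external_mtu: int,
             ipsec_overhead: int, df: bool = True) -> str:
    """A LAN host sends one full-size TCP segment through the firewall.
    Note the firewall's internal-interface MTU never enters the calculation."""
    mss = mss_from_mtu(lan_host_mtu)
    segment = Packet(IP_HDR + TCP_HDR + mss, df)
    return forward(segment, fw_external_mtu, ipsec_overhead)[0]


if __name__ == "__main__":
    # Constructed values: 1500-byte Ethernet MTUs, 56 bytes of IPsec overhead.
    print(scenario(1500, 1500, 56))  # icmp-frag-needed
    print(scenario(1400, 1500, 56))  # forward: lowering the LAN host MTU fixes it
```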


