
Re: Change MTU for forwarded packets



George Borisov wrote:
> Matt Ryan wrote:
>> Only if you have pMTU running successfully end-to-end. That requires
>> ICMP working end-to-end which I think I read was a problem with your
>> set-up...
> 
> What's the best way to test this sort of stuff?
> 
> I must admit I am still confused. I reduced the MTU on both
> internal and external interfaces of the firewall, but I am still
> having problems. (Client PCs in SA have trouble connecting to the
> Exchange server in the UK; reducing the MTU on the client PC
> fixed it.)
> 
> In addition, reducing the MTU on the internal interface broke
> access to some websites (e.g. microsoft.com :-p) How does that
> one work? 8-/

Microsoft is notorious for acting badly in the scenario where the
end-to-end MTU is less than 1500 bytes. That said, poor practice on
setting up firewall rules (blocking all ICMP) is just as bad as pMTU
(http://en.wikipedia.org/wiki/PMTU) then also fails. To avoid any
problems you need to have an end-to-end connection that can manage 1500
byte packets. If you can't do that then you need to either use a
tunnelling technique that allows transparent segmentation/reassembly of
packets that exceed MTU (Cisco routers will allow this with GRE and
perhaps L2TPv3) or lower the MTU on all clients. Testing using 'ping -s
1500 <dest_ip>' is the best option to check everything will work.


Matt.
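As an added illustration (not code from anyone in this thread), here is a small Python model of what the ping test above exercises: a path-MTU search that reads the next-hop MTU out of an ICMP "Fragmentation Needed" message, and flags the black-hole case where a firewall filters that ICMP so the path never reports its MTU. The path is simulated inline (`simulated_path` is a constructed stand-in, not a real network), and sizes are whole IP datagrams including headers.

```python
"""Path-MTU discovery as a binary search over DF-marked probe sizes."""
import struct

ICMP_DEST_UNREACH, CODE_FRAG_NEEDED = 3, 4


def parse_frag_needed(icmp: bytes):
    """Next-hop MTU carried in an ICMP type 3 / code 4 message (RFC 1191),
    or None for any other ICMP message."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    return mtu if (icmp_type, code) == (ICMP_DEST_UNREACH, CODE_FRAG_NEEDED) else None


def discover_path_mtu(probe, lo=576, hi=1500):
    """Find the largest DF-marked datagram the path carries.

    probe(size) returns True (echo reply received), an ICMP message as bytes
    (router said the packet was too big), or None (nothing came back).
    Returns (mtu, blackhole); blackhole is True when a probe was silently
    dropped, the symptom of ICMP being filtered somewhere on the path."""
    blackhole = False
    while lo < hi:
        mid = (lo + hi + 1) // 2
        reply = probe(mid)
        if reply is True:
            lo = mid                      # mid fits: search upwards
        elif reply is None:
            blackhole = True              # no ICMP, no hint: shrink blindly
            hi = mid - 1
        else:
            hint = parse_frag_needed(reply)
            # Trust the router's next-hop MTU when it gives one; some old
            # routers send 0, in which case fall back to plain bisection.
            hi = max(lo, min(mid - 1, hint)) if hint else mid - 1
    return lo, blackhole


def simulated_path(link_mtu, icmp_filtered=False):
    """Constructed stand-in for a real path: one link with the given MTU and a
    firewall that optionally drops the ICMP 'Fragmentation Needed' message."""
    def probe(size):
        if size <= link_mtu:
            return True
        if icmp_filtered:
            return None
        # type 3, code 4, checksum left 0 (not verified here), unused, next-hop MTU
        return struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 0, 0, link_mtu)
    return probe
```

With ICMP passing, the router's hint lets the search converge in a few probes; with ICMP filtered the same MTU is found only by blind bisection and the caller is told the path is a black hole.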


