
questions about pppoe MTU settings



Although the pppoe man page recommends an MTU of 1412 for machines behind a firewall on which pppoe is running, I don't have control over all machines on the LAN. I rely therefore on the pppoe MSS clamping feature which by default is activated by the script /etc/ppp/ip-up.d/0clampmss. This seems to work for all internet servers, but for a local machine serving to the internet using port forwarding (from machines on which I cannot control MTU size) some large packets are apparently not getting through. It's as if the MSS clamping only works in one direction, internet to local and not vice versa, at least for the failing protocol. This seems to be my root problem.

The failing server is using what I presume is a tunneling protocol, VNC, but I don't know if that's a factor. It's also not clear yet where the packets are getting blocked and I cannot easily find out at the moment.

I don't know how or if a VNC server behind a firewall would normally negotiate MTU size with a client. I would guess that the server MTU size has to be set low enough to handle all potential clients, or else ICMP would have to be forwarded to the server (which is not an option in my case). Again, setting the VNC server MTU size is also not an option.

As an attempted solution (or workaround) I have set all NIC interfaces on the firewall machine to an MTU size of 1452, but this seems to render MSS clamping nonfunctional unless I also set the ppp0 MTU to 1452. The pppoe man page, however, claims that "For best results, you must give pppd an mtu option of 1492." In addition, I have noticed that pppoe sets an MTU size of 1492 regardless of what I specify in /etc/ppp/peers/dsl-provider or in /etc/ppp/options. Thus, the recommended MTU value seems to be enforced in Debian, possibly hard-coded. These observations make me reluctant to change it, and in addition I don't know of a clean way to do so other than modifying /sbin/pon directly, which seems like a hack.

My questions are the following:

- Is this the right or best approach for local PCs behind a firewall on which the MTU size cannot be modified? (Or is there no good solution?)

- What are the practical implications of lowering the ppp MTU size below 1492? The man page only makes a vague reference to "problems with excessively-large frames."

- Assuming the ppp MTU size must change, is there a better way to do so than modifying pon?
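
Added example, not part of the original post and not code from pppoe or Debian: a Python model of what MSS clamping does to the MSS option of a SYN, and of how the direction in which SYNs are clamped decides the packet size a LAN server ends up sending. The 1492-byte ppp0 MTU is from the post; the 1500-byte LAN MTU, the port numbers and the sample TCP header are constructed assumptions, and all function names are hypothetical.

```python
import struct

OVERHEAD = 40    # IPv4 header (20) + TCP header (20), no IP options
PPP_MTU = 1492   # ppp0 MTU quoted in the post
LAN_MTU = 1500   # assumed Ethernet MTU of a LAN host that cannot be reconfigured

def u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]

def inet_sum(data):
    """Folded one's-complement sum of 16-bit words; 0xFFFF means the checksum verifies."""
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def build_syn(mss, flags=0x02):
    """Constructed 24-byte TCP header with one MSS option; checksum covers the header only."""
    def pack(csum):
        return struct.pack("!HHIIHHHHBBH", 40000, 5900, 1, 0,
                           (6 << 12) | flags, 65535, csum, 0, 2, 4, mss)
    return pack(~inet_sum(pack(0)) & 0xFFFF)

def find_mss(tcp):
    """Offset of the 16-bit MSS value inside the TCP options, or None."""
    end, i = min((tcp[12] >> 4) * 4, len(tcp)), 20
    while i + 1 < end and tcp[i] != 0:         # kind 0 ends the option list
        if tcp[i] == 2 and tcp[i + 1] == 4 and i + 4 <= end:
            return i + 2
        if tcp[i] != 1 and tcp[i + 1] < 2:     # malformed length, stop parsing
            break
        i += 1 if tcp[i] == 1 else tcp[i + 1]  # NOP is a single byte
    return None

def clamp_mss(tcp, path_mtu=PPP_MTU):
    """Lower (never raise) the MSS of a SYN or SYN/ACK to path_mtu - 40."""
    off = find_mss(tcp) if tcp[13] & 0x02 else None
    if off is None:
        return tcp
    old, new = u16(tcp, off), min(u16(tcp, off), path_mtu - OVERHEAD)
    # RFC 1624 incremental checksum update: HC' = ~(~HC + ~m + m')
    csum = ~inet_sum(struct.pack("!3H", ~u16(tcp, 16) & 0xFFFF, ~old & 0xFFFF, new)) & 0xFFFF
    return tcp[:16] + struct.pack("!H", csum) + tcp[18:off] + struct.pack("!H", new) + tcp[off + 2:]

def largest_packet_from_lan_server(clamp_inbound_syn):
    """Largest IP packet the LAN server emits after a remote SYN advertising MSS 1460."""
    syn = build_syn(LAN_MTU - OVERHEAD)        # remote client's SYN, arriving on ppp0
    if clamp_inbound_syn:
        syn = clamp_mss(syn)
    return min(u16(syn, find_mss(syn)), LAN_MTU - OVERHEAD) + OVERHEAD
```

In this model, a LAN server that sees the remote client's SYN unclamped builds 1500-byte packets, which exceed the 1492-byte ppp0 MTU; when SYNs are clamped on the way in as well, its packets stay at 1492 bytes.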


