Hanging websites, scp fails, ftp stalls ..., odd network behavior

If you have ever had broken websites or stalling traffic:
connections work, telnet works, ssh works ... but you can't reach some websites or VPNs, or you see some other odd behavior.
Well, the problem can be PMTU (Path MTU)

I had this problem last year when I switched to a new provider

My setup is a DSL connection with a Linux firewall for the home network
Some sites are broken and some of them are working if you are lucky
After doing some small debugging I saw that it was an MTU issue

Normally the default MTU size is 1500, but for a PPPoE connection it is reduced to 1492
My first thought was simply to lower the MTU on the client,
because for some reason my firewall is blocking the ICMP message (MSS) to the client.
After some testing, the working value (with no fragmentation) is 1472, while the PPPoE interface is using 1492.
Lowering the client MTU to 1472 gives a great result

Now that I had some more time, I had to investigate this issue
(I don't want to change the MTU on all my guests' PCs)

I discovered (in the man page) that the simplest way is to add an iptables rule and allow this MSS packet

So if you have PPPoE and an iptables firewall ...
I just added this rule to my firewall that will forward this MSS message

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
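
What that rule does to each forwarded SYN, as an added example that is not part of the original post: the TCPMSS target lowers the MSS option to the path MTU minus 40 bytes (IPv4 plus TCP header) and fixes the TCP checksum, so neither end sends segments too large for the PPPoE link. The addresses, ports and function names are constructed for illustration.

```python
import struct

IPV4_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header

def tcp_checksum(src: bytes, dst: bytes, seg: bytes) -> int:
    """Internet checksum over the IPv4 pseudo-header plus the TCP segment."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(seg)) + seg
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def clamp_mss(src: bytes, dst: bytes, seg: bytes, path_mtu: int) -> bytes:
    """Lower the MSS option of a SYN to path_mtu - 40 and fix the checksum."""
    if len(seg) < 20 or not seg[13] & 0x02:      # only SYN segments carry MSS
        return seg
    header_len = min((seg[12] >> 4) * 4, len(seg))
    limit = path_mtu - IPV4_TCP_OVERHEAD
    out, i = bytearray(seg), 20
    while i + 1 < header_len:
        kind, length = seg[i], seg[i + 1]
        if kind == 0:                            # end of option list
            break
        if kind == 1:                            # NOP is a single byte
            i += 1
            continue
        if length < 2 or i + length > header_len:
            break                                # malformed: leave untouched
        if kind == 2 and length == 4:            # MSS option
            if struct.unpack_from("!H", seg, i + 2)[0] > limit:  # never raise it
                struct.pack_into("!H", out, i + 2, limit)
                out[16:18] = b"\x00\x00"         # zero checksum, then recompute
                struct.pack_into("!H", out, 16, tcp_checksum(src, dst, bytes(out)))
            break
        i += length
    return bytes(out)

def build_syn(src: bytes, dst: bytes, mss: int) -> bytes:
    """Constructed sample: a 24-byte SYN whose only option is MSS."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 64240, 0, 0)
    seg = hdr + struct.pack("!BBH", 2, 4, mss)
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]

def mss_of(seg: bytes) -> int:                   # MSS is the first option in the sample
    return struct.unpack_from("!H", seg, 22)[0]

if __name__ == "__main__":
    a, b = bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5])  # constructed addresses
    print(mss_of(clamp_mss(a, b, build_syn(a, b, 1460), 1492)))
```

A client on a 1500-byte LAN advertises an MSS of 1460; with the PPPoE MTU of 1492 the clamped value becomes 1452.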

I hope I can help some ppl with this blog