Although the pppoe man page recommends an MTU of 1412 for machines behind a
firewall on which pppoe is running, I don't have control over all machines on
the LAN. I rely therefore on the pppoe MSS clamping feature which by default is
activated by the script /etc/ppp/ip-up.d/0clampmss. This seems to work for all
internet servers, but for a local machine serving to the internet using port
forwarding (from machines on which I cannot control MTU size) some large packets
are apparently not getting through. It's as if the MSS clamping only works in
one direction, internet to local and not vice versa, at least for the failing
protocol. This seems to be my root problem.

The failing server is using what I presume is a tunneling protocol, VNC, but I
don't know if that's a factor. It's also not clear yet where the packets are
getting blocked and I cannot easily find out at the moment.

I don't know how or if a VNC server behind a firewall would normally negotiate
MTU size with a client. I would guess that the server MTU size has to be set
low enough to handle all potential clients, or else ICMP would have to be forwarded
to the server (which is not an option in my case). Again, setting the VNC
server MTU size is also not an option.

As an attempted solution (or workaround) I have set all NIC interfaces on the
firewall machine to an MTU size of 1452, but this seems to render MSS clamping
nonfunctional unless I also set the ppp0 MTU to 1452. The pppoe man page,
however, claims that "For best results, you must give pppd an mtu option of
1492." In addition, I have noticed that pppoe sets an MTU size of 1492
regardless of what I specify in /etc/ppp/peers/dsl-provider or in
/etc/ppp/options. Thus, the recommended MTU value seems to be enforced in
Debian, possibly hard-coded. These observations make me reluctant to change it,
and in addition I don't know of a clean way to do so other than modifying
/sbin/pon directly, which seems like a hack.

My questions are the following:

- Is this the right or best approach for local PCs behind a firewall on which the
  MTU size cannot be modified? (Or is there no good solution?)
- What are the practical implications of lowering the ppp MTU size below 1492?
  The man page only makes a vague reference to "problems with excessively-large
  frames."
- Assuming the ppp MTU size must change, is there a better way to do so than
  modifying pon?
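What MSS clamping changes in a packet, as an added example that is not part of the original post and is not the code pppoe or iptables use: the MSS option exists only in SYN and SYN-ACK segments, so a clamp has to see the handshake segment in each direction. The function name `clamp_mss`, the sample ports and the 40-byte IPv4+TCP overhead (no IP options) are assumptions; for the 1492-byte PPPoE MTU quoted above the resulting limit is 1452.

```python
import struct

IPV4_TCP_OVERHEAD = 40  # assumed: 20-byte IPv4 header + 20-byte TCP header
SYN = 0x02

def clamp_mss(tcp: bytes, link_mtu: int) -> bytes:
    """Lower the MSS option of a SYN/SYN-ACK so full segments fit link_mtu."""
    if len(tcp) < 20:
        return tcp
    header_len = (tcp[12] >> 4) * 4
    if not tcp[13] & SYN or header_len < 20 or header_len > len(tcp):
        return tcp                      # MSS is only carried on SYN segments
    limit = link_mtu - IPV4_TCP_OVERHEAD
    i = 20
    while i < header_len:
        kind = tcp[i]
        if kind == 0:                   # end of option list
            break
        if kind == 1:                   # NOP padding is a single byte
            i += 1
            continue
        if i + 1 >= header_len:
            break
        length = tcp[i + 1]
        if length < 2 or i + length > header_len:
            break                       # malformed option: leave segment alone
        if kind == 2 and length == 4:   # MSS option
            if struct.unpack_from("!H", tcp, i + 2)[0] <= limit:
                return tcp
            out = bytearray(tcp)
            struct.pack_into("!H", out, i + 2, limit)
            # Incremental checksum update (RFC 1624): HC' = ~(~HC + ~m + m'),
            # applied to each aligned 16-bit word the rewrite touched.
            s = ~struct.unpack_from("!H", tcp, 16)[0] & 0xFFFF
            for off in range((i + 2) & ~1, i + 4, 2):
                s += ~struct.unpack_from("!H", tcp, off)[0] & 0xFFFF
                s += struct.unpack_from("!H", out, off)[0]
            while s >> 16:
                s = (s & 0xFFFF) + (s >> 16)
            struct.pack_into("!H", out, 16, ~s & 0xFFFF)
            return bytes(out)
        i += length
    return tcp

if __name__ == "__main__":
    # Constructed SYN to port 5900 advertising MSS 1460; checksum is a placeholder.
    syn = struct.pack("!HHIIBBHHH", 40000, 5900, 1, 0, 6 << 4, SYN, 65535, 0, 0)
    syn += bytes([2, 4]) + struct.pack("!H", 1460)
    print(struct.unpack_from("!H", clamp_mss(syn, 1492), 22)[0])
```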