George Borisov wrote:
> Pascal Hambourg wrote:
>> Yes, if the firewall is a router (not a bridge). You just set the
>> desired MTU on the output interface.
> This confuses me a little.
> If by outgoing you mean the external interface on my firewall
Yes, that's what I mean.
> then why did changing the MTU on the LAN computers fix the problem?
Probably because the LAN hosts won't send packets bigger than their MTU.
Besides, they will use that local MTU to compute the MSS they send to
the other hosts when establishing a TCP connection, so the other hosts
won't send packets bigger than the transmitted MSS + TCP header size.
When you reduce the firewall's external interface MTU, packets forwarded
from a LAN host to the outside bigger than the MTU (plus the IPsec
encapsulation) will be fragmented if they have the DF (Don't Fragment)
flag cleared, or discarded with an ICMP fragmentation-needed error
message otherwise. However, it won't change the TCP MSS transmitted by
LAN hosts unless they use Path MTU Discovery (PMTU).
> Surely the MTU should be set on the internal interface, so as to
> force all of the LAN clients to send smaller packets?
If you mean the firewall's internal interface, I'm afraid this would be
ineffective, because it won't force the LAN hosts to send smaller
packets: the T in MTU stands for "Transmit", which applies to packets
transmitted (either locally generated or forwarded) by the local host on
this interface.
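An added illustration of the reasoning above (example code, not from the thread or either poster): it models the MSS a LAN host derives from its own MTU and the router's decision for a packet leaving over the IPsec tunnel. The 60-byte ESP overhead is an assumed constant for illustration; real tunnel overhead depends on the cipher and mode.

```python
from dataclasses import dataclass

IPV4_HDR = 20           # bytes, no IP options
TCP_HDR = 20            # bytes, no TCP options
ESP_OVERHEAD = 60       # assumed tunnel-mode ESP overhead, for illustration only


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS a host derives from its local interface MTU (IPv4, no options).
    This is what the LAN host advertises in its SYN; the firewall's MTU settings
    play no part in it unless the host runs Path MTU Discovery."""
    return mtu - IPV4_HDR - TCP_HDR


def full_segment_from_peer(lan_mtu: int) -> int:
    """Largest TCP/IP packet the remote peer may send back, given the MSS the LAN
    host advertised: MSS + TCP header + IPv4 header."""
    return mss_for_mtu(lan_mtu) + TCP_HDR + IPV4_HDR


@dataclass
class Verdict:
    action: str     # "forwarded", "fragmented" or "icmp-frag-needed"
    wire_size: int  # size on the external link after encapsulation


def forward(packet_len: int, df: bool, ext_mtu: int,
            ipsec_overhead: int = ESP_OVERHEAD) -> Verdict:
    """Router decision for a LAN -> outside packet entering the IPsec tunnel.
    Only the external (output) interface MTU matters; the internal interface
    MTU governs what the firewall transmits *into* the LAN, not what it receives."""
    wire = packet_len + ipsec_overhead
    if wire <= ext_mtu:
        return Verdict("forwarded", wire)
    if df:
        # TCP normally sets DF, so oversized segments are dropped with ICMP
        # fragmentation-needed rather than fragmented.
        return Verdict("icmp-frag-needed", wire)
    return Verdict("fragmented", wire)


def lan_mtu_that_fits(ext_mtu: int, ipsec_overhead: int = ESP_OVERHEAD) -> int:
    """LAN host MTU at which a full-size segment still fits the external link
    after encapsulation (the fix George observed)."""
    return ext_mtu - ipsec_overhead
```

With a 1500-byte LAN MTU and a 1500-byte external link, a full segment arrives as 1560 bytes on the wire and is refused with ICMP fragmentation-needed; lowering the LAN hosts to 1440 shrinks both their own segments and the MSS they advertise, while lowering only the external MTU leaves the advertised MSS at 1460.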