Hi.

I've had a bridged modem and OpenBSD gateway setup for years on a
particular Australian ISP. I've never re-assembled packets and worried
over MTU or fragments.
Everything just worked ...
Recently one of the companies I work for changed ISP. I swapped the
relevant details on the gateway, hostname.pppoe0 and whatnot, and it
seems that a significant portion of the web is inaccessible; most
websites are accessible but many are not.
DNS resolution seems fine for all domains and of the sites that won't
work some of them will display a title in a browser on an internal
client and that's it. Some of them will send all the html but
ultimately not display. Most simply "time out" ...
I've tried re-assembling packets but it doesn't help. I suspect I'm
being sent fragmented packets with don't fragment set.
Does this sound right?

If this is right, could I achieve anything by explicitly allowing ICMP
(datagram too large messages) expecting that the upstream hosts will
set path MTU accordingly, or is this a wasted effort?
Either way, should I start re-assembling packets and scrubbing
incoming and ignoring the don't fragment bit with no-df ...

match in all scrub (no-df)

Best wishes.
