On 2022-05-15, Tom Smyth <[email protected]> wrote:
> IP fragments on internet are avoided generally through PMTU discovery (mtu path
> discovery) but PMTU does not work beyond a Nat (if a smaller MTU interface exists
> behind a NAT then the smaller MTU will not be discovered.

That's not right, NAT doesn't break PMTU detection.

> PMTU cannot properly account for underlay restrictions Inside a VPN

Depends on the VPN type. For VPNs using a tunnel device (openvpn, WireGuard, gif/gre/l2tp etc, maybe route-based IPsec) then PMTU works like it would on another network type. Not normally for flow-based IPsec though as the MTU is taken from the route (but it can be made to work with a dummy interface covering the VPN range with a lower MTU set in it).

