John Candlish <johncandl...@gmail.com> wrote:
> Looking further at this it seems to be related to differing MSS values
> for the ppp0, eth3 physical interfaces, and also the virtual interface
> of the webserver in the DMZ.
...
> I suppose that this can be tuned via the MTU of the affected
> interfaces or by the MSS parameter of the shorewall configuration.
>
> What are the recommended best practices in this situation?
Not sure about best practices, but it's a well known problem in that PPPoE needs to add an additional (8 octet) header to the packet, so if the packet is already larger than MSS-8 octets long then you'll be over size. I think it's normal to specify an MTU of 1492 for the PPP interface, and also specify (from memory, you'll need to check the docs) clamp_mss, which will set a config which has the netfilter code alter any MSS values passing through to no more than the value specified.

In principle, 1492 should be OK, but when I was looking this up the other day (for a Juniper device) I found people suggesting lower values (as low as something like 1250) were needed - I think this is probably an "ISP config" thing.

Just checking my home router (UK VDSL2, aka FTTC), I have mtu 1492 set in my PPP peer config, and "CLAMPMSS=Yes" in shorewall.conf. Interestingly, at work, I have CLAMPMSS=No and it seems to be working fine. Make that "had", I've just changed it to yes.
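To make the arithmetic and the clamping behaviour concrete, here is an added example (not from the post above, and not Shorewall's or netfilter's own code) that derives the PPPoE MTU and MSS figures and then does, in userspace, what the netfilter TCPMSS target does on a forwarded SYN: walk the TCP options and lower any MSS above the allowed value. The SYN segment is constructed test data; the port numbers and the 1500-byte Ethernet MTU are assumptions. The TCP checksum is deliberately not recomputed (netfilter does that in the kernel).

```python
import struct

IPV4_HEADER_LEN = 20   # IPv4 header without options
TCP_HEADER_LEN = 20    # fixed TCP header; options follow it
PPPOE_OVERHEAD = 8     # 6-byte PPPoE header + 2-byte PPP protocol field


def ppp_mtu(ethernet_mtu=1500):
    """MTU left for IP once PPPoE wraps the Ethernet frame: 1500 - 8 = 1492 (assumed Ethernet MTU)."""
    return ethernet_mtu - PPPOE_OVERHEAD


def mss_for_mtu(mtu):
    """Largest TCP payload that fits one packet of the given MTU (IPv4, no IP/TCP options)."""
    return mtu - IPV4_HEADER_LEN - TCP_HEADER_LEN


def build_syn(mss, src_port=40000, dst_port=80):
    """Constructed test data: a bare TCP SYN carrying MSS, two NOPs and SACK-permitted options."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"
    data_offset = (TCP_HEADER_LEN + len(options)) // 4      # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH",
                         src_port, dst_port,
                         0,                  # sequence number
                         0,                  # acknowledgement number
                         data_offset << 4,   # data offset in the high nibble, reserved bits zero
                         0x02,               # flags: SYN only
                         65535,              # window
                         0,                  # checksum: not computed in this example
                         0)                  # urgent pointer
    return header + options


def _walk_options(segment):
    """Yield (offset, kind, length) for each multi-byte TCP option; stop on EOL or malformed data."""
    data_offset = (segment[12] >> 4) * 4
    i = TCP_HEADER_LEN
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                       # End of option list
            return
        if kind == 1:                       # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= data_offset:            # kind byte with no room for a length byte
            return
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:   # malformed or truncated option
            return
        yield i, kind, length
        i += length


def get_mss(segment):
    """Return the MSS option value, or None if the segment carries none."""
    for off, kind, length in _walk_options(segment):
        if kind == 2 and length == 4:
            return struct.unpack_from("!H", segment, off + 2)[0]
    return None


def clamp_mss(segment, max_mss):
    """
    Userspace model of CLAMPMSS / iptables TCPMSS: on a segment with SYN set, rewrite an
    MSS option larger than max_mss down to max_mss. Returns (segment, changed).
    Only SYN and SYN/ACK legitimately carry MSS, so other segments pass untouched.
    """
    flags = segment[13]
    if not flags & 0x02:
        return segment, False
    for off, kind, length in _walk_options(segment):
        if kind == 2 and length == 4:
            mss = struct.unpack_from("!H", segment, off + 2)[0]
            if mss > max_mss:
                out = bytearray(segment)
                struct.pack_into("!H", out, off + 2, max_mss)
                return bytes(out), True
    return segment, False


if __name__ == "__main__":
    limit = mss_for_mtu(ppp_mtu())          # 1452 for a 1492-byte PPP link
    syn = build_syn(1460)                   # what a 1500-MTU LAN host normally advertises
    clamped, changed = clamp_mss(syn, limit)
    print("link MSS limit:", limit, "advertised:", get_mss(syn),
          "after clamp:", get_mss(clamped), "changed:", changed)
```

The numbers are the ones the thread is circling: a 1500-byte Ethernet MTU less 8 bytes of PPPoE overhead gives the 1492 PPP MTU, and 1492 less 40 bytes of IPv4+TCP headers gives an MSS of 1452. A LAN host that advertises 1460 in its SYN will, without clamping, eventually send full-size segments that do not fit the PPP link; the clamp rewrites the advertised value so the remote peer never sends them. In Shorewall, CLAMPMSS=Yes emits the netfilter TCPMSS target with --clamp-mss-to-pmtu, which derives the limit from the outgoing interface's MTU rather than a fixed number, and a numeric CLAMPMSS value sets an explicit MSS.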