I have a Linux (openSUSE Leap 15.0) computer that's connected to a cable modem using PPPoE (hopefully not relevant to this. EDIT the ppp0 interface has an MTU of 1492, but the eth0 interface it is "bound" to - I don't understand exactly how this works - has an MTU of 1500) on ppp0/eth0 (external) and with a local network (10.1.0.0/8) on eth1 (internal). EDIT It's running firewalld with masquerading enabled.
I'm also running named and dhcpd on the local network and have a couple of wifi routers connected, a printer, etc.
Anyway, everything works perfectly if MTU is set to 1400. But if MTU is set to 1500 on a machine connected to the local network, things fail. In particular, requesting a web page will hang and, if I look at the traffic with wireshark, only part of the response to the HTTP request is being returned (the last part, as it happens, for the example I looked at).
This would still be OK - I can lower the MTU on most connected devices - but I need to connect an un-rooted Android phone. The only way I can get this to work currently is by using a wifi router with its own DHCP (i.e. its own little network) and adjusting the MTU in the router settings.
My impression, then, is that I'm missing something in the rules above to handle fragments. Yet when I read around, it seems like stateful connections should handle fragments correctly. I've also tried duplicating the rules with -f, but it appeared to have no effect.
How do I make this work? More exactly, if the above is correct, how do I get iptables to forward fragments? Thanks.
EDIT Or, if this is a better way, why isn't anything that connects to the network doing PMTUD correctly? No ICMP messages are blocked by the firewall. If I run ping, it works fine (and I see ICMP in wireshark). If I do an HTTP request, I see no ICMP message, which worries me. Currently I am trying to find a way to test whether fragmentation messages are being blocked somewhere else.
EDIT Had eth0 and eth1 swapped in the text. Fixed now.
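The following is an added example (not part of the question or of any answer) that models the path MTU discovery the asker expects to happen. It uses the two MTU values from the question (1500 on the LAN side, 1492 on ppp0) and assumes, as a placeholder, that the remote server sits on a 1500-byte link. It shows why a 1400-byte LAN MTU works, why a 1500-byte MTU needs the gateway to emit ICMP "fragmentation needed" (type 3, code 4), what happens when that ICMP is dropped anywhere on the path (a PMTUD black hole, the hanging HTTP response described above), and the MSS value an iptables TCPMSS rule would clamp to for a 1492-byte uplink. The interface names and hop model are assumptions for illustration.

```python
"""Path MTU discovery walkthrough for a PPPoE gateway (added example, not the poster's code).

Assumed topology: LAN host (MTU 1500) -> gateway eth1 -> gateway ppp0 (MTU 1492)
-> remote server (MTU 1500, an assumption). Values are constructed from the question.
"""
from dataclasses import dataclass

IPV4_HEADER = 20
TCP_HEADER = 20


@dataclass
class Hop:
    """One link on the path. sends_frag_needed=False models a firewall that drops
    the ICMP type 3 code 4 message instead of delivering it to the sender."""
    name: str
    mtu: int
    sends_frag_needed: bool = True


def forward_df_packet(size, hops):
    """Walk a packet with DF (don't fragment) set along the hops.

    Returns one of:
      ("delivered", None)          packet fits every link
      ("frag-needed", next_mtu)    a hop rejected it and reported its MTU via ICMP
      ("blackhole", hop_name)      a hop rejected it silently (ICMP never arrives)
    """
    for hop in hops:
        if size > hop.mtu:
            if hop.sends_frag_needed:
                return ("frag-needed", hop.mtu)
            return ("blackhole", hop.name)
    return ("delivered", None)


def pmtud(initial_size, hops, max_rounds=8):
    """Sender-side PMTUD: start at the local MTU and shrink on every
    'fragmentation needed'. Returns the discovered path MTU, or None when the
    path is a black hole (the sender keeps retransmitting and the transfer hangs)."""
    size = initial_size
    for _ in range(max_rounds):
        outcome, info = forward_df_packet(size, hops)
        if outcome == "delivered":
            return size
        if outcome == "frag-needed":
            size = info
            continue
        return None
    return None


def mss_clamp_for(link_mtu):
    """Largest TCP payload that fits one IPv4 packet on a link of this MTU.
    For a 1492-byte PPPoE link this is 1452."""
    return link_mtu - IPV4_HEADER - TCP_HEADER


def clamp_rule(link_mtu, out_iface="ppp0"):
    """Standard iptables TCPMSS rule (assumed interface name) that rewrites the MSS
    in forwarded SYNs so neither end ever sends a segment larger than the uplink allows.
    Under firewalld the same arguments go into a 'direct' rule in the mangle table."""
    return (f"iptables -t mangle -A FORWARD -o {out_iface} -p tcp "
            f"--tcp-flags SYN,RST SYN -j TCPMSS --set-mss {mss_clamp_for(link_mtu)}")


# Constructed path from the question: LAN side 1500, PPPoE uplink 1492, server link assumed 1500.
HEALTHY_PATH = [Hop("eth1", 1500), Hop("ppp0", 1492), Hop("server", 1500)]
# Same path, but the 'fragmentation needed' from the uplink hop is dropped somewhere.
BLACKHOLE_PATH = [Hop("eth1", 1500), Hop("ppp0", 1492, sends_frag_needed=False), Hop("server", 1500)]


if __name__ == "__main__":
    print("MTU 1400 on LAN host:", pmtud(1400, HEALTHY_PATH))      # fits everywhere
    print("MTU 1500, ICMP flows:", pmtud(1500, HEALTHY_PATH))      # shrinks to 1492
    print("MTU 1500, ICMP dropped:", pmtud(1500, BLACKHOLE_PATH))  # None: hang
    print("MSS clamp for ppp0:", mss_clamp_for(1492))
    print(clamp_rule(1492))
```

The model only covers the outbound direction explicitly, but the same reasoning applies to the server's reply: the LAN host advertises an MSS derived from its 1500-byte MTU, so the server sends 1500-byte segments that do not fit the 1492-byte PPPoE link, and the hop that must shrink them is on the ISP side, outside the asker's control. Clamping the MSS in forwarded SYNs on the gateway fixes both directions at once because the advertised MSS travels in the SYN of each direction.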