I don't have an instance of a firewall or netfilter between local routes within my local network. I have, sorta, the opposite -- a 'bridge' to bind them to look like 1 local network, which pretty much ignores the mtu size. It seems inefficient, though it might become necessary to use a firewall between 2 internal networks just to manage the mtu sizes between the two networks, arg!, but it is looking like that may be the only way.

On 2022/11/29 04:19, Erwin Van de Velde wrote:
Hi,
Normally you would see ICMP "message too big" errors on the network. Sometimes those ICMP messages get blocked on a firewall and fail to reach their destination. Make sure that RELATED connections are allowed by any stateful firewalls in the network.
I know TCP MSS can be set per route, but I usually stick to TCP MSS clamping via netfilter. https://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.cookbook.mtu-mss.html gives a good example, but use POSTROUTING instead of FORWARDING when using those rules on the endpoints. If all else fails, the --set-mss option can be used to test even lower values and stick a hard coded value on it to validate your assumptions.
Kind regards, Erwin
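The netfilter approach Erwin describes, written out as an added example (this is not code from the thread or from the LARTC cookbook): a small POSIX sh script that derives the MSS from the MTU of the 1500-byte segment, emits the rules for allowing RELATED/ESTABLISHED traffic (so ICMP "fragmentation needed" errors are not dropped), clamps the MSS in the mangle table's POSTROUTING chain as suggested for endpoints, and also shows the per-route alternative. The bridge interface name `br0`, the subnet `192.168.50.0/24` for the 1500-MTU segment, and the MTU values are assumptions constructed for the example; nothing is applied unless `APPLY=1`, so by default it only prints the commands for review.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates (and optionally applies)
# TCP MSS clamping rules for a host that sits on both a 9000-byte-MTU segment and
# a 1500-byte-MTU segment. Values below are assumed for the example.

SMALL_MTU="${SMALL_MTU:-1500}"              # assumed MTU of the slower segment
SMALL_NET="${SMALL_NET:-192.168.50.0/24}"   # assumed subnet of the slower segment
DEV="${DEV:-br0}"                           # assumed interface towards it

# MSS = MTU - IP header (20 bytes IPv4, 40 bytes IPv6) - 20-byte TCP header.
mss_for_mtu() {
    mtu="$1"
    family="${2:-4}"
    case "$family" in
        4) echo $((mtu - 40)) ;;
        6) echo $((mtu - 60)) ;;
        *) echo "unknown IP family: $family" >&2; return 1 ;;
    esac
}

# Emit the firewall rules as text so they can be reviewed before applying.
emit_rules() {
    mss=$(mss_for_mtu "$SMALL_MTU" 4)

    # Stateful firewalls must let RELATED traffic through, otherwise the ICMP
    # "fragmentation needed" errors that drive path MTU discovery never arrive.
    echo "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"

    # Usual choice: clamp the MSS of outgoing SYNs to the path MTU. On an endpoint
    # this goes in POSTROUTING of the mangle table rather than FORWARD.
    echo "iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"

    # For testing, a hard-coded value towards the small-MTU segment removes any
    # dependency on PMTU discovery working. Inserted first so it wins.
    echo "iptables -t mangle -I POSTROUTING -d $SMALL_NET -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
}

# Per-route alternative: tell the kernel the MTU and advertised MSS for that subnet.
emit_route_alternative() {
    mss=$(mss_for_mtu "$SMALL_MTU" 4)
    echo "ip route replace $SMALL_NET dev $DEV mtu lock $SMALL_MTU advmss $mss"
}

if [ "${APPLY:-0}" = 1 ]; then
    emit_rules | sh -e          # apply the netfilter rules (needs root)
else
    emit_rules                  # dry run: print only
    echo "# route-based alternative:"
    emit_route_alternative
fi
```

Run it without arguments to review the generated commands; set `SMALL_MTU`, `SMALL_NET` and `DEV` to match the actual network and `APPLY=1` to install the netfilter rules. The `--set-mss` rule is the one to use while validating assumptions, as Erwin suggests; once the RELATED traffic is confirmed to flow, the `--clamp-mss-to-pmtu` rule alone is normally sufficient.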
On Tue, Nov 29, 2022 at 1:47 AM L A Walsh <suse@tlinx.org> wrote:
I use a 9k mtu on my 10gb network @ home -- only exists between my desktop & my server where it can be worthwhile.
Bridged to that NW is a 1gb, 1.5k mtu network used for my home IOT (Internet of Things). This works for administrative traffic, for the most part, but in gaining some new 'things', some wish to talk to a media/file server on the higher BW net.
Someone referred me to possibly using tcp mss clamping, though they were using it in the context of a VPN tunnel which I'm not using.
I'm wondering if it is as simple as installing routes with mtu clamping so hosts wanting (needing) to go to a smaller mtu would take the appropriate network and talk with smaller packets. Seems there may be something missing there since some traffic can be ip-level w/no tcp in play (ex: dns). Doesn't seem that would really work too well...
Has anyone had any experience w/this type of setup?
tnx!