> Just to clarify my understanding... The LAN has an MTU of 1500, however
> the router's smaller MTU means that the MTU for a communication from the
> LAN to the outside world is limited by the router. Generally speaking, the
> MTU must be constant end-to-end.
There's a static MTU attached to each interface and typically it is
1500 bytes, although it can be less say in the case of ppp (ADSL being
an example of that). More specifically the optimum MTU for a route is
the smallest MTU along that route. Up to recently it hasn't been an
issue as most dialup users (one end of a route) were using 1500 or
lower (eg 576) but more recently links such as ADSL (for LANs
specifically) and too strict firewalls cause major problems.
> So the protocol to set this is PMTUD, hence the need for that to get
> through the firewall. Does PMTUD run on a per connection basis, or just
> once on host startup? Does PMTUD override static MTU settings?
Path MTU Discovery is a technique to discover that smallest MTU along
a route, it doesn't change the MTU on your interface. The technique
involves sending a packet as normal with the DF flag set, and if some
hop along the way cannot handle that size packet then an ICMP (type 3
code 4) is sent back. If the client receives the icmp then it
re-transmits using a smaller packet.
The MTU discovered from PMTUD is calculated on a per connection basis,
so a subsequent connection will go through it again.
In the DF set but firewall blocking all icmp case then timeouts will
occur if a MTU smaller than the client is involved. In the non DF
case then fragmentation (slow transfers) will occur if a smaller MTU
Reducing the MTU on the workstation is fine to test the connection.
> I do not fancy setting the MTU on every workstation, and I guess if PMTUD
> worked, I wouldn't have to do that? And if I can't get the firewall to
> allow PMTUD through, I should be able to bodge things by changing the MTU
> on my LAN hosts.
There's a couple of issues here, one, the DF flag (needed for PMTUD) may
not be set by the client (workstation) so what happens is your ADSL
router has to do twice as much work, slowing transfers or timing out
the client, two, what MTU size do you set on the workstation, while the
ADSL MTU is over 1400, other hops in a route maybe less. This can show
up if things like VPNs are involved.
> Is there any way that I can test whether PMTUD is working or not, given the
> intermittent nature of the connectivity problems?
ping is your best utility. From the workstation use ping, supply the
don't fragment flag and supply a size option. Note that the size is not
including the icmp header (1500 is ping payload 1472 IIRC).
> Any errors in the above gratefully received... :)
The best option is to allow icmp type 3 code 4 back to your
workstations through the firewall and have the workstation enable
DF. While the clampMSS option works fine, it only works for TCP (and
it's really a hack).
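The ping test described in the reply above, as an added example that is not part of the original post: it sets DF, sizes the payload for a target MTU (1500 minus the 28 bytes of IPv4 and ICMP headers gives the 1472 mentioned), and binary-searches for the largest MTU that gets through. It assumes Linux iputils ping (`-M do` sets DF, `-s` is the payload size); the host name and the 576..1500 search range are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux iputils ping:
#   -M do  = set DF (don't fragment)    -s N = N bytes of ICMP payload
# On Windows the equivalent is: ping -f -l N host

# ICMP echo payload that fits an IPv4 packet of the given MTU:
# 20-byte IPv4 header + 8-byte ICMP header = 28 bytes of overhead,
# so payload_for_mtu 1500 -> 1472.
payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Real probe: returns 0 if a DF-marked echo with $2 payload bytes
# reaches host $1 (a "needs to be fragmented" reply or timeout fails it).
probe() {
    ping -M do -s "$2" -c 1 -W 2 "$1" >/dev/null 2>&1
}

# Binary search the largest MTU whose DF packet gets through.
#   $1 = host   $2 = probe command (defaults to probe; a fake can be
#   substituted to test the search offline)
find_path_mtu() {
    host=$1; fn=${2:-probe}
    lo=576; hi=1500            # assumed search bounds
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$fn" "$host" "$(payload_for_mtu "$mid")"; then
            lo=$mid            # this size passed, look higher
        else
            hi=$mid            # blocked or fragmented, look lower
        fi
    done
    # hi is never probed inside the loop; check it before reporting.
    "$fn" "$host" "$(payload_for_mtu "$hi")" && lo=$hi
    echo "$lo"
}

# Usage (assumed host): find_path_mtu gateway.example.invalid
```

If the result stays well below 1500 with DF set while the same sizes pass without DF, a hop has a smaller MTU and the ICMP type 3 code 4 replies are what the firewall must let back in.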