MTU, PMTU & DF flag

Guus Sliepen guus at tinc-vpn.org
Fri May 15 00:37:44 CEST 2015


On Thu, May 14, 2015 at 10:12:40AM +0200, Florent B wrote:

> > I have no experience with Ubuntu, but I find it hard to believe it would
> > block ICMP Fragmentation Needed packets out of the box.
> 
> I can confirm that this is the case. Ubuntu ignores those ICMP
> packets... :( (rp_filter settings)
> 
> You can see it here: https://mellowd.co.uk/ccie/?p=5662

Ok... well that's just silly then.

> > Can you check what tinc thinks the PMTU is in each of these cases? With
> > tinc 1.0.24, you do "tincd -n <netname> -kUSR2", and it will send a list
> > of nodes to the syslog. The MTU should be in it.
> 
> For the 3 servers, Tinc reports 1459 as pmtu for each other.

Ok. And for the client?

> Something strange: why is the pmtu for the MYSELF host 1518? Nowhere do I
> have a network with an MTU larger than 1500...

There is no MTU limitation for a node talking to itself. So tinc just
lists the maximum it itself supports, which is 1518.

> > But things might be different if your traffic inside the VPN has VLAN
> > tags or is encapsulated in some other way...
> 
> It can be that: I have VLAN over Tinc. But why is everything working fine
> for Windows & MacOS clients, whatever the situation?

Well, apparently because of the rp_filter setting on Ubuntu. You can try
setting TCPOnly = yes in tinc.conf on the load balancer. This will
decrease performance, but then the problem you have with the Ubuntu
client should go away. Another thing that might help is to manually
configure the MTU of the tun interface on the load balancer (just add
"ip link set dev $INTERFACE mtu 1400" to tinc-up); this will cause the kernel
to generate the ICMP Fragmentation Needed packets, and that might make a
difference for VLAN tagged traffic.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
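As an added example (not from this thread and not part of tinc): a small POSIX shell script that finds the path MTU the way kernel PMTU discovery does, by probing with DF-flagged pings and narrowing in on the largest size that passes. The probe_df function assumes the Linux iputils "ping -M do" flag; the probe is swappable so the search itself can be exercised without sending anything.

```shell
#!/bin/sh
# Added example, not from the tinc thread: binary-search the path MTU with
# DF-flagged pings. When a probe is too large, the path should answer with
# ICMP Fragmentation Needed and ping fails; when those ICMP replies are
# dropped, as the thread reports for the Ubuntu client, this search still
# works because it relies on the echo reply timing out, not on the ICMP error.
#
# IPv4 header (20) + ICMP header (8) = 28 bytes around the ping payload, so a
# payload of N bytes needs a link MTU of N+28.
HDR=28

# probe_df HOST PAYLOAD: one DF-flagged ping (Linux iputils: -M do).
# Returns 0 when a PAYLOAD-byte ping crosses the path unfragmented.
probe_df() {
    ping -c 1 -W 1 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_pmtu HOST LO HI [PROBE]: print the largest MTU in [LO,HI] whose
# payload passes PROBE (default probe_df). Assumes the usual monotone
# behaviour: if size N passes, every smaller size passes too.
find_pmtu() {
    host=$1; lo=$2; hi=$3; probe=${4:-probe_df}
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" $(( mid - HDR )); then
            best=$mid; lo=$(( mid + 1 ))     # fits: look for something larger
        else
            hi=$(( mid - 1 ))                # too big: shrink the window
        fi
    done
    echo "$best"
}
```

Usage on a real path is "find_pmtu <host> 576 1518" (576 is the IPv4 minimum, 1518 the maximum tinc reports for itself in the thread); compare the result against the pmtu tinc logs after "tincd -n <netname> -kUSR2".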