Hi Stuart, I have huge regard for you and all you contribute to OpenBSD and the community Im going to clarify what I meant and what my experience with PMTU and constrained MTUs behind NAT, My humble experience is that if we have a constrained MTU behind a NAT Path MTU discovery from the server to the client fails because
[website]--- public IP MTU 1500 bytes ----------[firewall/Nat] private network MTU 1492 bytes-client so while MTU discovery may work outbound...(from client to the website) the public website to the public IP has no way to discover the constrained PMTU behind the nat... This corner case was discovered when I setup My ISP initially and I had not many IP addresses many moons ago It would be rare for a client behind a NAT to have a smaller MTU than their public IP internet connection. Is my reasoning and analysis here correct ? Regarding my comment > PMTU cannot properly account for underlay restrictions Inside a VPN what I meant was, that if you set an MTU of 1500 on a VPN Tunnel interface but in sending 1500 Bytes in an IP packet across the tunnel it requires a the VPN encapsulated Packet + a Fragment Packet to be sent also, (on the underlay interface) the Router on the VPN wont sent a Fragment needed IP message to the client because the MTU of the Tunnel was not exceeded (but the MTU on the underlay was exceeded) I hope the clarifications helps and that im right or at least that I learn something new :) Thanks Tom Smyth On Sun, 15 May 2022 at 19:37, Stuart Henderson <[email protected]> wrote: > > On 2022-05-15, Tom Smyth <[email protected]> wrote: > > IP fragments on internet are avoided generally through PMTU discovery (mtu > > path > > discovery) but > > PMTU does not work beyond a Nat (if a smaller MTU interface exists > > behind a NAT then the smaller > > MTU will not be discovered. > > That's not right, NAT doesn't break PMTU detection. > > > PMTU cannot properly account for underlay restrictions Inside a VPN > > Depends on the VPN type. For VPNs using a tunnel device (openvpn, > WireGuard, gif/gre/l2tp etc, maybe route-based IPsec) then PMTU works > like it would on another network type. Not nornally for flow-based IPsec > though as the MTU is taken from the route (but it can be made to work > with a dummy interface covering the VPN range with a lower MTU set in > it). > > -- Kindest regards, Tom Smyth.
