iptables clamp-mss-to-pmtu

[antdes45]

Hi,

I'm on ADSL and Netalyzr claims I can't send fragmented UDP traffic, that is, until I move the clamp-mss-to-pmtu rule to the mangle table.

I have the following firewall-start script which fixes the problem:

#!/bin/sh
iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS -o ppp0 --clamp-mss-to-pmtu

OpenWRT decided to move the rule to the mangle table. There are a few OpenWRT discussions about this. Now, putting the rule in FORWARD or POSTROUTING seems to be a great debate, but in my case, fixed some things.

https://lists.openwrt.org/pipermail/openwrt-devel/2012-February/014129.html

Netalyzr is also claiming that ICMP too big packets are blocked, which could explain why the fix is necessary to start with. Is there a ICMP blocking rule on Asuswrt or (most probably) my ISP is blocking them?

 

[antdes45]

Sounds more like the rules should be in the mangle table, but still in FORWARD.

'-t mangle' should be added to lines 2584, 2586, 2592, 2594 of /release/src/router/rc/firewall.c
explanations already in the OpenWRT and DDWRT support tickets.

http://svn.dd-wrt.com/ticket/3397
https://dev.openwrt.org/ticket/5890

 

[antdes45]

Thanks Merlin, saw the commit. I'm testing the latest dd-wrt beta build until next release since it's got different QoS queueing models. I'm quite disappointed so far.