asmfan wrote:
thechief wrote: I think paaja has answered your question (as far as one can understand what you're saying). If you are not satisfied with the answers, then do your own testing with the setting on and off, and you will see what difference it makes.
I see that ping -f -l and with disabled "enforcement" is restricted to MRU/MTU settings in router. So what about hardcoded 1500 thechief? Able to understand the discussion above?
You are probably right that 1500 is not hardcoded, but I can't say for sure because I don't have the enforce option with my pppoa connection (it seems like it's always on for me).
The way I think it works is that the enforce will make an iptables command as shown below, which you can see in FORWARD by telnetting into your router and doing -
iptables -L -vn
TCPMSS tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
I think toggling enforce on/off will add and remove that - but you need to test yourself.
What this does is catch the tcp syn and syn/ack packets heading out to ppp0 and modify the maximum segment size field (MTU on ppp0 - 40) so that the other end of the tcp connection doesn't send packets any bigger than that.
You can also see what effects setting the MRU value has by checking the debug box, changing it/apply so that a new ppp is started and then running
showlog.sh
Which for me shows that the MRU specified is requested during ppp negotiation - and so becomes MTU on the other end.
Without the iptables mss clamping this is bad (assuming the ISP kit honors it) as it will make some websites (that block ICMP frag needed packets, have DF bit set and don't enable blackhole detection) inaccessible.
ifconfig
should show that MTU on ppp0 is set to this value also. In the case of routers MTU alone probably wouldn't cause problems - but unlike setting it on a PC it would only affect outbound packets.
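
An added example, not part of the post above and not the router's or the kernel's own code: a simplified Python model of what the post says the TCPMSS rule does to a segment leaving ppp0. The names `clamp_mss` and `_csum_update` are hypothetical, and the model only lowers an MSS option that is already present; it does not add one.

```python
import struct

SYN, RST = 0x02, 0x04
IP_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header


def _csum_update(csum, old, new):
    """RFC 1624 incremental update of a 16-bit one's-complement checksum."""
    total = (~csum & 0xFFFF) + (~old & 0xFFFF) + new
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def clamp_mss(tcp, pmtu):
    """Lower the MSS option of a SYN or SYN/ACK segment to pmtu - 40."""
    seg = bytearray(tcp)
    end = (seg[12] >> 4) * 4 if len(seg) >= 20 else 0  # end of TCP options
    # 'tcp flags:0x06/0x02': look at SYN and RST, require only SYN set.
    if end < 20 or end > len(seg) or seg[13] & (SYN | RST) != SYN:
        return bytes(seg)
    limit = pmtu - IP_TCP_OVERHEAD
    i = 20
    while i < end and seg[i] != 0:       # kind 0 ends the option list
        if seg[i] == 1:                  # NOP is a single byte
            i += 1
            continue
        if i + 1 >= end or seg[i + 1] < 2 or i + seg[i + 1] > end:
            break                        # malformed option: leave it alone
        if seg[i] == 2 and seg[i + 1] == 4:
            old = struct.unpack_from("!H", seg, i + 2)[0]
            if old > limit:              # only ever lower the MSS
                # The value may straddle two checksum words after a NOP.
                start, stop = (i + 2) & ~1, (i + 5) & ~1
                before = bytes(seg[start:stop])
                struct.pack_into("!H", seg, i + 2, limit)
                csum = struct.unpack_from("!H", seg, 16)[0]
                for k in range(start, stop, 2):
                    o = struct.unpack_from("!H", before, k - start)[0]
                    n = struct.unpack_from("!H", seg, k)[0]
                    csum = _csum_update(csum, o, n)
                struct.pack_into("!H", seg, 16, csum)
            break
        i += seg[i + 1]
    return bytes(seg)
```

With a ppp0 MTU of 1492, a SYN advertising an MSS of 1460 leaves with 1452 and a still-valid TCP checksum, while segments without SYN, or with RST set, pass through unchanged.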