Stephen Hemminger wrote:
> Then get a packet trace of a failing session with tcpdump. You may need
> to get two, one on the client and one on the server to be able to see
> which packet isn't getting past the bridge.

I only saw half of this thread (Chris' mails haven't made it to the list yet), but in case you're using bridge-netfilter and conntrack, it's most likely because of conntrack fragmentation changes in 2.6.16. Conntrack defragments packets, but relies on the IP layer to do the refragmentation now. With purely bridged traffic, the packets don't go through the IP layer, so they exceed the MTU of the outgoing bridge port.

2.6.16.6 will include a fix for this problem:

[patch 06/22] NETFILTER: Fix fragmentation issues with bridge netfilter