Hello!

Windows 2000 Server drops ICMP "fragmentation needed" messages. I can only get stupid answers from Microsoft about routers that drop the packets - but the problem is Microsoft.

So I added

    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

to my Linux router. It works fine for outgoing traffic but not for incoming.

Example:

    1) Windows Client --- mss 1460 -> Linux box ---ppp mss 1452 --->
    2) Windows Client <-- mss 1460 -- Linux box <--ppp mss 1460 ---
    3) Windows Client -- 1500 Bytes --> Linux box
    4) Windows Client <-- icmp max 1492 Bytes -- Linux box
    5) Windows Client -- 1500 Bytes --> Linux box
    6) Windows Client <-- icmp max 1492 Bytes -- Linux box
    ...

I guess the "clamp-mss-to-pmtu" hack only works for the destination network - or is that a bug? The second packet, coming from the ppp interface, goes through without change.

One solution is to reset the DF bit - but how?

The other way is to always subtract 100-200 bytes from the MSS:

    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 800:899 -j TCPMSS --set-mss 700
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 900:999 -j TCPMSS --set-mss 800
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1099 -j TCPMSS --set-mss 900
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1100:1199 -j TCPMSS --set-mss 1000
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1200:1299 -j TCPMSS --set-mss 1100
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1300:1399 -j TCPMSS --set-mss 1200
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400: -j TCPMSS --set-mss 1300

Any other ideas?

Kind regards,
Holger Burmann
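
The behaviour in the trace above, modelled as an added example (not part of the original post and not kernel code). It assumes the pmtu clamp considers only the MTU of the interface the SYN is forwarded out of, which matches steps 1 and 2; the function names are hypothetical and the MTU values are taken from the trace.

```python
# Model of the two clamping approaches in the post. Assumption (not kernel
# code): the pmtu clamp looks only at the MTU of the interface the SYN leaves by.
IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

ETH_MTU = 1500  # LAN side (1460 + 40, from the trace)
PPP_MTU = 1492  # ppp side (1452 + 40, and the "icmp max 1492" replies)


def clamp_to_pmtu(mss, out_mtu):
    """MSS after --clamp-mss-to-pmtu, modelled as min(mss, out_mtu - 40)."""
    return min(mss, out_mtu - IP_TCP_HEADERS)


# The ladder from the post: (low, high, new_mss); high=None means open-ended.
LADDER = [
    (800, 899, 700), (900, 999, 800), (1000, 1099, 900),
    (1100, 1199, 1000), (1200, 1299, 1100), (1300, 1399, 1200),
    (1400, None, 1300),
]


def apply_ladder(mss):
    """Walk the rules in order; TCPMSS is non-terminating, so every rule is tried."""
    for low, high, new_mss in LADDER:
        if mss >= low and (high is None or mss <= high):
            mss = new_mss
    return mss


def fits(mss, path_mtu):
    """True if a full-sized segment for this MSS crosses the link unfragmented."""
    return mss + IP_TCP_HEADERS <= path_mtu


if __name__ == "__main__":
    # Step 1: client SYN forwarded out of ppp -> clamped.
    out = clamp_to_pmtu(1460, PPP_MTU)
    print("SYN     LAN -> ppp:", out, "fits ppp:", fits(out, PPP_MTU))
    # Step 2: server SYN/ACK forwarded out of the LAN -> untouched, so the
    # client is told 1460 and its 1500-byte packets hit the 1492 limit.
    back = clamp_to_pmtu(1460, ETH_MTU)
    print("SYN/ACK ppp -> LAN:", back, "fits ppp:", fits(back, PPP_MTU))
    # Ladder rules ignore direction, so the SYN/ACK is rewritten as well.
    lad = apply_ladder(1460)
    print("SYN/ACK via ladder:", lad, "fits ppp:", fits(lad, PPP_MTU))
```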