[Dnsmasq-discuss] Re: using DHCP to set clients' MTU
webwiz at pl.net
Fri Oct 31 06:47:14 GMT 2008
Apologies for digging up this thread, but it's exactly my issue, and after nearly 12 hours researching it, I'm jaded to the point of madness.
Same deal, there's a modem running off a PPPoA DSL link (NZ), and the modem has a PPPoE-to-PPPoA pass-through feature (Draytek Vigor series), quite innovative actually, not like the half-bridge hack implementations floating around the PPPoA world.
Anyway, the gateway/firewall box is Debian etch and is running kernel-mode PPPoE to log into the modem. Using pppoeconf to create the ppp0 link is all good, except LAN clients struggle with HTTP POST requests over a certain size, and email sends fail over a certain size. All classic MSS issues. Reducing the clients' MTU to 1492 solves the problem but not the problem.
I haven't yet heard back from the pppoeconf package maintainers, but for whatever reason the MSS clamp netfilter rule that is installed by pppoeconf does not work for this box. I don't know why. I've taken your advice and made sure that the firewall rule allows
$IPT -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
well on top of the rules which were already there:
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
so I feel that's fairly well covered it!
A typical XP client will be able to ping packet sizes up to 1464 bytes OK, but those sized between 1465 and 1472 will time out, and those 1473 and over will return Needs fragment but DF set.
The actual rule installed under /etc/ppp/ip-up.d/0clampmss is:
iptables -t mangle -o "$PPP_IFACE" --insert FORWARD 1 -p tcp \
--tcp-flags SYN,RST SYN -m tcpmss --mss 1412 -j TCPMSS --clamp-mss-to-pmtu
and I'm using:
$IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
$IPT -A FORWARD -i $WAN -m state --state RELATED,ESTABLISHED -j ACCEPT
to do the NAT.
Unless I hear back from my Debian pppoeconf bug report, I'm cooked. However, a local LUG user pointed me toward the idea of using a DHCP server to tell clients to use an MTU of 1492, and while I am at it I can get around to implementing issuing IP addresses per host MAC address, which will work with the captive portal code I've written to do IP accounting primarily. And since I'm already using dnsmasq for the caching DNS side of it, from the thread it seems dnsmasq will allow me to do both MTU and MAC addresses.
So I'll give this a go, but if either of you cracked the PPPoE MSS clamping problem, I'd be happy to hear about it.
I was really excited to get hold of one of these modems, because the only other option to us here in NZ (similar to the UK) is half-bridge implementations which aren't totally stable. I feel I'm getting close, and sure as heck know more about TCP than I did yesterday morning ;-)
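As an added illustration (not from the original post or from the dnsmasq project), here is a dnsmasq.conf fragment that does the two things the poster wants: hand every DHCP client an interface MTU of 1492 (DHCP option 26) and pin fixed addresses to specific MAC addresses. The interface name, subnet, MAC addresses and hostnames are made-up placeholders.

```conf
# Constructed example: serve DHCP on the LAN side only, never on ppp0.
interface=eth0
no-dhcp-interface=ppp0

# Lease pool for hosts that are not pinned below (placeholder subnet).
dhcp-range=192.168.1.100,192.168.1.199,12h

# Default gateway and DNS server handed to clients (this box).
dhcp-option=option:router,192.168.1.1
dhcp-option=option:dns-server,192.168.1.1

# Interface MTU (DHCP option 26): 1500 minus the 8-byte PPPoE overhead.
# Equivalent numeric form: dhcp-option=26,1492
dhcp-option=option:mtu,1492

# Fixed address per MAC for the accounting/captive-portal side.
# Format: dhcp-host=<MAC>,<hostname>,<IP>[,<lease time>]  (placeholder values)
dhcp-host=00:11:22:33:44:01,desk-pc,192.168.1.10,infinite
dhcp-host=00:11:22:33:44:02,laptop,192.168.1.11,infinite

# Refuse to serve clients whose MAC is not listed, if the portal must
# see every host (uncomment to enable).
#dhcp-ignore=tag:!known

# Record each lease handed out so accounting can be reconciled later.
dhcp-leasefile=/var/lib/misc/dnsmasq.leases
log-dhcp
```

Check the syntax with `dnsmasq --test` before restarting, and confirm on a client that the lease carried the MTU (on a Linux client `ip link show` will report mtu 1492 after renewal).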