PROBLEM:
Some sites don't work with vuurmuur / SNAT when the router uses pppoe
(for example microsoft.com).
REASON:
The Ethernet standard defines an MTU of 1500 bytes for Ethernet frames.
People who use pppoe to connect to their provider have to limit their MTU
to 1492 bytes, because 8 bytes are taken by the pppoe header.
When a router A sends a packet to a router B that can't handle packets of
that size (for example because of pppoe), router B answers the sender with an
ICMP 'Destination unreachable: Fragmentation needed, but DF set' message.
The sender understands this message and shrinks its packets to the specified size.
Unfortunately router A could be behind a firewall that blocks these ICMP
packets. The sender is then never told to shrink its packets, and all
oversized packets are lost.
FIX:
MSS clamping. The maximum segment size (MSS) is the largest amount of data,
in bytes, that TCP is willing to send in a single segment. The MSS is normally
negotiated with the MSS option when the TCP connection is established (in the
SYN packets). With an MSS of 1452 bytes plus the TCP and IP headers (40 bytes)
the packet size is 1492 bytes, which fits exactly through the pppoe connection.
This can be done automatically with the following iptables command, which
rewrites the MSS option of every forwarded SYN to match the path MTU:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
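As an added illustration (not code from vuurmuur or iptables), the following Python rewrites the MSS option of a TCP SYN header the way TCPMSS --clamp-mss-to-pmtu does, using the 1492-byte pppoe MTU from above; the SYN header is constructed sample data, and the TCP checksum is deliberately not recomputed.

```python
import struct

TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header without options

def build_syn(mss=None):
    """Construct a minimal TCP SYN header (sample data, not a captured packet).
    The MSS option (kind 2, length 4) is appended when mss is given."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss) if mss is not None else b""
    words = (20 + len(options)) // 4  # TCP data offset in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, words << 4, 0x02, 65535, 0, 0)
    return fixed + options

def _mss_offset(tcp_header):
    """Walk the TCP options; return the byte offset of the MSS option or None."""
    header_len = (tcp_header[12] >> 4) * 4
    i = 20
    while i < header_len:
        kind = tcp_header[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= header_len or tcp_header[i + 1] < 2:
            break  # truncated or malformed option, stop parsing
        length = tcp_header[i + 1]
        if kind == TCP_OPT_MSS and length == 4:
            return i
        i += length
    return None

def read_mss(tcp_header):
    """Return the MSS option value, or None if the header carries none."""
    off = _mss_offset(tcp_header)
    return None if off is None else struct.unpack("!H", tcp_header[off + 2:off + 4])[0]

def clamp_mss(tcp_header, pmtu):
    """Lower the MSS so that MSS + 40 never exceeds pmtu, as TCPMSS
    --clamp-mss-to-pmtu does on forwarded SYNs. The TCP checksum is left
    untouched here; the kernel recomputes it when it rewrites the real segment."""
    off = _mss_offset(tcp_header)
    limit = pmtu - IP_TCP_HEADERS  # 1492 - 40 = 1452 for pppoe
    if off is None or read_mss(tcp_header) <= limit:
        return tcp_header  # no MSS option, or already small enough
    out = bytearray(tcp_header)
    out[off + 2:off + 4] = struct.pack("!H", limit)
    return bytes(out)
```

A SYN advertising the usual Ethernet MSS of 1460 comes out with 1452, while a SYN that already advertises a smaller MSS, or carries no MSS option at all, passes through unchanged.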
FURTHER INFORMATION:
http://www.linux.com/base/ldp/howto/IP-Masquerade-HOWTO/mtu-issues.html
http://en.wikipedia.org/wiki/Transmission_Control_Protocol
man iptables