From: Leonardo <p0q0b0d@gmail.com>
To: netfilter@lists.netfilter.org
Subject: ICMP frag needed not forwarded to MSQ clients
Date: Wed, 25 May 2005 10:17:00 +0200 [thread overview]
Message-ID: <3b1e6f48050525011730fa7e44@mail.gmail.com> (raw)
Hello to all!
My box does not forward ICMP Fragmentation Needed packets to
its masqueraded clients.
Setup:
I have a box with 3 NICs equipped with kernel 2.6.11 and iptables
1.2.11. This box has two gateways, and the network flow is as follows:
eth0 <---> clients
eth1 <---> standard internet traffic
eth2 <---> VPN
Details:
Traffic on eth2 is masqueraded (required). The problem is that the
packets (MTU 1500) must be encapsulated in IPsec packets at the next
hop, where the MTU is the same; therefore the VPN server sends back an
ICMP packet saying that fragmentation is needed. The ICMP packets are
received by my box but not forwarded to the clients, which continue to
send 1500-byte packets. Therefore the VPN site does not open.
Is that normal behavior? Should I add anything to my iptables rules in
order to make it forward ICMP Fragmentation Needed packets?
Thank you very much!
iptables on eth2, eth0:
Input, Output, Forward:
- Policy ACCEPT (nothing else)
Only on eth2:
nat:
- POSTROUTING anywhere anywhere -j MASQUERADE
Current workaround:
- ifconfig eth2 mtu 1400 (I don't like it! :)
--
Leonardo Arena
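The ICMP error described in this message cannot simply be routed to the client: it is addressed to the box's own eth2 address, and only the datagram quoted inside it (whose source is the masqueraded, public tuple) identifies which client connection it belongs to. The Python below is an added example, not code from the original post or from netfilter, that models the reverse translation the masquerading box has to perform before such an error can reach the client (the kernel's connection-tracking NAT code does this for ICMP errors that match an existing connection entry; this is a model of that step, not the kernel's implementation). All addresses, ports and the NAT mapping are assumptions chosen for the illustration, and the packets are constructed inline.

```python
import socket
import struct

# Assumed addresses (RFC 5737 / RFC 1918 ranges), not from the original post.
CLIENT = "192.168.1.10"     # masqueraded client behind eth0
BOX_VPN_IP = "203.0.113.5"  # the box's eth2 address used by MASQUERADE
VPN_GW = "203.0.113.1"      # next hop that emits the ICMP error
VPN_SERVER = "10.8.0.1"     # host the client is talking to
# Assumed conntrack mapping after MASQUERADE: public tuple -> private tuple.
NAT_TABLE = {(BOX_VPN_IP, 40000): (CLIENT, 51000)}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header with DF set and a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ihl": ihl, "proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "payload": pkt[ihl:total]}


def tcp_datagram(src, sport, dst, dport, size):
    """IPv4+TCP datagram of `size` bytes; only ports and seq are filled in."""
    tcp = struct.pack("!HHI", sport, dport, 1)
    body = tcp + b"\x00" * (size - 20 - len(tcp))
    return ipv4_header(src, dst, 6, len(body)) + body


def frag_needed(src, dst, next_hop_mtu, offending):
    """ICMP type 3 code 4 (RFC 792/1191): next-hop MTU in bytes 6-7, then
    the IP header plus 8 bytes of the datagram that could not be forwarded."""
    quoted = offending[:(offending[0] & 0x0F) * 4 + 8]
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(src, dst, 1, len(icmp)) + icmp


def denat_icmp_error(pkt, nat_table):
    """Reverse-translate an ICMP error on the masquerading box.

    The outer packet is addressed to the box's own public IP, so the only
    way to find the real recipient is the quoted datagram: its *source*
    tuple is the NATed one, and the NAT table maps it back to the client.
    Returns (rewritten_packet, next_hop_mtu), or None when nothing matches
    (an error that matches no connection must not be forwarded, otherwise
    any outside host could push PMTU changes onto internal clients)."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != 1:
        return None
    icmp = outer["payload"]
    itype, icode, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, icode) != (3, 4):
        return None
    quoted = icmp[8:]
    inner = parse_ipv4(quoted)
    if inner["proto"] not in (6, 17) or len(inner["payload"]) < 4:
        return None
    sport = struct.unpack("!H", inner["payload"][:2])[0]
    mapping = nat_table.get((inner["src"], sport))
    if mapping is None:
        return None
    priv_ip, priv_port = mapping
    ihl = inner["ihl"]
    q = bytearray(quoted)
    # 1. Undo SNAT inside the quoted header: source IP, source port, IP csum.
    q[12:16] = socket.inet_aton(priv_ip)
    q[ihl:ihl + 2] = struct.pack("!H", priv_port)
    q[10:12] = b"\x00\x00"
    q[10:12] = struct.pack("!H", checksum(bytes(q[:ihl])))
    # 2. Recompute the ICMP checksum over the modified error message.
    new_icmp = bytearray(icmp[:8] + bytes(q))
    new_icmp[2:4] = b"\x00\x00"
    new_icmp[2:4] = struct.pack("!H", checksum(bytes(new_icmp)))
    # 3. Re-address the outer packet to the client.
    return ipv4_header(outer["src"], priv_ip, 1, len(new_icmp)) + bytes(new_icmp), mtu


def quoted_tuple(icmp_error_pkt):
    """(src, sport, dst, dport) of the datagram quoted inside an ICMP error."""
    inner = parse_ipv4(parse_ipv4(icmp_error_pkt)["payload"][8:])
    sport, dport = struct.unpack("!HH", inner["payload"][:4])
    return inner["src"], sport, inner["dst"], dport


def checksums_ok(icmp_error_pkt):
    """Outer IP, ICMP and quoted IP header checksums all verify to zero."""
    outer = parse_ipv4(icmp_error_pkt)
    quoted = outer["payload"][8:]
    return (checksum(icmp_error_pkt[:outer["ihl"]]) == 0
            and checksum(outer["payload"]) == 0
            and checksum(quoted[:(quoted[0] & 0x0F) * 4]) == 0)


def clamp_mss(path_mtu, ip_hdr=20, tcp_hdr=20):
    """Largest TCP MSS that keeps every segment within path_mtu: the
    arithmetic behind clamping MSS on the forwarding box instead of
    lowering the interface MTU."""
    return path_mtu - ip_hdr - tcp_hdr


def demo():
    # The client's 1500-byte segment as it left eth2, already masqueraded.
    outgoing = tcp_datagram(BOX_VPN_IP, 40000, VPN_SERVER, 443, 1500)
    # The VPN gateway cannot fit it into the tunnel and answers with ICMP 3/4.
    error = frag_needed(VPN_GW, BOX_VPN_IP, 1400, outgoing)
    return denat_icmp_error(error, NAT_TABLE)
```

`demo()` returns the error re-addressed to 192.168.1.10 with the quoted source rewritten to the client's private tuple and all three checksums fixed up; an error whose quoted datagram matches no NAT entry returns `None`, which is the behaviour a practitioner should want, since forwarding unmatched ICMP errors would let any outside host lower the path MTU seen by internal clients. `clamp_mss()` shows the alternative to the `ifconfig eth2 mtu 1400` workaround: for a 1400-byte path a TCP SYN should carry an MSS of 1360.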
Thread overview: 11+ messages
2005-05-25 8:17 Leonardo [this message]
[not found] ` <200505251112.23022.98111@free.fr>
2005-05-25 11:23 ` ICMP frag needed not forwarded to MSQ clients Leonardo
2005-05-25 16:25 ` R. DuFresne
2005-05-26 7:25 ` Leonardo
2005-05-26 11:59 ` Jozsef Kadlecsik
2005-05-26 12:47 ` Leonardo
2005-05-26 13:09 ` Jozsef Kadlecsik
2005-05-26 14:09 ` Leonardo
2005-05-26 14:33 ` Jozsef Kadlecsik
[not found] ` <3b1e6f480505270006ea481be@mail.gmail.com>
2005-05-27 7:07 ` Leonardo
2005-05-27 7:24 ` Jozsef Kadlecsik