I was debugging a very strange issue regarding TLS handshake failures and have concluded this seems to have failed due to Path MTU Discovery not being honored by the Firewalla Gold.
Has anyone else run into this issue? It seems to me that enabling the following sysctl value would allow for PMTU to be honored for forwarded traffic, rather than just flows sourced to/from the firewalla itself:
ip_forward_use_pmtu - BOOLEAN
    By default we don't trust protocol path MTUs while forwarding because they could be easily forged and can lead to unwanted fragmentation by the router.
    You only need to enable this if you have user-space software which tries to discover path mtus by itself and depends on the kernel honoring this information. This is normally not the case.
    Default: 0 (disabled)
    Possible values:
    0 - disabled
    1 - enabled
Anyone else running into this issue? While PMTU issues are seen a lot less lately than in the past, they do still occur (thank you IPv6 for the min 1280 MTU requirement).
I notice that there is a rule that will clamp all TCP MSS to the PMTU, which will be 1500 by default, so this is essentially just clamping the MSS for all TCP to 1460 bytes, since this is our MTU and the Firewalla will not honor any ICMP type 3 code 4 (unreachable, fragmentation needed) packets for PMTU for forwarded traffic.
Can we get this enabled by default? This seems like a rather safe setting IMHO, and I can't imagine too many security issues with spoofed PMTU messages, but it is possible I suppose.
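The two mechanisms the post talks about, a router learning a path MTU from ICMP "fragmentation needed" messages only when `ip_forward_use_pmtu` is on, and the TCP MSS clamp that follows from a given MTU, are modelled below in a small Python example. This is an added illustration, not Firewalla's or the Linux kernel's code; the flow-table check (only believe an ICMP message whose quoted inner packet matches a flow the router actually forwarded), the 576-byte floor, and all addresses and ports are assumptions chosen for the demonstration.

```python
import ipaddress
import struct
from typing import Dict, Optional, Set, Tuple

# Constructed model of a forwarding router's PMTU handling. Not kernel code:
# the kernel's real checks live in the routing cache, and the "quoted packet
# must match a forwarded flow" rule below is this example's own anti-spoof
# heuristic, not a description of what Linux does.

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
PMTU_FLOOR = 576          # assumption: lowest IPv4 MTU we are willing to believe

Flow = Tuple[str, str, int, int, int]   # (src, dst, proto, sport, dport)


def ipv4_header(src: str, dst: str, proto: int, total_len: int = 1500) -> bytes:
    """Minimal 20-byte IPv4 header, no options, checksum left at zero."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def frag_needed(inner_hdr: bytes, first8: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 code 4 carrying the next-hop MTU (RFC 1191) plus the
    offending datagram's IP header and first 8 payload bytes."""
    icmp_hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    return icmp_hdr + inner_hdr + first8


def parse_frag_needed(msg: bytes) -> Optional[Tuple[Flow, int]]:
    """Return (flow quoted inside the ICMP message, next-hop MTU), or None
    when the bytes are not a well-formed fragmentation-needed message."""
    if len(msg) < 8 + 20 + 8:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if typ != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    proto = inner[9]
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])   # first 8 bytes of TCP/UDP
    return (src, dst, proto, sport, dport), mtu


class PmtuCache:
    """Per-destination path MTU learned from ICMP, for forwarded traffic."""

    def __init__(self, forwarded_flows: Set[Flow], use_pmtu_for_forwarding: bool):
        self.forwarded_flows = forwarded_flows
        self.use_pmtu = use_pmtu_for_forwarding     # models ip_forward_use_pmtu
        self.pmtu: Dict[str, int] = {}

    def learn(self, msg: bytes) -> Optional[int]:
        """Accept the ICMP message and return the PMTU now cached for its
        destination, or None if the message was ignored."""
        parsed = parse_frag_needed(msg)
        if parsed is None:
            return None
        flow, mtu = parsed
        if not self.use_pmtu:
            return None        # sysctl off: forwarded flows never trust ICMP PMTU
        if flow not in self.forwarded_flows:
            return None        # quoted packet is not one we forwarded: treat as forged
        mtu = max(mtu, PMTU_FLOOR)   # never let a message drive the MTU absurdly low
        dst = flow[1]
        self.pmtu[dst] = min(mtu, self.pmtu.get(dst, mtu))
        return self.pmtu[dst]


def clamp_mss(mtu: int, ipv6: bool = False) -> int:
    """TCP MSS that fits in mtu: subtract the base IP and TCP headers
    (20 + 20 for IPv4, 40 + 20 for IPv6), which is what an MSS clamp rule does."""
    return mtu - (60 if ipv6 else 40)


if __name__ == "__main__":
    flow: Flow = ("10.0.0.5", "203.0.113.7", 6, 40000, 443)      # constructed
    cache = PmtuCache({flow}, use_pmtu_for_forwarding=True)
    msg = frag_needed(ipv4_header(*flow[:3]), struct.pack("!HHI", 40000, 443, 1), 1400)
    print("learned PMTU:", cache.learn(msg), "MSS:", clamp_mss(cache.learn(msg)))
    print("default 1500 MTU clamps TCP MSS to", clamp_mss(1500))
```

With the sysctl modelled as off, `learn` discards every message, which is the behaviour the post attributes to the Firewalla; with it on, a message quoting a flow the router never forwarded is still dropped, which is the kind of check that limits what a spoofed PMTU message can do.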