[Ewrt-devel] pmtu patch

Tom Goetz
Mon Jun 21 13:51:10 PDT 2004


Irving Popovetsky wrote:

>Hi Tom, sorry for the slow response.
>
>It kind of scares me that you're changing the logic to clamp MSS to PMTU
>for ALL setups, not just PPPOE/MTU tweaked setups. Is this okay to
>do?  Brandy?
>
>Another question:  for that ip-up function in pptpd.c you change the MSS
>again.  If it has already been set to --clamp-mss-to-pmtu, does that
>rule need to be flushed first or will it gracefully override?
>
>-Irving
>  
>
I think the clamp MSS to PMTU is an improvement for all setups, due to 
the prevalence of blackholes. If the MTU of the WRT54G is the limiting 
factor in any connection with the presence of a black hole, then TCP 
connections will fail. The firewall clamping MSS to PMTU replaces the 
desired, but not functioning PMTU discovery process. ISPs not allowing 
ICMPs to transit seems to be becoming a common thing. Perhaps making this a 
configurable option or limiting it to firewall/router configs might suit 
you better.

It's my understanding that firewall rules are processed in order. The 
PPTPD rule is inserted above the original rule. Therefore it has 
precedence. This addressed a problem I had while using PPTP to VPN into 
my home network from work.

By the way there was still a bug in that version.

"%s -I FORWARD -i $1 -tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %d: -j TCPMSS --set-mss %d\n"


should be


"%s -I FORWARD -i $1 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %d: -j TCPMSS --set-mss %d\n"

And in my current configuration, I have removed the -i part and made the 
rule global.

My current modified EWRT firmware is working well for me as a VPN 
router. I haven't made any further changes to it in a week or two. I'm 
distracted writing a journal application at the moment.

-Tom
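
An added example, not part of the original message or the EWRT code: a Python model of what the corrected rule (`--tcp-flags SYN,RST SYN -m tcpmss --mss N: -j TCPMSS --set-mss M`) does to a matching SYN segment, including the checksum fix-up that keeps the rewritten packet valid. The function names, the MTU of 1400, the ports and the placeholder checksum are constructed for illustration.

```python
import struct

SYN, RST = 0x02, 0x04

def mss_for_mtu(mtu):
    """IPv4 MSS for a path MTU: subtract 20-byte IP and 20-byte TCP headers."""
    return mtu - 40

def csum_replace(csum, old, new):
    """RFC 1624 incremental checksum update: HC' = ~(~HC + ~m + m')."""
    s = (~csum & 0xFFFF) + (~old & 0xFFFF) + new
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def clamp_syn_mss(tcp, match_min, new_mss):
    """Model of: --tcp-flags SYN,RST SYN -m tcpmss --mss match_min: -j TCPMSS --set-mss new_mss"""
    hdr_len = (tcp[12] >> 4) * 4 if len(tcp) >= 20 else 0
    if not 20 <= hdr_len <= len(tcp) or tcp[13] & (SYN | RST) != SYN:
        return tcp                          # malformed, or not a SYN with RST clear
    seg, i = bytearray(tcp), 20
    while i + 1 < hdr_len and seg[i] != 0:  # kind 0 ends the option list
        if seg[i] == 1:                     # NOP is a single byte
            i += 1
            continue
        length = seg[i + 1]
        if length < 2 or i + length > hdr_len:
            break                           # malformed option: leave the packet alone
        if seg[i] == 2 and length == 4:     # MSS option: kind 2, length 4
            old = struct.unpack_from("!H", seg, i + 2)[0]
            if old >= match_min:            # "--mss N:" is an open-ended range
                lo, hi = (i + 2) & ~1, (i + 5) & ~1   # aligned words covering the value
                before = bytes(seg[lo:hi])
                struct.pack_into("!H", seg, i + 2, new_mss)
                csum = struct.unpack_from("!H", seg, 16)[0]
                for off in range(0, hi - lo, 2):      # update checksum word by word
                    csum = csum_replace(csum, *struct.unpack_from("!H", before, off),
                                        *struct.unpack_from("!H", seg, lo + off))
                struct.pack_into("!H", seg, 16, csum)
            break
        i += length
    return bytes(seg)

# Constructed SYN: ports 40000 -> 1723, data offset 6, MSS option 1460.
# 0xBEEF is a placeholder checksum, since no IP pseudo-header exists here.
SAMPLE_SYN = struct.pack("!HHIIBBHHHBBH", 40000, 1723, 1, 0, 0x60, SYN, 65535, 0xBEEF, 0, 2, 4, 1460)

if __name__ == "__main__":
    out = clamp_syn_mss(SAMPLE_SYN, 1361, mss_for_mtu(1400))  # 1400 is a constructed MTU
    print(struct.unpack_from("!H", out, 22)[0])
```

Because the checksum is updated incrementally, the rewrite needs no knowledge of the IP addresses in the pseudo-header, which is why the clamp can be applied to forwarded traffic in place.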
