Path MTU Discovery Processing - D-Link NetDefendOS User Manual

Network security firewall

The NetDefend Firewall cannot act as the end-point in an MTU discovery message exchange.
NetDefendOS will only forward ICMP messages or generate messages indicating the acceptable
MTU of its own outgoing interface.

Path MTU discovery is always enabled by default for IPv6 on all NetDefendOS interfaces and will
not be discussed further in this section. For IPv4, it must be enabled as described next.

Enabling IPv4 MTU Discovery on a Service Object

MTU discovery is not enabled for IPv4 by default. Instead, it must be explicitly enabled on the
Service object associated with the IP Rule or IP Policy object that allows the connection. This is
done by enabling the following two properties of the Service object:

• Forward ICMP Errors
• Enable IPv4 Path MTU Discovery

The second property can only be enabled after the first property is enabled. The IP rule or IP
policy with which the service is used can be of any type except a FwdFast rule.

MTU Discovery Processing

To illustrate a typical path MTU discovery message exchange, consider a client computer trying
to connect to a server via a NetDefend Firewall and the public Internet as well as a router. This is
shown in the diagram below.

Assuming that MTU discovery has been enabled on the relevant NetDefendOS IP rule or IP policy,
the following sequence of events shows how MTU discovery would function:

1. The client tries to open a connection to the server via the firewall using a packet size of 1400
   bytes. The packets sent have the DF (Don't Fragment) flag enabled.
2. NetDefendOS looks at the MTU property value for the interface object used for the next
   hop. This is 1300, so the client's packet is too large and, because the DF flag is set,
   fragmentation cannot be performed.

Figure 3.1. Path MTU Discovery Processing
Chapter 3: Fundamentals
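
The check in steps 1 and 2, together with the ICMP message a forwarding device generates to report the MTU of its outgoing interface, as an added example (not taken from the D-Link manual or from NetDefendOS). It uses the RFC 1191 "Fragmentation Needed" layout; the function names and the sample packet are constructed, and the branch for packets without DF is ordinary IPv4 router behaviour assumed for completeness.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pmtu_decision(packet: bytes, next_hop_mtu: int):
    """Return ("forward", None), ("fragment", None) or ("icmp", message)."""
    ihl = (packet[0] & 0x0F) * 4                  # IPv4 header length in bytes
    total_len, = struct.unpack("!H", packet[2:4])
    flags_frag, = struct.unpack("!H", packet[6:8])
    df_set = bool(flags_frag & 0x4000)            # DF is bit 14 of this field
    if total_len <= next_hop_mtu:
        return "forward", None
    if not df_set:
        return "fragment", None                   # assumed: normal router behaviour
    # ICMP type 3 (Destination Unreachable), code 4 (Fragmentation Needed):
    # 16 unused bits, the next-hop MTU, then the offending IP header plus
    # the first 8 payload bytes so the sender can match it to a connection.
    quoted = packet[:ihl + 8]
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    return "icmp", body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def build_ipv4(total_len: int, df: bool) -> bytes:
    """Constructed sample: 20-byte IPv4 header (checksum left 0) plus zero padding."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1,
                         0x4000 if df else 0, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return header + bytes(total_len - 20)

if __name__ == "__main__":
    # Values from the manual's scenario: 1400-byte packet, DF set, MTU 1300.
    action, msg = pmtu_decision(build_ipv4(1400, df=True), 1300)
    print(action, "advertised MTU:", int.from_bytes(msg[6:8], "big"))
```
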
