I was posting from my mobile earlier, so writing a lot was difficult.
OK.. MTU is effectively the maximum packet size that can pass down a link. If you need to send a larger packet, it needs to be split up ("Fragmented"). If a packet cannot be forwarded onwards as the link that way is too narrow (MTU-wise), the router receiving the packet will attempt to fragment it and send it on in smaller fragments. However this needs both ends of that onward link to know what the MTU of the link actually is (or else one end might be sending too large packets for the link). For best optimisation both ends of the link should be set to the actual maximum packet size for the media that joins them.
The problem comes when one end of the link is a firewall. The firewall will want to remain stealthy and immune from manipulation from outside, particuarly from DDoS attacks. As such if it is set to too large an MTU, it may ignore clues and control messages that warn it of the problem (as they may be fake). There are attacks for instance that send control messages that try to make a firewall reduce its MTU in order to cripple it.
So the trick is to accurately tune links, particularly those immediately outside a firewall. Both ends must be the same MTU, and it's best if that matches the intermediate media's MTU.
So.... How do we do this?......
Well if we KNOW the MTU of the link and that the far end router is set to that, we can just set that on the WAN interface.... Job done.
If we don't (have accurate knowledge), we can test for it...
If possible, connect a PC to the wireless link (instead of the firewall, using the IP address/gateway that would normally be on the WAN interface of the router). Otherwise use the router with a WAN side MTU of 1500.
Perform various pings with the -f and -l (that s lower case "L" flags as follows
Code:
ping -f -l 1464 8.8.8.8
The -f is an option that disallows fragmentation.
The 1464 is a data size within the packet we are sending add 28 to get the full packet size, so we are testing a 1492 byte packet.
If its passes, increase the data size. If it fails reduce it. You can do a 'cooks tour' to home in on the best data size (Big change, then repeatedly halve the difference to home in on the best value - the largest that succeeds). Add 28 to the data size you homed in on and set that sum as the WAN MTU... Job done.
For avoidance of doubt - we are only adjusting the WAN side MTU. Leave the MTUs on internal devices as 1500, and you can probably assume that the WAN MTU will not be greater than 1500.
Technically we are testing the smallest MTU all of the way out to google DNS, but in practice, only the link or couple of links closest to you will be constricted.
