Br-lan not generate "Fragmentation needed" ICMP message

ABT · April 24, 2025, 12:08pm

I have two Openwrt devices, they are connected with wireguard, and inside them there is a gretap tunnel. The gretap interfaces are in the br-lan bridge of both routers. The goal is to be able to create an L2 network on the two routers that are in different places. Unfortunately, routed is not an option at the moment. The gretap interface has an MTU of 1280. In theory, if it receives a larger packet, it should send the system a "Fragmentation Needed" ICMP packet back. However, it does not do this. MSS Clamping does not work, because officially the packets do not pass through the firewall due to the bridges. If I reduce the MTU, that is not a solution either because then the client does not work, because it does not receive the ICMP FN packet back. The WRT discards the packets because they are too large. What did I not enable, or why does the system not fragment the packets automatically? I tried to solve some problems similar to mine that I found on the forum, but I couldn't solve it.

_bernd · April 24, 2025, 12:37pm

If you have to and want to go the stretched layer 2 way... Booth your LAN need to match the MTU of the gre tunnel without the extra outer frame.

MSS and PMTU do only work on layer 3.

brada4 · April 24, 2025, 4:58pm

You can patch up tcp init pñckets on the bridge.

you need pre and postrouting towards challenged port. It will not send frag-needed on udp, nor know automatic "rt mtu" ie iif gretap tcp flags syn tcp option maxseg size set 1280

One of the reasons no one runs udp s^slog over jumbo frame

_bernd · April 24, 2025, 6:02pm

Thanks. That's new to me. And I hope I will never have the need to use that knowledge

ABT · April 25, 2025, 8:28am

Thank you!

How should I fix this in the system, so that it is always executed when the firewall is restarted? The rules placed in nftables.d were not always included in the system when I tried something like this. Although I tried in traditional chains and tables. Unfortunately, the functionality of the luci firewall is not complete, and even the individual rules that were there in the past have been removed.

I still don't understand something. You wrote " It will not send frag-needed on udp" I wouldn't even distribute it on UDP at the moment. The one that requires L2 fits into the system without a problem. But there are a few devices on the other side of the pipe, especially switches, whose web interfaces are not accessible. These communicate on TCP, not UDP. Sorry, I must have misunderstood something.

brada4 · April 25, 2025, 8:36am

You need table-pre or table-post hook in fw4 and your table must create delete and create full table again.

github.com/openwrt/firewall4

fw4 doesn't reset tables beside fw4

opened 09:04PM - 13 Jan 24 UTC

closed 10:05PM - 13 Jan 24 UTC

moritori

I'm trying to add the following fragment ``` table bridge fw4 { cha…in mangle_prerouting { type filter hook prerouting priority -150; policy accept; iifname "phy0-ap0" meta mark set 0x00000001 } } ``` to some file in `/usr/share/nftables.d/ruleset-post/example.nft`. This include is then properly loaded, however fw4 doesn't seem to reset any other table besides fw4. This leads to the situation that the rule `iifname "phy0-ap0" meta mark set 0x00000001` is added again and again.