FortiGate
Article Id 191381
Description

This article describes why some websites are not viewable when browsing the Internet through a FortiGate that connects to the ISP over PPPoE.
Scope

FortiGate.

Solution

Certain websites are not viewable. The FortiGate is configured to use PPPoE to connect to the ISP.

Topology:

HTTP Client----(internal)FGT(pppoe)----dsl----ISP----Internet----Web Server
----Ethernet MTU 1500----PPPoE MTU 1492………..Ethernet MTU 1500

The reason is that PPPoE encapsulation consumes eight bytes (a 6-byte PPPoE header plus a 2-byte PPP protocol ID) of the standard 1500-byte Ethernet MTU, leaving 1492 bytes for the IP packet. When the web server sends a large packet with the DF (Don't Fragment) bit set to 1, the ADSL provider's router either does not send an 'ICMP fragmentation needed' message, or that message is dropped on its way back to the web server. In either case, the web server never learns that fragmentation is required to reach the client.

With 'set tcp-mss-sender' configured on the firewall policy, the FortiGate rewrites the MSS (maximum segment size) option in the TCP SYN arriving from the client and forwards the segment out the downstream (external) interface with the new value. By default, a host's MSS is its MTU minus 40 bytes (20-byte IP header plus 20-byte TCP header). In the following example, when the HTTP client initiates a TCP connection, the MSS is changed from 1460 to 1452 as the SYN leaves the PPPoE interface, and that value is what reaches the web server. The web server adopts the smaller MSS for the segments it sends back, so no fragmentation is needed and the user can view web pages properly.

config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "all"
        set dstaddr "www.canada.com"
        set action accept
        set schedule "always"
        set service "ANY"
        set tcp-mss-sender 1452
        set nat enable
    next
end

Alternatively, the same MSS clamping can be applied on the internal-facing interface(s) of the FortiGate unit instead of on individual firewall policies.

For example:

config system interface
    edit <port_name>
        set tcp-mss 1452
    next
end

The <port_name> can be replaced by any internal-facing port.
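The following is an added worked model of what the two commands above do on the wire; it is illustration code written for this article, not FortiOS code. It derives the 1452 value from the PPPoE MTU and rewrites the MSS option of a constructed client SYN option list the way a clamping device does (the TCP checksum recalculation that follows is not modelled).

```python
"""Worked model of TCP MSS clamping for a PPPoE uplink (constructed example)."""
from __future__ import annotations
import struct

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8          # 6-byte PPPoE header + 2-byte PPP protocol ID
IPV4_HEADER = 20
TCP_HEADER = 20
EOL_KIND, NOP_KIND, MSS_KIND = 0, 1, 2


def pppoe_mtu(ethernet_mtu: int = ETHERNET_MTU) -> int:
    """IP MTU left on the PPPoE link: 1500 - 8 = 1492."""
    return ethernet_mtu - PPPOE_OVERHEAD


def mss_for_mtu(mtu: int) -> int:
    """Default MSS a host derives from its link MTU: MTU minus IP and TCP headers."""
    return mtu - IPV4_HEADER - TCP_HEADER


def needs_fragmentation(mss: int, link_mtu: int) -> bool:
    """A full-size segment with this MSS yields an IP packet of mss + 40 bytes."""
    return mss + IPV4_HEADER + TCP_HEADER > link_mtu


def clamp_mss_option(options: bytes, max_mss: int) -> tuple[bytes, int | None]:
    """Walk the TCP option TLVs of a SYN and lower the MSS option (kind 2) to max_mss.

    Returns (rewritten_options, original_mss). The option keeps its 4-byte length,
    so header offsets are unchanged; only the 16-bit value differs.
    """
    out = bytearray(options)
    i, original = 0, None
    while i < len(out):
        kind = out[i]
        if kind == EOL_KIND:
            break
        if kind == NOP_KIND:            # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(out):
            break                       # truncated list: leave it untouched
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            break                       # malformed option: do not rewrite what we cannot parse
        if kind == MSS_KIND and length == 4:
            original = struct.unpack_from("!H", out, i + 2)[0]
            struct.pack_into("!H", out, i + 2, min(original, max_mss))
        i += length
    return bytes(out), original


# Constructed client SYN options: MSS 1460, NOP, window scale 7, NOP, NOP, SACK-permitted.
CLIENT_SYN_OPTIONS = bytes.fromhex("020405b4" "01" "030307" "01" "01" "0402")
```

Running `clamp_mss_option(CLIENT_SYN_OPTIONS, mss_for_mtu(pppoe_mtu()))` lowers the advertised MSS from 1460 to 1452 while leaving the other options in place, and `needs_fragmentation` shows that 1460 overflows the 1492-byte PPPoE MTU whereas 1452 fits.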
