Cannot view some web sites when using PPPoE

Problem: Certain web sites are not viewable. The FortiGate is configured to use PPPoE to connect to the ISP.

Solution: Use the "tcp-mss" interface option.

Topology:

HTTP Client----(internal)FGT(pppoe)----dsl----ISP----Internet----Web Server
----Ethernet MTU 1500----PPPoE MTU 1492----...----Ethernet MTU 1500

The cause is that PPPoE encapsulation takes 8 bytes off the standard Ethernet MTU of 1500, leaving 1492. When the web server sends a large packet with the DF bit set to 1, either the ADSL provider's router does not send an 'ICMP fragmentation needed' packet or that packet gets dropped along the path to the web server. In either case, the web server never learns that fragmentation is required to reach the client.

After you configure 'set tcp-mss' on the FortiGate unit's internal interface, the unit changes incoming packets and sends them out the downstream interface with the new TCP MSS value. By default the MSS is the MTU minus 40 bytes (TCP and IP headers). When the HTTP client initiates a TCP connection, the following example changes the MSS value from 1460 to 1452 as the packet leaves the PPPoE interface on its way to the web server. The web server also chooses the smaller MSS, so no fragmentation is needed. The client can now view web pages properly.

config system interface
edit "internal"
   set ip 192.168.1.99 255.255.255.0
   set tcp-mss 1452
next
end
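
Added example (not from the original article and not Fortinet's implementation): Python that applies the clamp described above to a TCP SYN header, lowering the MSS option from 1460 to 1452 and updating the TCP checksum incrementally per RFC 1624. The addresses, ports and the sample segment are constructed for illustration.

```python
import struct

IP_TCP_HEADERS = 40   # IPv4 (20) + TCP (20), no options: MSS = MTU - 40
PPPOE_MTU = 1492      # Ethernet 1500 minus 8 bytes of PPPoE, as in the article

def csum16(data):
    """Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def clamp_mss(tcp, limit):
    """Lower the MSS option of a SYN/SYN-ACK segment to `limit`; fix the checksum."""
    if len(tcp) < 20 or not tcp[13] & 0x02:      # MSS only appears on SYN segments
        return tcp
    hdr_len = min((tcp[12] >> 4) * 4, len(tcp))
    out, i = bytearray(tcp), 20
    while i + 1 < hdr_len and out[i] != 0:       # kind 0 = end of option list
        if out[i] == 1:                          # kind 1 = NOP, one byte
            i += 1
            continue
        length = out[i + 1]
        if length < 2 or i + length > hdr_len:   # malformed option: leave untouched
            break
        if out[i] == 2 and length == 4:          # kind 2 = MSS
            old = struct.unpack_from("!H", out, i + 2)[0]
            if old > limit:
                struct.pack_into("!H", out, i + 2, limit)
                m, m2 = old, limit
                if i % 2:                        # odd offset: value straddles two words
                    m, m2 = (m >> 8 | m << 8) & 0xFFFF, (m2 >> 8 | m2 << 8) & 0xFFFF
                # RFC 1624 incremental update: HC' = ~(~HC + ~m + m')
                s = (~struct.unpack_from("!H", out, 16)[0] & 0xFFFF) + (~m & 0xFFFF) + m2
                while s >> 16:
                    s = (s & 0xFFFF) + (s >> 16)
                struct.pack_into("!H", out, 16, ~s & 0xFFFF)
            break
        i += length
    return bytes(out)

# Constructed sample: SYN from a LAN client advertising MSS 1460 (MTU 1500 - 40).
PSEUDO = bytes([192, 168, 1, 10, 203, 0, 113, 5, 0, 6, 0, 24])  # src, dst, proto, TCP len
hdr = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0, 6 << 4, 0x02, 64240, 0, 0)
opt = struct.pack("!BBH", 2, 4, 1500 - IP_TCP_HEADERS)
SYN = hdr[:16] + struct.pack("!H", csum16(PSEUDO + hdr + opt)) + hdr[18:] + opt
CLAMPED = clamp_mss(SYN, PPPOE_MTU - IP_TCP_HEADERS)             # 1460 -> 1452
```

A segment with a valid checksum gives `csum16(PSEUDO + segment) == 0`, which is a quick way to confirm the rewritten SYN is still well-formed.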
