# FreeBSD 11.1 - Only 1 ICMP redirect (frag needed) packet returned



## Dave12 (Dec 10, 2018)

So we've got an issue that's been perplexing us. 

We're using a FreeBSD box as a router, with 1 NIC set to a low MTU (VPN reasons) and another NIC set to a normal MTU. 

NIC 1 is the route out to the internet + IPSec interface - MTU = 1350 

NIC 2 is the route into our network - MTU = 1500

If you send a ping with an overall MTU size greater than 1350 (do-not-frag enabled) to a host on the other side of the VPN, FreeBSD returns a single ICMP Redirect with the correct MTU. This is expected.

However, if you were to then send a ping to any other host on the internet with an MTU greater than 1350 and DNF enabled, FreeBSD doesn't return any ICMP redirects. Meaning Windows can't use PMTU. 

Would appreciate any pointers.


----------



## SirDice (Dec 10, 2018)

FreeBSD 11.1 is now end-of-life and not supported any more. Please update to 11.2.

Topics about unsupported FreeBSD versions
https://www.freebsd.org/security/unsupported.html


----------



## Dave12 (Dec 10, 2018)

Just going to try it on 11.2 now


----------



## SirDice (Dec 10, 2018)

You may want to test 12.0 too. If I recall correctly there have been many IPSec improvements in 12.0.


----------



## VladiBG (Dec 10, 2018)

When the DF bit is set any device along the route which has lower MTU size should return ICMP _Fragmentation Needed_ (Type 3, Code 4) and the MTU of the next hop.
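The Type 3 / Code 4 message described above, as an added example (it is not code from any poster or from FreeBSD): it applies the RFC 1191 rule to a constructed 1500-byte DF datagram arriving at a router whose egress MTU is 1350, builds the ICMP Fragmentation Needed reply that router should send back (quoted IP header plus first 8 bytes of payload, next-hop MTU field, one's-complement checksum), and decodes it again. Addresses, sizes and field values are constructed; the function names are this example's own.

```python
"""Build and decode ICMPv4 'Fragmentation Needed' (Type 3, Code 4) messages.
Added example, not from the forum thread; all sample values are constructed."""
import socket
import struct
from typing import Optional

ICMP_DEST_UNREACH = 3        # ICMP type: Destination Unreachable
ICMP_CODE_FRAG_NEEDED = 4    # code: Fragmentation Needed and DF was set
IP_FLAG_DF = 0x4000          # DF bit in the IPv4 flags/fragment-offset field


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means 'valid'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def needs_frag_needed(total_len: int, flags_frag: int, egress_mtu: int) -> bool:
    """RFC 1191: a router must emit Type 3/Code 4 when the datagram exceeds the
    egress MTU and DF forbids fragmenting it."""
    return total_len > egress_mtu and bool(flags_frag & IP_FLAG_DF)


def build_frag_needed(next_hop_mtu: int, original_datagram: bytes) -> bytes:
    """ICMP message (no outer IP header) quoting the original IP header + 8 bytes."""
    ihl = (original_datagram[0] & 0x0F) * 4  # header length honours IP options
    quoted = original_datagram[:ihl + 8]
    # type, code, checksum placeholder, unused, next-hop MTU (RFC 1191 layout)
    msg = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_CODE_FRAG_NEEDED,
                      0, 0, next_hop_mtu) + quoted
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_frag_needed(msg: bytes) -> dict:
    """Decode a Type 3/Code 4 message; ValueError for anything else."""
    if len(msg) < 8 + 20:
        raise ValueError("too short for an ICMP error carrying an IP header")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_CODE_FRAG_NEEDED:
        raise ValueError(f"not Fragmentation Needed: type={icmp_type} code={code}")
    quoted = msg[8:]
    total_len, _ident, flags_frag = struct.unpack("!HHH", quoted[2:8])
    return {
        "next_hop_mtu": mtu,
        "checksum_ok": inet_checksum(msg) == 0,   # valid iff the sum folds to zero
        "orig_len": total_len,
        "orig_df": bool(flags_frag & IP_FLAG_DF),
        "orig_proto": quoted[9],
        "orig_src": socket.inet_ntoa(quoted[12:16]),
        "orig_dst": socket.inet_ntoa(quoted[16:20]),
    }


def constructed_original_datagram() -> bytes:
    """Constructed sample: a 1500-byte ICMP echo request with DF set, the kind of
    probe a host doing PMTUD sends. Only header + 8 bytes end up quoted."""
    src = socket.inet_aton("192.0.2.10")    # constructed inside host
    dst = socket.inet_aton("203.0.113.5")   # constructed remote host
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, IP_FLAG_DF,
                     64, 1, 0, src, dst)    # IP checksum left 0; not needed here
    echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # echo request header
    return ip + echo + b"\x00" * (1500 - len(ip) - len(echo))


def router_response(datagram: bytes, egress_mtu: int) -> Optional[bytes]:
    """What a compliant router hands back for this datagram on this egress."""
    total_len = struct.unpack("!H", datagram[2:4])[0]
    flags_frag = struct.unpack("!H", datagram[6:8])[0]
    if not needs_frag_needed(total_len, flags_frag, egress_mtu):
        return None
    return build_frag_needed(egress_mtu, datagram)


if __name__ == "__main__":
    dg = constructed_original_datagram()
    print("egress MTU 1500 ->", router_response(dg, 1500))        # None: fits
    reply = router_response(dg, 1350)
    print("egress MTU 1350 ->", reply.hex())
    print(parse_frag_needed(reply))
```

A message captured with tcpdump on the inside NIC can be fed to `parse_frag_needed` (strip the outer IP header first) to confirm the router is quoting the expected next-hop MTU and the original destination; an absent or malformed reply for the second destination is then the thing to chase rather than the client's PMTUD logic.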


----------

