2.0.1 enable PMTUD upstream tunnel - yahoo sites not working

  • Hello, I'm running 2.0.1 on an Alix.  Recently the site that I'm having trouble with switched to a new connection.  The ISP is subcontracting the connection to a local cable company, and using a Cisco router directly upstream of the firewall to tunnel the traffic back to the ISP's network.  So I'm running into MTU problems.

    The main symptom is that I'm unable to connect to any yahoo websites, www.yahoo.com, news.yahoo.com, flickr.com.  Packet captures show that the http connection is made, the browser requests the page and then the remote server never sends back data.  So the remote server isn't figuring out that they need to lower the MTU, so their packet never gets through.

    The ISP was able to fix the problem by setting the PMTU on their end, but says that they would rather I have our pfSense firewall set up to do PMTUD, and then said I was blocking ICMP too aggressively.

    So I added a WAN rule to allow ICMP type 3 packets, which I can see are being sent to the firewall.  But does the firewall actually do anything with those?  What do I need to do to enable PMTUD?  They set their PMTU back to auto and I tested, and I see the ICMPs being sent saying "need to fragment", but the sites still don't work.

    Also, since it is the yahoo server that is sending a packet that is too large, isn't the problem that they are not getting the icmp packet telling them to send a smaller packet?

    I also tried changing the WAN MTU and MSS to 1300, which didn't have any effect that I could see.  Is there some trick to getting that to work, or, because the PMTUD isn't working, maybe the MTU change isn't getting discovered?

    The tunnel MTU seems to be 1460 from looking at packet captures when the ISP made their fix.

    I'm using pfSense in NAT mode.
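As an added illustration (not pfSense code and not from the poster), the following Python parses an ICMP type 3 / code 4 "fragmentation needed" message of the kind the poster sees arriving at the WAN, pulls out the next-hop MTU and the flow it refers to, and derives the TCP MSS a firewall would need to clamp to for that path. The addresses, ports and the 1460-byte tunnel MTU are constructed sample values.

```python
"""Decode an ICMPv4 'fragmentation needed' message (RFC 1191) and derive
the TCP MSS for the reported path MTU.  Constructed example for PMTUD
troubleshooting; not pfSense code."""
import socket
import struct


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 means a message verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frag_needed(icmp: bytes) -> dict:
    """Return next-hop MTU plus the quoted flow, or raise ValueError."""
    if len(icmp) < 8 + 20 + 8:           # ICMP hdr + inner IP hdr + 8 bytes
        raise ValueError("ICMP message too short to quote the original header")
    itype, code, _cksum, mtu = struct.unpack("!BBHxxH", icmp[:8])
    if (itype, code) != (3, 4):
        raise ValueError(f"not fragmentation-needed: type={itype} code={code}")
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                     # original IP header + first 8 bytes
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"mtu": mtu, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "sport": sport, "dport": dport, "orig_len": total_len}


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload over IPv4 for this MTU (20-byte IP + 20-byte TCP)."""
    return mtu - 40


def build_frag_needed(mtu: int, original: bytes) -> bytes:
    """Assemble a type 3 / code 4 message quoting the first 28 bytes of 'original'."""
    body = struct.pack("!BBHxxH", 3, 4, 0, mtu) + original[:28]
    return struct.pack("!BBHxxH", 3, 4, icmp_checksum(body), mtu) + original[:28]


# Constructed sample: a 1500-byte DF-flagged HTTP reply (server -> WAN address)
# that a 1460-byte tunnel bounced back as "fragmentation needed".
ORIGINAL = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                       socket.inet_aton("203.0.113.10"), socket.inet_aton("198.51.100.5"))
ORIGINAL += struct.pack("!HHI", 80, 51234, 0xDEADBEEF)   # TCP sport, dport, seq
SAMPLE = build_frag_needed(1460, ORIGINAL)

if __name__ == "__main__":
    info = parse_frag_needed(SAMPLE)
    print(info, "clamp MSS to", mss_for_mtu(info["mtu"]))
```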