Routing using only one core on Download

Oh that is very interesting. It is supposed to do the opposite.

Please check your MTU on red. (This value can be set via DHCP by the ISP.)

No MTU problem as far as I know, every interface has an MTU of 1500 and ping -D -s 1472 <IP on the Internet> works everywhere on my network both with and without the --clamp-mss-to-pmtu rule. The only difference being that with this rule I get 1/3 of the throughput when going through the NAT.

That is strange because the --clamp-mss-to-pmtu should only set the Maximum Segment Size for TCP connections to the “Path Maximum Transmission Units - 40 Bytes (Size of the TCP headers)” which should be the optimal value.

Can you run tcpdump and check how large the packets of a download are with and without the rule?

You are right, capturing packets revealed something:

  • With --clamp-mss-to-pmtu TCP MSS is 536 bytes
  • Without --clamp-mss-to-pmtu TCP MSS is 1460 bytes

Who set the PMTU to 576? If red and green have mtu/mru 1500 it should be 1500.

I don’t know where it comes from, not from me at least.

My larger point being that --clamp-mss-to-pmtu feels like a hack with hard to diagnose side effects and thus should probably be enabled only when behind an ISP messing with ICMP.

Thanks guys for looking into it.
I moved to OpenWrt and it works as expected, so I guess there must be some bug in IPFire.