ICMP support is required for networking in some cases

To head off claims I didn’t check first, I’m just not sure what the rules for necroing are on this forum. There is a thread titled “Have firewall accept ICMP Fragmentation Needed” about this.

I recently had to deal with the infamous “Tor stuck at 45% forever and not connecting” problem. This turned out to be because of misconfigured hardware ISP-side advertising an MTU lower than Whonix assumes (1500).

If Whonix bothered to actually accept “Destination Unreachable” ICMP messages, it would have quickly noticed the need to fragment the packets so that Tor could even get started working. In fact, specifically adding a rule to accept those “miraculously” fixed the issue, as one would expect. It later turned out that my connection does support higher MTUs despite the ISP’s DHCP options, but that’s just luck.

This also means that, with its default settings, Whonix is fundamentally unusable by users stuck on subpar networking links such as dialup, which is still in use in my country, especially in rural areas (unless they know to manually adjust the MTU of interfaces in the Whonix VM).

I think this qualifies as a crippling effect on usability.

A post was merged into an existing topic: Have firewall accept ICMP Fragmentation Needed
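Added example, not part of the original post and not Whonix code: a sketch of how a host can read the next-hop MTU from an ICMP "Fragmentation Needed" message (type 3, code 4, RFC 1191) while accepting it only when the embedded header matches a flow the host itself opened, which is the same idea a stateful firewall applies when it admits ICMP errors only for tracked connections. The function names, addresses, ports and the 1400-byte MTU are assumptions constructed for illustration.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; a valid ICMP message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frag_needed(icmp: bytes):
    """Return (next_hop_mtu, flow) for a well-formed type 3 / code 4 message, else None."""
    if len(icmp) < 8 + 20 + 8:          # ICMP header + inner IPv4 header + 8 bytes of L4
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4) or inet_checksum(icmp) != 0:
        return None
    inner = icmp[8:]                    # header of the packet that was too big
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    return mtu, (inner[9], src, sport, dst, dport)

def accepted_mtu(icmp: bytes, tracked_flows: set):
    """Accept the advertised MTU only if it refers to a flow we actually opened."""
    parsed = parse_frag_needed(icmp)
    if parsed is None:
        return None
    mtu, flow = parsed
    # 68 is the IPv4 minimum MTU (RFC 791); smaller values, including the 0
    # sent by pre-RFC 1191 routers, are ignored in this sketch.
    if flow not in tracked_flows or mtu < 68:
        return None
    return mtu

def build_sample(mtu, src, sport, dst, dport):
    """Constructed test message: what a router would send back for our TCP packet."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    inner += struct.pack("!HHI", sport, dport, 1)
    csum = inet_checksum(struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner)
    return struct.pack("!BBHHH", 3, 4, csum, 0, mtu) + inner

# Constructed sample values (documentation address ranges, arbitrary ports).
FLOWS = {(6, "192.0.2.10", 40000, "198.51.100.7", 9001)}
SAMPLE = build_sample(1400, "192.0.2.10", 40000, "198.51.100.7", 9001)
```

A message that fails the checksum, names a flow the host never opened, or advertises an MTU below 68 is discarded, so dropping every ICMP error is not the only safe policy.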