I am using my phone's wireless hotspot to provide temporary/backup internet access through my router. The router is connecting to the phone as a Wi-Fi client and using that Wi-Fi connection as an upstream internet connection when the main wired one fails. This is probably at least a triple NAT.

The routing and firewalling are set up so that IPv4 connectivity works fine for all clients connected to the router, but I have discovered that pinging internet hosts works on Linux clients but does not work from Windows clients. The Windows ICMP echo requests go out over the router's Wi-Fi interface, but no reply ever comes back.

The firewall is set to allow all ICMP in both directions, using the same settings as my main wired internet connection, which has no trouble with ICMP (although it has only one layer of NAT).

I have discovered by comparing working and non-working pings via tcpdump on the router that Linux is setting the Don't Fragment bit by default and Windows is not. If I give Windows ping the -f option, the Don't Fragment bit gets set and I get ICMP echo replies on Windows.

According to tcpdump, the size of the echo request from Windows ping is 40 bytes, from Linux it is 64 bytes. I've researched this a bit but most everything I could find was regarding discovering MTU size by sending large ping packets, and these are small.

Why does turning on the Don't Fragment bit make ping work in this setup?
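The comparison described above comes down to two fields of the IPv4 header: the total length and the DF (Don't Fragment) flag. The following is an added example, not code from the question or answer: it parses an IPv4 header from raw bytes, verifies the header checksum, reports the fragmentation flags, and builds two constructed echo requests shaped like the ones observed (a 40-byte ICMP message with DF clear and a 64-byte one with DF set; tcpdump's ICMP "length" counts the ICMP message, so the IP total lengths are 60 and 84). The RFC 5737 addresses and the identification values are placeholders chosen for the example.

```python
import struct
from dataclasses import dataclass

IP_DF = 0x4000          # Don't Fragment flag in the flags/fragment-offset word
IP_MF = 0x2000          # More Fragments flag
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8

# Constructed documentation addresses (RFC 5737), not real hosts.
SRC = bytes([192, 0, 2, 10])
DST = bytes([198, 51, 100, 1])


@dataclass
class IPv4Header:
    header_length: int
    total_length: int
    identification: int
    dont_fragment: bool
    more_fragments: bool
    fragment_offset: int   # in 8-byte units, as carried on the wire
    ttl: int
    protocol: int
    src: str
    dst: str


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> IPv4Header:
    """Decode the fixed 20-byte IPv4 header; options (IHL > 5) are skipped."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    return IPv4Header(
        header_length=ihl,
        total_length=total_len,
        identification=ident,
        dont_fragment=bool(flags_frag & IP_DF),
        more_fragments=bool(flags_frag & IP_MF),
        fragment_offset=flags_frag & 0x1FFF,
        ttl=ttl,
        protocol=proto,
        src=".".join(map(str, src)),
        dst=".".join(map(str, dst)),
    )


def header_checksum_ok(pkt: bytes) -> bool:
    """A valid header sums to zero when the checksum field is included."""
    ihl = (pkt[0] & 0x0F) * 4
    return internet_checksum(pkt[:ihl]) == 0


def icmp_length(pkt: bytes) -> int:
    """Length of the ICMP message (what tcpdump prints as 'length')."""
    hdr = parse_ipv4_header(pkt)
    return hdr.total_length - hdr.header_length


def fragment_state(hdr: IPv4Header) -> str:
    """Classify a packet by its fragmentation fields."""
    if not hdr.more_fragments and hdr.fragment_offset == 0:
        return "unfragmented"
    if hdr.fragment_offset == 0:
        return "first fragment"
    return "last fragment" if not hdr.more_fragments else "middle fragment"


def build_icmp_echo(payload_len: int, df: bool, ident: int = 0x1234) -> bytes:
    """Construct an IPv4 ICMP echo request with a zero-filled payload."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, 1) + bytes(payload_len)
    icmp = icmp[:2] + struct.pack("!H", internet_checksum(icmp)) + icmp[4:]
    flags = IP_DF if df else 0
    fields = [0x45, 0, 20 + len(icmp), ident, flags, 64, IPPROTO_ICMP, 0, SRC, DST]
    fields[7] = internet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + icmp


# Constructed packets shaped like the two observed echo requests.
WINDOWS_STYLE_ECHO = build_icmp_echo(32, df=False)   # 40-byte ICMP, DF clear
LINUX_STYLE_ECHO = build_icmp_echo(56, df=True)      # 64-byte ICMP, DF set


def describe(pkt: bytes) -> str:
    h = parse_ipv4_header(pkt)
    return (f"{h.src} > {h.dst}: proto {h.protocol}, total {h.total_length}, "
            f"ICMP length {icmp_length(pkt)}, DF={int(h.dont_fragment)}, "
            f"MF={int(h.more_fragments)}, {fragment_state(h)}")


if __name__ == "__main__":
    for p in (WINDOWS_STYLE_ECHO, LINUX_STYLE_ECHO):
        print(describe(p), "| checksum ok:", header_checksum_ok(p))
```

Running it shows that both constructed requests are unfragmented and differ only in length and the DF bit, which is exactly the distinction the tcpdump comparison turned up; the same parser can be pointed at bytes read from a pcap to confirm what a middlebox sees.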

1 Answer

This shouldn't be happening, since small packets should work well without the DF flag.

You might perhaps be hitting an external firewall that protects against ping flood, which is a type of denial-of-service attack.

In this attack, the attacker will fragment a large message into very small packets, requiring the target to keep the fragments in memory in order to assemble them into one complete packet when the last fragment is received. In this way the attacker can fill up the victim's memory with never-ending packet streams.

Perhaps the phone's ISP is over-sensitive about small packets without the DF flag, rejecting them all.