iPhone Personal Hotspot seems to block ICMP Fragmentation Required
For both AT&T and Verizon carriers, it appears that when you use an iPhone as a Personal Hotspot on a Mac (with the firewall off), no ICMP Fragmentation Required packets get through to the Mac. These packets are required for the Mac to correctly discover the Path MTU (PMTU) to a destination (RFC 1191).
Scenario: Using a regular network connection, ping a host where the PMTU < 1500 with: ping -c 2 -v -D -s 1472 <ipv4>
You will see a response showing that your host received an ICMP packet telling it that fragmentation is needed to reach that host. (Note that the source of that ICMP packet is not the intended host, but some router in between.) NOTE: This has next to nothing to do with ICMP Echo (ping) or Echo Reply packets; ping is simply used to demonstrate the problem.
Then connect to your iPhone as a hotspot and try that again. You will get no response, because the packet can't reach the destination due to the Don't Fragment flag, and something is blocking the ICMP Fragmentation Required packet.
This impacted us in two similar scenarios:
- Using an iPhone as a hotspot for a Linux computer that established a VPN.
- Using an iPhone as a hotspot for a Mac that had a Linux VM running on it that established a VPN.
In both cases, attempts (via ssh) to send a packet bigger than the PMTU failed.
I'm sure there are other scenarios where this blocking causes problems.
The workaround was to determine the PMTU to the VPN server manually and to specify that MTU to the VPN software.
Since this happens on both AT&T and Verizon, I suspect some firewall on the iPhone is blocking this. It is possible that the Mac blocks it only when the hotspot is being used. I haven't found an iPhone app that can document these packets (not) getting to the iPhone.
It would be good for Apple to fix this.
iPhone XR
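The manual workaround described above (find the PMTU to the VPN server, then hand that MTU to the VPN client) can be scripted. The following is an added example, not code from the original post: it binary-searches the largest Don't-Fragment ping that gets a reply, using the same macOS ping flags the post uses (-D, -s, -c) plus -t for a per-ping timeout; the Linux equivalent flags are noted in a comment. Because it relies only on reply versus no reply, it still works when the ICMP Fragmentation Required packets themselves are being dropped, which is exactly the hotspot situation. The optional PROBE_FN argument is a hypothetical hook so the search logic can be exercised with a fake probe instead of real traffic.

```shell
#!/bin/sh
# Added example (not from the original post): find the path MTU to a host by
# sending pings with the Don't Fragment bit set and shrinking the payload
# until a reply comes back. Only reply / no reply is used, so it works even
# when ICMP Fragmentation Required is filtered (the hotspot case).
#
# Assumes the macOS ping flags used in the post: -D (set DF), -s (payload
# bytes), -c (count), plus -t (per-ping timeout in seconds).
# Linux equivalent: ping -c 1 -W 2 -M do -s "$size" "$host"

HDR=28   # IPv4 header (20) + ICMP header (8): packet size = payload + 28

# probe HOST PAYLOAD_BYTES -> exit 0 if a DF-flagged ping of that size was answered
probe() {
  ping -c 1 -t 2 -D -s "$2" "$1" >/dev/null 2>&1
}

# find_pmtu HOST [PROBE_FN]
# Prints the largest packet size (payload + headers) that reaches HOST without
# fragmentation. PROBE_FN is a hypothetical hook (defaults to probe above) so
# the search can be tested with a fake probe instead of real network traffic.
find_pmtu() {
  host=$1
  probe_fn=${2:-probe}
  lo=$((576 - HDR))    # every IPv4 host must accept 576-byte datagrams
  hi=$((1500 - HDR))   # Ethernet MTU; the post's "ping -s 1472" case

  # Fast path: a full-size packet gets through, so the PMTU is at least 1500.
  if "$probe_fn" "$host" "$hi"; then
    echo $((hi + HDR))
    return 0
  fi
  # Sanity check: if even the minimum size is unanswered, the host is down
  # or ICMP Echo itself is filtered, and the search would be meaningless.
  if ! "$probe_fn" "$host" "$lo"; then
    echo "no reply even at $((lo + HDR)) bytes; host unreachable or ICMP filtered" >&2
    return 1
  fi
  # Invariant: payload lo is known to work, payloads above hi are known to fail.
  while [ "$lo" -lt "$hi" ]; do
    mid=$(( (lo + hi + 1) / 2 ))
    if "$probe_fn" "$host" "$mid"; then
      lo=$mid
    else
      hi=$((mid - 1))
    fi
  done
  echo $((lo + HDR))
}

# Usage: sh pmtu.sh <vpn-server-ip>
# Feed the printed value to the VPN client's MTU setting.
if [ "$#" -ge 1 ]; then
  find_pmtu "$1"
fi
```

Each probe waits up to 2 seconds when unanswered, so a full search takes roughly ten probes, about 20 seconds at worst. The value printed is the whole packet size (payload plus 28 header bytes), which is the number VPN clients expect for their MTU setting; if the VPN adds its own encapsulation overhead, the client normally subtracts that itself.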