The packets are greater than the MTU because you captured them on the server sending them, as you already suspected (the Large Segment Offloading happens after Wireshark has already picked them up). I don't see a problem with the DF flag - it will be set for the last packet of the chain of packets when they're being created from the large segment you see.
I would recommend enabling ICMP, of course - there's no real security issue these days as ICMP redirects are ignored by modern TCP stacks (preventing a MITM situation). You could still block it but enable all the "Destination Unreachable" messages to be able to receive error messages like "Fragmentation Needed".
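The firewall setup described above, as an added example that is not part of the original answer: an nftables ruleset that drops most inbound ICMP but still admits Destination Unreachable (including "Fragmentation Needed") so Path MTU Discovery keeps working, plus the sysctls that make the "redirects are ignored" behaviour explicit. It assumes a Linux host with nftables; the table and chain names are illustrative.

```shell
#!/bin/sh
# Added example (not the original poster's code). Assumes Linux + nftables;
# the table name "pmtud_friendly" is an arbitrary choice.

# Emit an nftables ruleset: block ICMP in general, but let through the
# error messages a TCP sender needs in order to honour the path MTU.
icmp_ruleset() {
    cat <<'EOF'
table inet pmtud_friendly {
    chain input {
        type filter hook input priority 0; policy accept;

        # ICMP errors belonging to flows this host started are "related".
        ct state established,related accept

        # ICMPv4 Destination Unreachable (all codes) - code 4,
        # "Fragmentation Needed and DF set", is what PMTUD relies on.
        icmp type destination-unreachable accept
        icmp type time-exceeded accept

        # IPv6 routers never fragment; Packet Too Big is the only
        # way the sender learns a smaller path MTU.
        icmpv6 type packet-too-big accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Remaining ICMP (echo, redirects, ...) is dropped.
        meta l4proto { icmp, icmpv6 } drop
    }
}
EOF
}

# Modern stacks already ignore ICMP redirects; pin that down explicitly.
redirect_sysctls() {
    printf '%s\n' \
        'net.ipv4.conf.all.accept_redirects=0' \
        'net.ipv4.conf.default.accept_redirects=0' \
        'net.ipv6.conf.all.accept_redirects=0' \
        'net.ipv4.conf.all.send_redirects=0'
}

# Load both (needs root and nft); deliberately not run on source.
apply_icmp_ruleset() {
    icmp_ruleset | nft -f -
    redirect_sysctls | while IFS= read -r kv; do sysctl -w "$kv"; done
}
```

Source the file and call `apply_icmp_ruleset` as root to load it; `icmp_ruleset` alone prints the rules for review.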