Hello, (i am sorry if this is the wrong place to ask)
despite the frequent discussions concerning this topic on usenet, i failed
to solve my problem:
- i have a debian potato box that acts as a masquerading server for a
heterogeneous win2k/winnt/mac LAN. pppoe works fine, and so does
masquerading ... almost
- the kernel i installed is the latest 2.2 kernel (2.2.19)
the problem:
i can't access some sites from the masq clients, while i can access them
from the masq server. (like http://www.vitrine.be)
The problem seems to be widely known, and seems to be an MTU+no-fragment
packets issue. and indeed:
- the MTU on my LAN is 1500 bytes
- the MTU on my ppp connection is 1492 bytes.
on the archives, i found the following solutions:
- raising the ppp MTU to 1500 bytes. it won't work. even if i specify 1500,
the mtu is still 1492.
- lowering the mtu of the LAN to 1492 bytes. that's not an option according
to my boss.
- upgrade to something newer than 2.2.14. i run 2.2.19 and i still have the
problem.
So my questions are:
- are there other options ? i read some vague german things about msschamp
or something like that, but i don't know if they are even related.
- will an upgrade to linux 2.4 or the kernelspace pppoe driver fix my
problem ? (i would like to keep my current setup, i don't know how
difficult it is to upgrade a potato box to such a recent version ..)
Some other observations:
- win2k as masquerading server does not have the problem, but switching to
win2k is not really an option since win2k seems to have severe problems
with ftp connections.
- the problem also occurs for some mail servers.
Thanks in advance,
Frank Dekervel
--
Frank Dekervel
Mechelsestraat 88
3000 Leuven
[email protected].([nospam]).ac.be
In article <[email protected]> you wrote:
>
> Hello, (i am sorry if this is the wrong place to ask)
>
> despite the frequent discussions concerning this topic on usenet, i failed
> to solve my problem:
>
> - i have a debian potato box that acts as a masquerading server for a
> heterogeneous win2k/winnt/mac LAN. pppoe works fine, and so does
> masquerading ... almost
>
> - the kernel i installed is the latest 2.2 kernel (2.2.19)
>
> the problem:
>
> i can't access some sites from the masq clients, while i can access them
> from the masq server. (like http://www.vitrine.be)
>
> The problem seems to be widely known, and seems to be an MTU+no-fragment
> packets issue. and indeed:
> - the MTU on my LAN is 1500 bytes
> - the MTU on my ppp connection is 1492 bytes.
>
> on the archives, i found the following solutions:
> - raising the ppp MTU to 1500 bytes. it won't work. even if i specify 1500,
> the mtu is still 1492.
> - lowering the mtu of the LAN to 1492 bytes. that's not an option according
> to my boss.
> - upgrade to something newer than 2.2.14. i run 2.2.19 and i still have the
> problem.
>
> So my questions are:
>
> - are there other options ? i read some vague german things about msschamp
> or something like that, but i don't know if they are even related.
>
> - will an upgrade to linux 2.4 or the kernelspace pppoe driver fix my
> problem ? (i would like to keep my current setup, i don't know how
> difficult it is to upgrade a potato box to such a recent version ..)
Well, upgrading to a recent 2.4 kernel gives you the possibility to use
the TCPMSS target in iptables which resolves your problems.
I'm also running a Linux masquerading box on an ADSL (T-DSL) line and I have
no problems at all (I can access the site you mentioned fine) with
the following line in iptables:
$IPTABLES -I FORWARD -j TCPMSS -o $FW_WORLD_DEV --clamp-mss-to-pmtu -p tcp --tcp-flags SYN,RST SYN
Cheers,
Juri
--
Juri Haberland <[email protected]>
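To show what the TCPMSS rule above does to each client SYN, here is an added Python model of MSS clamping (not code from the thread and not netfilter's implementation): it locates the MSS option in the TCP header, clamps it to PMTU - 40 (1492 - 40 = 1452 for the PPPoE link), and recomputes the TCP checksum so the rewritten SYN stays valid. The sample SYN and the two IP addresses are constructed.

```python
import socket
import struct

def mss_for_mtu(mtu):
    """MSS derived from a link MTU: MTU minus 20-byte IPv4 and 20-byte TCP headers."""
    return mtu - 40

def tcp_checksum(src_ip, dst_ip, segment):
    """Ones-complement checksum over the IPv4 pseudo-header plus the TCP segment."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def clamp_mss(src_ip, dst_ip, segment, pmtu):
    """Clamp the MSS option of a SYN to pmtu - 40 and fix the checksum. Returns
    (segment, old_mss, new_mss); segments the rule would not match come back untouched."""
    hdr_len = (segment[12] >> 4) * 4
    flags = segment[13]
    if not (flags & 0x02) or (flags & 0x04):   # same match as --tcp-flags SYN,RST SYN
        return segment, None, None
    opts = segment[20:hdr_len]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                           # end of option list
            break
        if kind == 1:                           # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:           # MSS option: kind 2, len 4, 16-bit value
            old = struct.unpack("!H", opts[i + 2:i + 4])[0]
            new = min(old, mss_for_mtu(pmtu))
            body = bytearray(segment)
            body[20 + i + 2:20 + i + 4] = struct.pack("!H", new)
            body[16:18] = b"\x00\x00"           # zero the checksum field before recomputing
            body[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(body)))
            return bytes(body), old, new
        i += length
    return segment, None, None

# Constructed sample: SYN from a client on the 1500-byte LAN, advertising MSS 1460
SRC_IP, DST_IP = socket.inet_aton("192.168.0.10"), socket.inet_aton("203.0.113.5")
CLIENT_SYN = (struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, 8192, 0, 0)
              + struct.pack("!BBH", 2, 4, 1460))
```

With the clamped SYN the remote server never sends a segment larger than 1492 bytes, so the DF-marked packets that the PPPoE link could not carry are never generated.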
Frank Dekervel <[email protected]>:
> Hello, (i am sorry if this is the wrong place to ask)
>
> despite the frequent discussions concerning this topic on usenet, i failed
> to solve my problem:
>
> - i have a debian potato box that acts as a masquerading server for a
> heterogeneous win2k/winnt/mac LAN. pppoe works fine, and so does
> masquerading ... almost
>
> - the kernel i installed is the latest 2.2 kernel (2.2.19)
>
> the problem:
>
> i can't access some sites from the masq clients, while i can access them
> from the masq server. (like http://www.vitrine.be)
Actually it sounds like two problems:
1. the NAT server needs "always defragment packets". This way the entire
header is available for use.
2. Turn on forwarding.
BTW, you also have to have the "ip_masq_ftp" module if you are going to
provide FTP to outside systems for your internal network. Just masquerading
support will do single TCP/IP and UDP connections. FTP uses a command
connection and a separate data connection. Since they are paired, the ftp
module supports the data channel.
I'm still using the ipchains wrapper ipfwadm, which works with the following:
# flush every rule (this was recommended by the wrapper since the wrapper
# uses ipchains)
/sbin/ipchains -F
/sbin/ipchains -X
# (internal net) (destination)
/sbin/ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0
/sbin/ipfwadm -F -p deny
echo 1 > /proc/sys/net/ipv4/ip_forward
This still assumes that the default route/gateway is defined on the
NAT server.
In terms of ipchains the above ipfwadm wrapper generates:
ipchains -L IpFwAdM! -v
ipchains -R IpFwAdM! 2 -m 10004
ipchains -A fwd -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQ -m 0x2713
ipchains -P forward DENY
> The problem seems to be widely known, and seems to be an MTU+no-fragment
> packets issue. and indeed:
> - the MTU on my LAN is 1500 bytes
> - the MTU on my ppp connection is 1492 bytes.
>
> on the archives, i found the following solutions:
> - raising the ppp MTU to 1500 bytes. it won't work. even if i specify 1500,
> the mtu is still 1492.
> - lowering the mtu of the LAN to 1492 bytes. that's not an option according
> to my boss.
> - upgrade to something newer than 2.2.14. i run 2.2.19 and i still have the
> problem.
>
> So my questions are:
>
> - are there other options ? i read some vague german things about msschamp
> or something like that, but i don't know if they are even related.
>
> - will an upgrade to linux 2.4 or the kernelspace pppoe driver fix my
> problem ? (i would like to keep my current setup, i don't know how
> difficult it is to upgrade a potato box to such a recent version ..)
>
>
> Some other observations:
>
> - win2k as masquerading server does not have the problem, but switching to
> win2k is not really an option since win2k seems to have severe problems
> with ftp connections.
That's because it does not support ftp masquerading.
> - the problem also occurs for some mail servers.
Incoming or outgoing?
What I do is have the NAT server receive the incoming mail, and immediately
relay that to the real mail server. It IS possible to do port forwarding
on the NAT server to provide a direct connection to the mail server:
/usr/sbin/ipmasqadm portfw -f # flush forward tables
# (NAT ip addr) (real mail server)
/usr/sbin/ipmasqadm portfw -a -P tcp -L ${IPADDR2} 25 -R 192.168.0.1 25
I use this technique for a web server.
Outgoing mail from the server was no problem since that uses a single
TCP connection.
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: [email protected]
Any opinions expressed are solely my own.