2001-10-03 13:00:17

by Frank Dekervel

Subject: mtu problem with masquerading+pppoe(adsl) setup


Hello, (I am sorry if this is the wrong place to ask)

despite the frequent discussions concerning this topic on usenet, I failed
to solve my problem:

- I have a Debian potato box that acts as a masquerading server for a
heterogeneous win2k/winnt/mac LAN. pppoe works fine, and so does
masquerading ... almost

- the kernel I installed is the latest 2.2 kernel (2.2.19)

the problem:

I can't access some sites from the masq clients, while I can access them
from the masq server. (like http://www.vitrine.be)

The problem seems to be widely known, and seems to be an MTU+no-fragment
packets issue. and indeed:
- the MTU on my LAN is 1500 bytes
- the MTU on my ppp connection is 1492 bytes.

on the archives, I found the following solutions:
- raising the ppp MTU to 1500 bytes. it won't work. even if I specify 1500,
the mtu is still 1492.
- lowering the mtu of the LAN to 1492 bytes. that's not an option according
to my boss.
- upgrade to something newer than 2.2.14. I run 2.2.19 and I still have the
problem.

So my questions are:

- are there other options? I read some vague German things about msschamp
or something like that, but I don't know if they are even related.

- will an upgrade to linux 2.4 or the kernelspace pppoe driver fix my
problem? (I would like to keep my current setup, I don't know how
difficult it is to upgrade a potato box to such a recent version ..)


Some other observations:

- win2k as masquerading server does not have the problem, but switching to
win2k is not really an option since win2k seems to have severe problems
with ftp connections.

- the problem also occurs for some mail servers.


Thanks in advance,

Frank Dekervel



--
Frank Dekervel
Mechelsestraat 88
3000 Leuven
[email protected].([nospam]).ac.be


2001-10-03 13:37:18

by Juri Haberland

Subject: Re: mtu problem with masquerading+pppoe(adsl) setup

In article <[email protected]> you wrote:
>
> Hello, (I am sorry if this is the wrong place to ask)
>
> despite the frequent discussions concerning this topic on usenet, I failed
> to solve my problem:
>
> - I have a Debian potato box that acts as a masquerading server for a
> heterogeneous win2k/winnt/mac LAN. pppoe works fine, and so does
> masquerading ... almost
>
> - the kernel I installed is the latest 2.2 kernel (2.2.19)
>
> the problem:
>
> I can't access some sites from the masq clients, while I can access them
> from the masq server. (like http://www.vitrine.be)
>
> The problem seems to be widely known, and seems to be an MTU+no-fragment
> packets issue. and indeed:
> - the MTU on my LAN is 1500 bytes
> - the MTU on my ppp connection is 1492 bytes.
>
> on the archives, I found the following solutions:
> - raising the ppp MTU to 1500 bytes. it won't work. even if I specify 1500,
> the mtu is still 1492.
> - lowering the mtu of the LAN to 1492 bytes. that's not an option according
> to my boss.
> - upgrade to something newer than 2.2.14. I run 2.2.19 and I still have the
> problem.
>
> So my questions are:
>
> - are there other options? I read some vague German things about msschamp
> or something like that, but I don't know if they are even related.
>
> - will an upgrade to linux 2.4 or the kernelspace pppoe driver fix my
> problem? (I would like to keep my current setup, I don't know how
> difficult it is to upgrade a potato box to such a recent version ..)

Well, upgrading to a recent 2.4 kernel gives you the possibility to use
the TCPMSS target in iptables which resolves your problems.

I'm also running a Linux masquerading box on an ADSL (T-DSL) line and I have
no problems at all (I can access the site you mentioned fine) with
the following line in iptables:

$IPTABLES -I FORWARD -j TCPMSS -o $FW_WORLD_DEV --clamp-mss-to-pmtu -p tcp --tcp-flags SYN,RST SYN

Cheers,
Juri

--
Juri Haberland <[email protected]>
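To make concrete what the TCPMSS rule above does to a forwarded connection, here is an added Python model (not code from the thread or from the iptables project): it builds a TCP SYN as a LAN client with a 1500-byte MTU would send it, then applies the same transformation as --clamp-mss-to-pmtu for a 1492-byte PPPoE link, rewriting the MSS option and recomputing the TCP checksum. The addresses, ports and the SYN itself are constructed for the example; the link MTU is passed in as a parameter rather than looked up from the route as the kernel does.

```python
"""Model of iptables TCPMSS --clamp-mss-to-pmtu on a forwarded TCP SYN.
Added example; packet contents below are constructed, not captured."""
import socket
import struct

IPV4_HDR_LEN = 20
TCP_HDR_LEN = 20
TCP_SYN, TCP_RST = 0x02, 0x04


def mss_for_mtu(mtu):
    """Largest TCP payload that fits one IPv4 packet of the given MTU."""
    return mtu - IPV4_HDR_LEN - TCP_HDR_LEN


def ones_complement_checksum(data):
    """Internet checksum (RFC 1071) over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src, dst, segment):
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    return ones_complement_checksum(pseudo + segment)


def build_syn(src_ip, dst_ip, sport, dport, mss):
    """Constructed IPv4+TCP SYN carrying one MSS option (kind 2, length 4)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    options = struct.pack("!BBH", 2, 4, mss)
    data_offset = (TCP_HDR_LEN + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      data_offset << 4, TCP_SYN, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    # DF bit (0x4000) set, as stacks doing path MTU discovery do
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(tcp),
                     0x1234, 0x4000, 64, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    return ip + tcp


def _mss_offset(tcp):
    """Index of the 2-byte MSS value in a segment's options, or None."""
    data_offset = (tcp[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < data_offset:
        kind = tcp[i]
        if kind == 0:                 # end of option list
            return None
        if kind == 1:                 # NOP padding
            i += 1
            continue
        if i + 1 >= data_offset:      # truncated option, stop parsing
            return None
        length = tcp[i + 1]
        if length < 2:                # malformed length, stop parsing
            return None
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def mss_option(packet):
    """MSS advertised by a TCP packet, or None if it has no MSS option."""
    tcp = packet[(packet[0] & 0x0F) * 4:]
    off = _mss_offset(tcp)
    return None if off is None else struct.unpack("!H", tcp[off:off + 2])[0]


def tcp_checksum_ok(packet):
    """True when the TCP checksum verifies (sum over the field gives zero)."""
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


def clamp_mss_to_pmtu(packet, out_mtu):
    """Return packet with its MSS option clamped to out_mtu minus headers.

    Only SYN-set, RST-clear packets are touched, the same match as
    --tcp-flags SYN,RST SYN; everything else is returned unchanged."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_TCP:
        return packet
    tcp = bytearray(packet[ihl:])
    if (tcp[13] & (TCP_SYN | TCP_RST)) != TCP_SYN:
        return packet
    off = _mss_offset(tcp)
    limit = mss_for_mtu(out_mtu)
    if off is None or struct.unpack("!H", tcp[off:off + 2])[0] <= limit:
        return packet
    tcp[off:off + 2] = struct.pack("!H", limit)
    tcp[16:18] = b"\x00\x00"          # zero the field before recomputing
    tcp[16:18] = struct.pack("!H", tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


if __name__ == "__main__":
    syn = build_syn("192.168.0.10", "10.0.0.1", 40000, 80, mss_for_mtu(1500))
    clamped = clamp_mss_to_pmtu(syn, 1492)
    print("MSS before:", mss_option(syn), "after:", mss_option(clamped),
          "checksum ok:", tcp_checksum_ok(clamped))
```

The point of clamping on the FORWARD chain is that the remote server learns a 1452-byte MSS from the rewritten SYN and never emits a 1500-byte segment with DF set, so the masquerading box never has to drop it and rely on an ICMP "fragmentation needed" message that some sites filter; that is why lowering the LAN MTU becomes unnecessary.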

2001-10-03 14:35:59

by Jesse Pollard

Subject: Re: mtu problem with masquerading+pppoe(adsl) setup

Frank Dekervel <[email protected]>:
> Hello, (I am sorry if this is the wrong place to ask)
>
> despite the frequent discussions concerning this topic on usenet, I failed
> to solve my problem:
>
> - I have a Debian potato box that acts as a masquerading server for a
> heterogeneous win2k/winnt/mac LAN. pppoe works fine, and so does
> masquerading ... almost
>
> - the kernel I installed is the latest 2.2 kernel (2.2.19)
>
> the problem:
>
> I can't access some sites from the masq clients, while I can access them
> from the masq server. (like http://www.vitrine.be)

Actually it sounds like two problems:
1. the NAT server needs "always defragment packets". This way the entire
header is available for use.
2. Turn on forwarding.

BTW, you also have to have the "ip_masq_ftp" module if you are going to
provide FTP to outside systems for your internal network. Just masquerading
support will do single TCP/IP and UDP connections. FTP uses a command
connection and a separate data connection. Since they are paired, the ftp
module supports the data channel.

I'm still using the ipchains wrapper ipfwadm, which works with the following:

# flush every rule (this was recommended by the wrapper since the wrapper
# uses ipchains)

/sbin/ipchains -F
/sbin/ipchains -X

# (internal net) (destination)
/sbin/ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0
/sbin/ipfwadm -F -p deny
echo 1 > /proc/sys/net/ipv4/ip_forward

This still assumes that the default route/gateway is defined on the
NAT server.

In terms of ipchains the above ipfwadm wrapper generates:

ipchains -L IpFwAdM! -v
ipchains -R IpFwAdM! 2 -m 10004
ipchains -A fwd -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQ -m 0x2713

ipchains -P forward DENY


> The problem seems to be widely known, and seems to be an MTU+no-fragment
> packets issue. and indeed:
> - the MTU on my LAN is 1500 bytes
> - the MTU on my ppp connection is 1492 bytes.
>
> on the archives, I found the following solutions:
> - raising the ppp MTU to 1500 bytes. it won't work. even if I specify 1500,
> the mtu is still 1492.
> - lowering the mtu of the LAN to 1492 bytes. that's not an option according
> to my boss.
> - upgrade to something newer than 2.2.14. I run 2.2.19 and I still have the
> problem.
>
> So my questions are:
>
> - are there other options? I read some vague German things about msschamp
> or something like that, but I don't know if they are even related.
>
> - will an upgrade to linux 2.4 or the kernelspace pppoe driver fix my
> problem? (I would like to keep my current setup, I don't know how
> difficult it is to upgrade a potato box to such a recent version ..)

>
>
> Some other observations:
>
> - win2k as masquerading server does not have the problem, but switching to
> win2k is not really an option since win2k seems to have severe problems
> with ftp connections.

That's because it does not support ftp masquerading.

> - the problem also occurs for some mail servers.

Incoming or outgoing?

What I do is have the NAT server receive the incoming mail, and immediately
relay that to the real mail server. It IS possible to do port forwarding
on the NAT server to provide a direct connection to the mail server:

/usr/sbin/ipmasqadm portfw -f # flush forward tables
# (NAT ip addr) (real mail server)
/usr/sbin/ipmasqadm portfw -a -P tcp -L ${IPADDR2} 25 -R 192.168.0.1 25

I use this technique for a web server.

Outgoing mail from the server was no problem since that uses a single
TCP connection.

-------------------------------------------------------------------------
Jesse I Pollard, II
Email: [email protected]

Any opinions expressed are solely my own.