Heyla, folks. I've got an interesting little report for y'all,
was hoping to get a bit more insight, 'cause I'm rather stumped on it,
and can't really make heads or tails of it. I've got a DSL with PPPoE
set up on the router (running 2.4.17, with NAT) and seem to be having
problems getting to web sites from client machines behind the firewall.
What makes it so curious is that this happens with only a
selection of web servers out there, though the number for me seems to be
growing, unfortunately.
When I use Lynx from the router, I can get to any site out
there on the Internet that I choose. My fire walling rules are simple:
Accepts everything incoming, and outgoing, and masquerades anything
going out from the LAN to the world beyond through the interfaces of
ppp0 and ppp1 (ppp0 being the PPPoE interface through eth1, ppp1 being
the 'backup' dial-up service.)
The other curious thing is when I route traffic to a troubled
site through the modem interface (ppp1), I can access things just fine.
After wading through some packet captures targeting this
problem, I've noticed that when sending a request from one of the
machines behind the NAT box, the standard handshake is processed, then
the HTTP get is sent, and the connection is dropped immediately, but
from the NAT box itself, there's an ACK sent, then the Web server sends
the information with a HTTP/200 response.
I've been trying to puzzle this out for weeks, and due to all
the mitigating factors, the only theory that I can come up with is a
possible bug in the interaction between MASQ and PPPoE, as switching to
the straight PPP account works just fine.
--
Malcolm D. Mallardi - Dark Freak At Large
"Captain, we are receiving two-hundred eighty-five THOUSAND hails."
AOL: Nuark UIN: 11084092 Y!: Magamo Jabber: [email protected]
http://ranka.2y.net:3000/~magamo/index.htm
Is it your MTU on your local network causing fragmentation? Read the PPPoE Howto. It explains about these problems that are common with some providers DSL networks.
Kind Regards
Crispin
On Wed, Jan 30, 2002 at 01:50:40AM -0500, Malcolm Mallardi wrote:
> Heyla, folks. I've got an interesting little report for y'all,
> was hoping to get a bit more insight, 'cause I'm rather stumped on it,
> and can't really make heads or tails of it. I've got a DSL with PPPoE
> set up on the router (running 2.4.17, with NAT) and seem to be having
> problems getting to web sites from client machines behind the firewall.
>
> What makes it so curious is that this happens with only a
> selection of web servers out there, though the number for me seems to be
> growing, unfortunately.
> When I use Lynx from the router, I can get to any site out
> there on the Internet that I choose. My fire walling rules are simple:
> Accepts everything incoming, and outgoing, and masquerades anything
> going out from the LAN to the world beyond through the interfaces of
> ppp0 and ppp1 (ppp0 being the PPPoE interface through eth1, ppp1 being
> the 'backup' dial-up service.)
> The other curious thing is when I route traffic to a troubled
> site through the modem interface (ppp1), I can access things just fine.
>
> After wading through some packet captures targeting this
> problem, I've noticed that when sending a request from one of the
> machines behind the NAT box, the standard handshake is processed, then
> the HTTP get is sent, and the connection is dropped immediately, but
> from the NAT box itself, there's an ACK sent, then the Web server sends
> the information with a HTTP/200 response.
>
> I've been trying to puzzle this out for weeks, and due to all
> the mitigating factors, the only theory that I can come up with is a
> possible bug in the interaction between MASQ and PPPoE, as switching to
> the straight PPP account works just fine.
>
> --
> Malcolm D. Mallardi - Dark Freak At Large
> "Captain, we are receiving two-hundred eighty-five THOUSAND hails."
> AOL: Nuark UIN: 11084092 Y!: Magamo Jabber: [email protected]
> http://ranka.2y.net:3000/~magamo/index.htm
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
On Wed, Jan 30, 2002 at 01:50:40AM -0500, Malcolm Mallardi wrote:
> Heyla, folks. I've got an interesting little report for y'all,
> was hoping to get a bit more insight, 'cause I'm rather stumped on it,
> and can't really make heads or tails of it. I've got a DSL with PPPoE
> set up on the router (running 2.4.17, with NAT) and seem to be having
> problems getting to web sites from client machines behind the firewall.
Have you tried the TCPMSS target in the mangle chain in order to clamp
the TCP MSS to the mtu?
This seems to be the problem you are encountering.
For further questions please follow up to the netfilter users mailing list
at [email protected].
> Malcolm D. Mallardi - Dark Freak At Large
--
Live long and prosper
- Harald Welte / [email protected] http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M-
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)
Hello Malcolm,
try to change the MTU on your clientmashines:
ifconfig eth0 mtu 1400
then connect again ...
this Problem comes with many Webservers use Loadbalancing and BigIP
because they answer with an different Packetsice and Providers like
T-Online
block this ...
bye
Malcolm Mallardi wrote:
> Heyla, folks. I've got an interesting little report for y'all,
>was hoping to get a bit more insight, 'cause I'm rather stumped on it,
>and can't really make heads or tails of it. I've got a DSL with PPPoE
>set up on the router (running 2.4.17, with NAT) and seem to be having
>problems getting to web sites from client machines behind the firewall.
>
> What makes it so curious is that this happens with only a
>selection of web servers out there, though the number for me seems to be
>growing, unfortunately.
> When I use Lynx from the router, I can get to any site out
>there on the Internet that I choose. My fire walling rules are simple:
>Accepts everything incoming, and outgoing, and masquerades anything
>going out from the LAN to the world beyond through the interfaces of
>ppp0 and ppp1 (ppp0 being the PPPoE interface through eth1, ppp1 being
>the 'backup' dial-up service.)
> The other curious thing is when I route traffic to a troubled
>site through the modem interface (ppp1), I can access things just fine.
>
> After wading through some packet captures targeting this
>problem, I've noticed that when sending a request from one of the
>machines behind the NAT box, the standard handshake is processed, then
>the HTTP get is sent, and the connection is dropped immediately, but
>from the NAT box itself, there's an ACK sent, then the Web server sends
>the information with a HTTP/200 response.
>
> I've been trying to puzzle this out for weeks, and due to all
>the mitigating factors, the only theory that I can come up with is a
>possible bug in the interaction between MASQ and PPPoE, as switching to
>the straight PPP account works just fine.
>
>--
>Malcolm D. Mallardi - Dark Freak At Large
>"Captain, we are receiving two-hundred eighty-five THOUSAND hails."
>AOL: Nuark UIN: 11084092 Y!: Magamo Jabber: [email protected]
>http://ranka.2y.net:3000/~magamo/index.htm
>-
>To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
>the body of a message to [email protected]
>More majordomo info at http://vger.kernel.org/majordomo-info.html
>Please read the FAQ at http://www.tux.org/lkml/
>
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS
--clamp-mss-to-pmtu
On Wed, 30 Jan 2002, Malcolm Mallardi wrote:
> Heyla, folks. I've got an interesting little report for y'all,
> was hoping to get a bit more insight, 'cause I'm rather stumped on it,
> and can't really make heads or tails of it. I've got a DSL with PPPoE
> set up on the router (running 2.4.17, with NAT) and seem to be having
> problems getting to web sites from client machines behind the firewall.
>
> What makes it so curious is that this happens with only a
> selection of web servers out there, though the number for me seems to be
> growing, unfortunately.
> When I use Lynx from the router, I can get to any site out
> there on the Internet that I choose. My fire walling rules are simple:
> Accepts everything incoming, and outgoing, and masquerades anything
> going out from the LAN to the world beyond through the interfaces of
> ppp0 and ppp1 (ppp0 being the PPPoE interface through eth1, ppp1 being
> the 'backup' dial-up service.)
> The other curious thing is when I route traffic to a troubled
> site through the modem interface (ppp1), I can access things just fine.
>
> After wading through some packet captures targeting this
> problem, I've noticed that when sending a request from one of the
> machines behind the NAT box, the standard handshake is processed, then
> the HTTP get is sent, and the connection is dropped immediately, but
> from the NAT box itself, there's an ACK sent, then the Web server sends
> the information with a HTTP/200 response.
>
> I've been trying to puzzle this out for weeks, and due to all
> the mitigating factors, the only theory that I can come up with is a
> possible bug in the interaction between MASQ and PPPoE, as switching to
> the straight PPP account works just fine.
>
> --
> Malcolm D. Mallardi - Dark Freak At Large
> "Captain, we are receiving two-hundred eighty-five THOUSAND hails."
> AOL: Nuark UIN: 11084092 Y!: Magamo Jabber: [email protected]
> http://ranka.2y.net:3000/~magamo/index.htm
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>