NAT PPPOE & MTU problems

NAT PPPOE & MTU problems

[s]

[-- Attachment #1: Type: text/plain, Size: 787 bytes --]

I've got a problem with NAT connections on PPPOE.
My box is connected to internet via DSL, and I have some computers behind NAT. 
I changed MTU on internal interfaces to 1492 and configured iptables with:

iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

also I have squid cache installed for local workstations.
When I surfing net without squid everything works fine, no timeouts or something. Is good.
But when I use squid as a cache sometimes when squid uses POST method with huge amount of parameters, connection hangs. On tcpdump I see that one packet is repeated few times (5) and I got timeout message.
What's wrong ? Repeated packet has 1492 bytes lenght. But there's no answer from www server.

Pozdraviam
Przemyslaw Borkowski

[-- Attachment #2: Type: text/html, Size: 1689 bytes --]

Re: NAT PPPOE & MTU problems

[Greg Stark]

"s" <xperience@interia.pl> writes:

> I've got a problem with NAT connections on PPPOE.
> My box is connected to internet via DSL, and I have some computers behind NAT. 
> I changed MTU on internal interfaces to 1492 and configured iptables with:
> 
> iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> 
> also I have squid cache installed for local workstations. When I surfing net
> without squid everything works fine, no timeouts or something. Is good. But
> when I use squid as a cache sometimes when squid uses POST method with huge
> amount of parameters, connection hangs. On tcpdump I see that one packet is
> repeated few times (5) and I got timeout message. What's wrong ? Repeated
> packet has 1492 bytes lenght. But there's no answer from www server.

You might try smaller MTUs. 1492 should work with PPPOE in theory, but some
PPPOE based DSL providers seem to have internal networks that impose
additional constraints. I find my own packets don't seem to get out if they're
over 1480 or so (it seems to vary).

Also, does your provider have a transparent proxy? One transparent proxy I've
seen misbehaved in precisely the manner you're describing. There was no way
around the bug, and people complained incessantly on the support newsgroups.
I eventually just switched providers.

-- 
greg

Re: NAT PPPOE & MTU problems

[Sven Schuster]

s wrote:

> I've got a problem with NAT connections on PPPOE.
> My box is connected to internet via DSL, and I have some computers 
> behind NAT.
> I changed MTU on internal interfaces to 1492 and configured iptables with:
>  
> iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS 
> --clamp-mss-to-pmtu
> also I have squid cache installed for local workstations.
> When I surfing net without squid everything works fine, no timeouts or 
> something. Is good.
> But when I use squid as a cache sometimes when squid uses POST method 
> with huge amount of parameters, connection hangs. On tcpdump I see 
> that one packet is repeated few times (5) and I got timeout message.
> What's wrong ? Repeated packet has 1492 bytes lenght. But there's no 
> answer from www server.
>  
> Pozdraviam
> Przemyslaw Borkowski

I think the problem here is that squid will establish a connection
locally from your box. So when your computers on the internal
net surf directly, the MSS will be clamped to PMTU via your
FORWARD rule. When your clients surf via your squid proxy,
the SYN pakets MSS aren't clamped to PMTU.

So, you'll need the same rule to clamp the MSS for your OUTPUT
rule.

Hope this helps

Sven