* [Bridge] Some clients are unable to connect fully to the other side.
@ 2005-04-04 18:26 Beppe
From: Beppe @ 2005-04-04 18:26 UTC (permalink / raw)
To: bridge
Hi list,
I have set up our router/firewall with bridging.
The bridge is there because we have another router with an ipsec tunnel.
The traffic from that I don't trust; I have seen a lot of noise that
needs to be dropped (ports like 135, 137, 138, 445 etc.)
It all works just fine except for some clients.
From my client (winxpp sp1) I can browse web servers, receive and send
mail on networks behind the bridge and ipsec tunnel.
So the bridge works (for me at least).
The problem on some clients is, for example:
if I telnet to the mail server POP3, I'm able to log in
and list the inbox, but when I do "RETR 1" nothing more happens.
It feels like there is some issue with larger packets from the other side.
tcpdump from a bad client unable to get mail shows:
19:47:50.946266 IP (tos 0x0, ttl 127, id 19315, offset 0, flags [DF],
length: 48) client.1815 > server.110: S [tcp sum ok]
3838110372:3838110372(0) win 65535 <mss 1460,nop,nop,sackOK>
19:47:50.989986 IP (tos 0x0, ttl 127, id 24652, offset 0, flags [DF],
length: 48) server.110 > client.1815: S [tcp sum ok]
376748423:376748423(0) ack 3838110373 win 65535 <mss 1400,nop,nop,sackOK>
19:47:50.990126 IP (tos 0x0, ttl 127, id 19316, offset 0, flags [DF],
length: 40) client.1815 > server.110: . [tcp sum ok] 1:1(0) ack 1 win 65535
19:47:51.034310 IP (tos 0x0, ttl 127, id 24656, offset 0, flags [DF],
length: 140) server.110 > client.1815: P 1:101(100) ack 1 win 65535
19:47:51.034561 IP (tos 0x0, ttl 127, id 19317, offset 0, flags [DF],
length: 74) client.1815 > server.110: P 1:35(34) ack 101 win 65435
19:47:51.078620 IP (tos 0x0, ttl 127, id 24657, offset 0, flags [DF],
length: 45) server.110 > client.1815: P [tcp sum ok] 101:106(5) ack 35
win 65501
19:47:51.078840 IP (tos 0x0, ttl 127, id 19318, offset 0, flags [DF],
length: 55) client.1815 > server.110: P 35:50(15) ack 106 win 65430
19:47:51.130881 IP (tos 0x0, ttl 127, id 24666, offset 0, flags [DF],
length: 74) server.110 > client.1815: P 106:140(34) ack 50 win 65486
19:47:51.131129 IP (tos 0x0, ttl 127, id 19319, offset 0, flags [DF],
length: 46) client.1815 > server.110: P [tcp sum ok] 50:56(6) ack 140
win 65396
19:47:51.181633 IP (tos 0x0, ttl 127, id 24668, offset 0, flags [DF],
length: 54) server.110 > client.1815: P [tcp sum ok] 140:154(14) ack 56
win 65480
19:47:51.182402 IP (tos 0x0, ttl 127, id 19320, offset 0, flags [DF],
length: 48) client.1815 > server.110: P [tcp sum ok] 56:64(8) ack 154
win 65382
19:47:52.613277 IP (tos 0x0, ttl 127, id 19337, offset 0, flags [DF],
length: 48) client.1815 > server.110: P [tcp sum ok] 56:64(8) ack 154
win 65382
19:47:52.662321 IP (tos 0x0, ttl 127, id 24718, offset 0, flags [DF],
length: 40) server.110 > client.1815: . [tcp sum ok] 1554:1554(0) ack 64
win 65472
The last two packets with hex dump:
19:45:33.909104 IP (tos 0x0, ttl 127, id 18214, offset 0, flags [DF],
length: 48) client.1808 > server.110: P [tcp sum ok] 56:64(8) ack 154
win 65382
0x0000: 4500 0030 4726 4000 7f06 0fc4 0a10 888c E..0G&@.........
0x0010: 0a10 0832 0710 006e e2af ddd2 1456 405f ...2...n.....V@_
0x0020: 5018 ff66 1af7 0000 5245 5452 2031 0d0a P..f....RETR.1..
19:45:33.968763 IP (tos 0x0, ttl 127, id 20411, offset 0, flags [DF],
length: 40) server.110 > client.1808: . [tcp sum ok] 1554:1554(0) ack 64
win 65472
0x0000: 4500 0028 4fbb 4000 7f06 0737 0a10 0832 E..(O.@....7...2
0x0010: 0a10 888c 006e 0710 1456 45d7 e2af ddda .....n...VE.....
0x0020: 5010 ffc0 e8ff 0000 0000 0000 0000 P.............
The ghost in me says that it can be something with MTU, can it be that?
I'm not an IP/TCP expert, but from a brief analysis of a good and a bad client:
the first SYN on the good client has "mss 1260" while the bad client has "mss 1460".
Generally the bad clients are Win98se and win2k,
but there are some winxpp with the same issue.
setup:
Linux dist Gentoo 2004.3
Kernel 2.6.11-gentoo-r4
kernel patched with
linux-2.6.11-mppe-mppc-1.3
patch-o-matic-ng-20050322 CLASSIFY
patch-o-matic-ng-20050322 ownercmd
patch-o-matic-ng-20050322 psd
patch-o-matic-ng-20050322 time
patch-o-matic-ng-20050322 IPMARK
patch-o-matic-ng-20050322 TARPIT
patch-o-matic-ng-20050322 XOR
patch-o-matic-ng-20050322 ipp2p
iptables-1.3.1
bridge-utils-0.9.6-r1
Interface desc:
eth0: External network (internet)
eth1: Local network (office)
eth2: DMZ
eth3: Local network (ipsec)
ppp+: Dial-in VPN
tun01: gre tunnel
br0: Bridge network eth1 and eth3
Directions on how to counter this problem are warmly welcome,
take care,
::Beppe
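The symptom above (login and LIST work, the large RETR reply never shows up, and the server's next ACK arrives with a sequence number 1400 bytes past the last segment the client saw) is the signature of a path-MTU blackhole: a full-size DF segment is dropped somewhere on the tunnel path and the ICMP fragmentation-needed message never gets back to the sender. What follows is an added example, not code from the thread: a small Python checker that parses the tcpdump records quoted above (re-joined onto one line each, since the mail wrapped them), pulls the MSS each side advertised in its SYN, and reports sequence gaps and retransmissions per direction. The direction keys, the "+40 bytes of IPv4/TCP header" arithmetic and the wording of the findings are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the tcpdump records from the post, one packet per
# line (the mail client wrapped them across lines).
TRACE = """\
19:47:50.946266 IP (tos 0x0, ttl 127, id 19315, offset 0, flags [DF], length: 48) client.1815 > server.110: S [tcp sum ok] 3838110372:3838110372(0) win 65535 <mss 1460,nop,nop,sackOK>
19:47:50.989986 IP (tos 0x0, ttl 127, id 24652, offset 0, flags [DF], length: 48) server.110 > client.1815: S [tcp sum ok] 376748423:376748423(0) ack 3838110373 win 65535 <mss 1400,nop,nop,sackOK>
19:47:50.990126 IP (tos 0x0, ttl 127, id 19316, offset 0, flags [DF], length: 40) client.1815 > server.110: . [tcp sum ok] 1:1(0) ack 1 win 65535
19:47:51.034310 IP (tos 0x0, ttl 127, id 24656, offset 0, flags [DF], length: 140) server.110 > client.1815: P 1:101(100) ack 1 win 65535
19:47:51.034561 IP (tos 0x0, ttl 127, id 19317, offset 0, flags [DF], length: 74) client.1815 > server.110: P 1:35(34) ack 101 win 65435
19:47:51.078620 IP (tos 0x0, ttl 127, id 24657, offset 0, flags [DF], length: 45) server.110 > client.1815: P [tcp sum ok] 101:106(5) ack 35 win 65501
19:47:51.078840 IP (tos 0x0, ttl 127, id 19318, offset 0, flags [DF], length: 55) client.1815 > server.110: P 35:50(15) ack 106 win 65430
19:47:51.130881 IP (tos 0x0, ttl 127, id 24666, offset 0, flags [DF], length: 74) server.110 > client.1815: P 106:140(34) ack 50 win 65486
19:47:51.131129 IP (tos 0x0, ttl 127, id 19319, offset 0, flags [DF], length: 46) client.1815 > server.110: P [tcp sum ok] 50:56(6) ack 140 win 65396
19:47:51.181633 IP (tos 0x0, ttl 127, id 24668, offset 0, flags [DF], length: 54) server.110 > client.1815: P [tcp sum ok] 140:154(14) ack 56 win 65480
19:47:51.182402 IP (tos 0x0, ttl 127, id 19320, offset 0, flags [DF], length: 48) client.1815 > server.110: P [tcp sum ok] 56:64(8) ack 154 win 65382
19:47:52.613277 IP (tos 0x0, ttl 127, id 19337, offset 0, flags [DF], length: 48) client.1815 > server.110: P [tcp sum ok] 56:64(8) ack 154 win 65382
19:47:52.662321 IP (tos 0x0, ttl 127, id 24718, offset 0, flags [DF], length: 40) server.110 > client.1815: . [tcp sum ok] 1554:1554(0) ack 64 win 65472
"""

# One tcpdump -v record: timestamp, IP header summary, src > dst, TCP flags,
# seq:end(len), optional ack, window, optional <options>.
RECORD = re.compile(
    r"^(?P<ts>\S+) IP \(.*?length: (?P<iplen>\d+)\) "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+) (?:\[tcp sum ok\] )?"
    r"(?P<seq>\d+):(?P<end>\d+)\((?P<plen>\d+)\)(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
    r"(?: <(?P<opts>[^>]*)>)?"
)


@dataclass
class Segment:
    ts: str
    src: str
    dst: str
    flags: str
    seq: int
    end: int
    plen: int
    ack: Optional[int]
    mss: Optional[int]  # only present on SYN / SYN-ACK


def parse_trace(text: str) -> list:
    segments = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        mss = None
        if m.group("opts"):
            mm = re.search(r"mss (\d+)", m.group("opts"))
            mss = int(mm.group(1)) if mm else None
        segments.append(Segment(
            ts=m.group("ts"), src=m.group("src"), dst=m.group("dst"),
            flags=m.group("flags"), seq=int(m.group("seq")), end=int(m.group("end")),
            plen=int(m.group("plen")),
            ack=int(m.group("ack")) if m.group("ack") else None, mss=mss))
    return segments


def analyze(segments: list) -> dict:
    mss = {}          # host -> MSS it advertised (largest segment it will accept)
    expected = {}     # direction -> next relative seq we expect to capture
    gaps = []         # (direction, bytes that never reached the capture point)
    retransmits = []  # (direction, seq of a data segment sent a second time)
    for s in segments:
        direction = f"{s.src}>{s.dst}"
        if "S" in s.flags:
            if s.mss is not None:
                mss[s.src] = s.mss
            expected[direction] = 1  # tcpdump switches to relative numbers after the SYN
            continue
        exp = expected.get(direction, s.seq)
        if s.seq > exp:
            gaps.append((direction, s.seq - exp))
        elif s.plen > 0 and s.seq < exp:
            retransmits.append((direction, s.seq))
        expected[direction] = max(exp, s.end)
    return {"mss": mss, "gaps": gaps, "retransmits": retransmits}


def diagnose(report: dict) -> list:
    """A gap that fits in one segment of the size the receiver advertised is the
    PMTU-blackhole signature: a large DF packet was dropped and the ICMP
    fragmentation-needed message never reached the sender."""
    findings = []
    for direction, missing in report["gaps"]:
        sender, receiver = direction.split(">")
        limit = report["mss"].get(receiver)  # the sender may not exceed the receiver's MSS
        if limit is not None and missing <= limit:
            findings.append(
                f"{missing} bytes from {sender} never reached the capture point; that fits "
                f"one segment under {receiver}'s MSS {limit} ({missing + 40} bytes on the wire "
                "with plain IPv4/TCP headers): PMTU blackhole suspected, clamp the MSS below "
                "the tunnel MTU minus 40")
    for direction, seq in report["retransmits"]:
        findings.append(f"{direction.split('>')[0]} retransmitted data at seq {seq}: "
                        "no ACK for it was captured before the retransmission")
    return findings


if __name__ == "__main__":
    for finding in diagnose(analyze(parse_trace(TRACE))):
        print(finding)
```

Run against the quoted trace it reports the 1400-byte server-to-client gap (the segment carrying the RETR reply, which also carried the ACK for "RETR 1") and the client's retransmission of "RETR 1"; both sides' SYNs show the MSS pair 1460/1400 that lets the server send segments larger than the tunnel can carry.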
* Re: [Bridge] Some clients are unable to connect fully to the other side.[SOLVED]
From: Beppe @ 2005-04-04 18:58 UTC (permalink / raw)
To: bridge
hehe, I feel good.
/usr/local/sbin/iptables -A PREROUTING -t mangle -i br0 -p tcp --syn -j TCPMSS --set-mss 1260
did it.
take care,
::Beppe
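The one-liner in the reply works because rewriting the MSS option in every SYN that crosses the bridge caps the segments the far side will send at 1260 bytes of payload (1300 bytes on the wire), small enough to fit through the ipsec tunnel without fragmentation, so path MTU discovery is never needed. As an added example (not a script from the thread), the POSIX sh helper below derives the MSS from an assumed tunnel MTU and emits the clamp rules; the interface name, the 1300-byte MTU, the second POSTROUTING rule and the ICMP rule are the example's own assumptions, not values from the post.

```sh
#!/bin/sh
# Added example, not from the thread: derive a TCP MSS from a tunnel MTU and
# emit TCPMSS clamp rules for a bridged interface. Interface and MTU values
# below are assumptions (the post itself used --set-mss 1260 on br0).

# MSS = MTU - 20 (IPv4 header) - 20 (TCP header without options).
mss_for_mtu() {
    mtu=$1
    [ "$mtu" -gt 40 ] || { echo "mtu too small: $mtu" >&2; return 1; }
    echo $((mtu - 40))
}

# Print the rules for interface $1 and tunnel MTU $2.
# --tcp-flags SYN,RST SYN matches both the SYN and the SYN/ACK (SYN set, RST
# clear), so each side's advertised MSS gets clamped; --syn matches the bare
# SYN only. --clamp-mss-to-pmtu is deliberately not used: it takes the MTU
# from the firewall's own route, and a bridge forwarding toward a tunnel that
# terminates on another router has no route carrying that tunnel's MTU.
# The FORWARD rule keeps ICMP fragmentation-needed passing, so PMTU discovery
# still works for anything the clamp does not cover.
mss_clamp_rules() {
    ifc=$1
    mss=$(mss_for_mtu "$2") || return 1
    printf '%s\n' \
      "iptables -t mangle -A PREROUTING -i $ifc -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss" \
      "iptables -t mangle -A POSTROUTING -o $ifc -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss" \
      "iptables -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT"
}

# Dry-run by default; APPLY=1 executes each rule (needs root and iptables).
apply_rules() {
    mss_clamp_rules "$1" "$2" | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            sh -c "$rule"
        else
            echo "dry-run: $rule"
        fi
    done
}

apply_rules br0 1300
```

Pick the MTU from the tunnel actually in the path (the ipsec overhead, not the Ethernet MTU), and re-check with the same tcpdump view: after the clamp no server segment should exceed the clamped MSS plus headers, and the sequence gap disappears.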