[LARTC] Firewall+NAT: only succeeds for SOME external sites??

[LARTC] Firewall+NAT: only succeeds for SOME external sites??

[Chris Rankin]

Hi,

I have a very simple 2-box network, both running Linux
2.4.7, and connected to the Internet using DSL (pppd
2.4.1 + pppoe). The first box acts as a gateway + NAT
for the second box, and the boxes are connected via a
crossover ethernet cable.

Now I *can* connect to the Internet from the second
box. However, there are some sites that I can only
access from the gateway and I'm running out of ideas
on how to solve this.

Sites that work for BOTH boxes include:
http://news.bbc.co.uk
http://freshmeat.net
http://lwn.net

Sites that work for ONLY the gateway box include:
http://linuxtoday.com
http://setiathome.ssl.berkeley.edu

Also, I can receive Real streams from news.bbc.co.uk
on either machine, but can only receive Real streams
from http://lordoftherings.net on the gateway!

Can anyone suggest anything, please? I have ensured
that the second machine has ip_forward=0 and
*/rp_filter=0, but I can't think of anything else that
might cause it to drop/lose packets. It's routing
table is trivial (from memory):

$ route add 192.168.0.0 netmask 255.255.255.0
192.168.0.1
$ route add default gw 192.168.0.1

where 192.168.0.1 is the gateway, of course, and this
machine has address 192.168.0.2.

Any help here would be greatly appreciated,
Cheers,
Chris



__________________________________________________
Terrorist Attacks on U.S. - How can you help?
Donate cash, emergency relief information
http://dailynews.yahoo.com/fc/US/Emergency_Information/

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/

Re: [LARTC] Firewall+NAT: only succeeds for SOME external sites??

[Stef Coene]

On Friday 21 September 2001 00:24, Chris Rankin wrote:
> Hi,
>
> I have a very simple 2-box network, both running Linux
> 2.4.7, and connected to the Internet using DSL (pppd
> 2.4.1 + pppoe). The first box acts as a gateway + NAT
> for the second box, and the boxes are connected via a
> crossover ethernet cable.
>
> Now I *can* connect to the Internet from the second
> box. However, there are some sites that I can only
> access from the gateway and I'm running out of ideas
> on how to solve this.
Maybe you enabled ecn in the kernel.  Somehere in the /proc tree there is a 
file with ecn in it.  When you find it, you have enabled ecn.  You can 
disable it by doing 'echo 1 > /proc/<file that you find>'

Stef



-- 

stef.coene@docum.org        stef.coene@belgacom.net
More QOS info : http://docum.org/
Title : "Using Linux as bandwidth manager"

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/

Re: [LARTC] Firewall+NAT: only succeeds for SOME external sites??

[Chris Rankin]

Hi,
Yes, the problem turned out to be the MTU on the link
between the boxes. My new routing table on the second
machine looks like this, and is a complete success:

# ip route list
192.168.0.0/24 dev eth0  scope link 
127.0.0.0/8 dev lo  scope link 
default via 192.168.0.1 dev eth0  advmss 1452

Cheers,
Chris

--- Henry Yen <lartc-mail@AegisInfoSys.com> wrote:
> On Thu, Sep 20, 2001 at 03:24:19AM -0700, Chris
> Rankin wrote:
> > I have a very simple 2-box network, both running
> Linux
> > 2.4.7, and connected to the Internet using DSL
> (pppd
> > 2.4.1 + pppoe). The first box acts as a gateway +
> NAT
> > for the second box, and the boxes are connected
> via a
> > crossover ethernet cable.
> > 
> > Now I *can* connect to the Internet from the
> second
> > box. However, there are some sites that I can only
> > access from the gateway and I'm running out of
> ideas
> > on how to solve this.
> > 
> > Sites that work for BOTH boxes include:
> > http://news.bbc.co.uk
> > http://freshmeat.net
> > http://lwn.net
> > 
> > Sites that work for ONLY the gateway box include:
> > http://linuxtoday.com
> > http://setiathome.ssl.berkeley.edu
> 
> a more efficient setup for web surfing might be to
> run squid proxy on
> the gateway box, and point to it as proxy from the
> second box.
> 
> > Also, I can receive Real streams from
> news.bbc.co.uk
> > on either machine, but can only receive Real
> streams
> > from http://lordoftherings.net on the gateway!
> > 
> > Can anyone suggest anything, please? I have
> ensured
> > that the second machine has ip_forward=0 and
> > */rp_filter=0, but I can't think of anything else
> that
> > might cause it to drop/lose packets. It's routing
> > table is trivial (from memory):
> > 
> > $ route add 192.168.0.0 netmask 255.255.255.0
> > 192.168.0.1
> > $ route add default gw 192.168.0.1
> > 
> > where 192.168.0.1 is the gateway, of course, and
> this
> > machine has address 192.168.0.2.
> 
> MTU path discovery problem?  ECN issue (are both
> boxes running the
> exact same distro/kernel level)?
> 
> for the former, try "mtu path discovery broken
> pppoe".
> for the latter, try "ecn linux break".
> both on groups.google.com.
> 
> also, try out tcpdump (with options) to spy on
> what's going on between the
> machines.
> -- 
> Henry Yen <henry@AegisInfoSys.com>             
> Aegis Information Systems, Inc.
> Senior Systems Programmer                      
> Hicksville, New York


__________________________________________________
Terrorist Attacks on U.S. - How can you help?
Donate cash, emergency relief information
http://dailynews.yahoo.com/fc/US/Emergency_Information/

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/

Re: [LARTC] Firewall+NAT: only succeeds for SOME external sites??

[sebastien Robart]

i use pppoe and nat too. I have problems with 2 sites (63.238.77.237 and 
195.101.41.250) only when i change the mru option (rp-pppoe), not the 
mtu. And problem are only for box behind the gateway, directly from the 
gateway i have no problem.
seem a masq + mru bug. (don't ask me what is mru, i didn't have found 
something on it)

maybe you change mru with rp-pppoe too.

seb


Chris Rankin wrote:

>Hi,
>Yes, the problem turned out to be the MTU on the link
>between the boxes. My new routing table on the second
>machine looks like this, and is a complete success:
>
># ip route list
>192.168.0.0/24 dev eth0  scope link 
>127.0.0.0/8 dev lo  scope link 
>default via 192.168.0.1 dev eth0  advmss 1452
>
>Cheers,
>Chris
>
>--- Henry Yen <lartc-mail@AegisInfoSys.com> wrote:
>
>>On Thu, Sep 20, 2001 at 03:24:19AM -0700, Chris
>>Rankin wrote:
>>
>>>I have a very simple 2-box network, both running
>>>
>>Linux
>>
>>>2.4.7, and connected to the Internet using DSL
>>>
>>(pppd
>>
>>>2.4.1 + pppoe). The first box acts as a gateway +
>>>
>>NAT
>>
>>>for the second box, and the boxes are connected
>>>
>>via a
>>
>>>crossover ethernet cable.
>>>
>>>Now I *can* connect to the Internet from the
>>>
>>second
>>
>>>box. However, there are some sites that I can only
>>>access from the gateway and I'm running out of
>>>
>>ideas
>>
>>>on how to solve this.
>>>


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/

Re: [LARTC] Firewall+NAT: only succeeds for SOME external sites??

[bert hubert]

On Fri, Sep 21, 2001 at 11:43:10AM +0200, sebastien Robart wrote:
> i use pppoe and nat too. I have problems with 2 sites (63.238.77.237 and 
> 195.101.41.250) only when i change the mru option (rp-pppoe), not the 
> mtu. And problem are only for box behind the gateway, directly from the 
> gateway i have no problem.
> seem a masq + mru bug. (don't ask me what is mru, i didn't have found 
> something on it)

When using pppoe with masquerading, or any networking at all, use MSS
Clamping, either in the pppoe-daemon or in iptables itself. This solves a
lot or problems with path MTU discovery.

Regards,

bert

-- 
http://www.PowerDNS.com          Versatile DNS Software & Services
Trilab                                 The Technology People
Netherlabs BV / Rent-a-Nerd.nl           - Nerd Available -
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/

Re: [LARTC] Firewall+NAT: only succeeds for SOME external sites??

[sebastien Robart]

With rp-pppoe, mss clamping doesn't seem working. I have same problem 
with the 2 sites.

With iptables, i have add the tcpmss target and add a rule as indicate 
in kernel doc
"iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS 
--clamp-mss-to-pmtu"
and it work perfectly now. I can change mtu and mru (still don't know 
what is mru) without problem.

thx

seb


bert hubert wrote:

>On Fri, Sep 21, 2001 at 11:43:10AM +0200, sebastien Robart wrote:
>
>>i use pppoe and nat too. I have problems with 2 sites (63.238.77.237 and 
>>195.101.41.250) only when i change the mru option (rp-pppoe), not the 
>>mtu. And problem are only for box behind the gateway, directly from the 
>>gateway i have no problem.
>>seem a masq + mru bug. (don't ask me what is mru, i didn't have found 
>>something on it)
>>
>
>When using pppoe with masquerading, or any networking at all, use MSS
>Clamping, either in the pppoe-daemon or in iptables itself. This solves a
>lot or problems with path MTU discovery.
>
>Regards,
>
>bert
>



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/