wrekno n00b
Joined: 26 Feb 2003 Posts: 39 Location: Budapest, Hungary
Posted: Fri Nov 26, 2004 2:00 am Post subject: Interesting problem with browsing (through my gateway)
So, first of all, I have just changed my cable network to ADSL. With cable, I never had a problem. But now....
So almost everything is constant. I recompiled the kernel (from 2.6.9...mm.. to 2.6.10-rc1-mm2) with PPP support, and nothing else changed. I did it following this howto: https://forums.gentoo.org/viewtopic.php?t=77326. I also made some minor changes in my firewall script, but I think it doesn't matter, because I'm not limiting anything from the internet or to the internet by IP/hostname; and my problem is:
There are some web sites (till now only web sites and only 2 or 3) I can't download (like my ISP's homepage). I don't know why. I tried a lot of things, but I can't guess what's happening. Last time I tried with this iptables config:
Code:
```bash
#!/bin/bash
# The posted fragment uses $ipt, $NET_IFACE and $LOC_NET without setting
# them; the three assignments below are assumed values so the script runs
# on its own (ppp0 is the PPPoE uplink, 192.168.1.0/24 the LAN behind it).
ipt=/sbin/iptables
NET_IFACE=ppp0
LOC_NET=192.168.1.0/24

# Flush and delete every chain in every loaded table, then reset the
# built-in policies of each table to ACCEPT.
for a in $(cat /proc/net/ip_tables_names); do
    $ipt -F -t "$a"
    $ipt -X -t "$a"
    if [ "$a" = nat ]; then
        $ipt -t nat -P PREROUTING ACCEPT
        $ipt -t nat -P POSTROUTING ACCEPT
        $ipt -t nat -P OUTPUT ACCEPT
    elif [ "$a" = mangle ]; then
        $ipt -t mangle -P PREROUTING ACCEPT
        $ipt -t mangle -P INPUT ACCEPT
        $ipt -t mangle -P FORWARD ACCEPT
        $ipt -t mangle -P OUTPUT ACCEPT
        $ipt -t mangle -P POSTROUTING ACCEPT
    elif [ "$a" = filter ]; then
        $ipt -t filter -P INPUT ACCEPT
        $ipt -t filter -P FORWARD ACCEPT
        $ipt -t filter -P OUTPUT ACCEPT
    fi
done

# Masquerade the LAN behind the uplink's address.
$ipt -t nat -A POSTROUTING -o "$NET_IFACE" -s "$LOC_NET" -j MASQUERADE
```
I was watching the iptables logs, I was sitting in front of iptstate, and now I have no more ideas. Please help: what should I watch, what should I log, ....
wrekno n00b
Posted: Fri Nov 26, 2004 2:04 am
Oh yes, when I shared my connection over an ADSL router, it worked. But I want a Gentoo router.
wrekno n00b
Posted: Fri Nov 26, 2004 9:01 am
I'm using dnsmasq, probably that's the problem.
Code:
```
Nov 26 09:51:26 glw dnsmasq[22697]: query audit.median.hu[A] from 192.168.1.2
Nov 26 09:51:26 glw dnsmasq[22697]: forwarded audit.median.hu to 195.38.96.20
Nov 26 09:51:26 glw dnsmasq[22697]: reply audit.median.hu is 193.68.35.131
Nov 26 09:51:26 glw dnsmasq[22697]: reply audit.median.hu is 193.68.35.136
Nov 26 09:51:26 glw dnsmasq[22697]: reply audit.median.hu is 193.68.35.149
Nov 26 09:51:26 glw dnsmasq[22697]: reply audit.median.hu is 193.91.69.232
Nov 26 09:51:26 glw dnsmasq[22697]: query audit.webinform.hu[A] from 192.168.1.2
Nov 26 09:51:26 glw dnsmasq[22697]: forwarded audit.webinform.hu to 195.38.96.20
Nov 26 09:54:26 glw dnsmasq[22697]: query audit.webinform.hu[A] from 192.168.1.2
Nov 26 09:54:26 glw dnsmasq[22697]: forwarded audit.webinform.hu to 195.38.97.1
Nov 26 09:54:26 glw dnsmasq[22697]: forwarded audit.webinform.hu to 195.38.96.20
Nov 26 09:54:26 glw dnsmasq[22697]: reply audit.webinform.hu is 194.149.10.58
Nov 26 09:54:26 glw dnsmasq[22697]: reply audit.webinform.hu is 194.149.10.56
Nov 26 09:54:26 glw dnsmasq[22697]: reply audit.webinform.hu is 194.149.10.57
```
Code:
```
Nov 26 09:56:29 glw dnsmasq[22697]: query audit.median.hu[A] from 192.168.1.2
Nov 26 09:56:29 glw dnsmasq[22697]: cached audit.median.hu is 193.68.35.131
Nov 26 09:56:29 glw dnsmasq[22697]: cached audit.median.hu is 193.91.69.232
Nov 26 09:56:29 glw dnsmasq[22697]: cached audit.median.hu is 193.68.35.149
Nov 26 09:56:29 glw dnsmasq[22697]: cached audit.median.hu is 193.68.35.136
Nov 26 09:56:29 glw dnsmasq[22697]: query audit.webinform.hu[A] from 192.168.1.2
Nov 26 09:56:29 glw dnsmasq[22697]: forwarded audit.webinform.hu to 195.38.96.20
Nov 26 09:56:29 glw dnsmasq[22697]: query ads.adverticum.net[A] from 192.168.1.2
Nov 26 09:56:29 glw dnsmasq[22697]: forwarded ads.adverticum.net to 195.38.96.20
Nov 26 09:56:29 glw dnsmasq[22697]: reply ads.adverticum.net is 195.228.242.101
Nov 26 09:56:34 glw dnsmasq[22697]: query audit.webinform.hu[A] from 192.168.1.2
Nov 26 09:56:34 glw dnsmasq[22697]: forwarded audit.webinform.hu to 195.38.97.1
Nov 26 09:56:34 glw dnsmasq[22697]: forwarded audit.webinform.hu to 195.38.96.20
Nov 26 09:56:34 glw dnsmasq[22697]: reply audit.webinform.hu is 194.149.10.57
Nov 26 09:56:34 glw dnsmasq[22697]: reply audit.webinform.hu is 194.149.10.58
Nov 26 09:56:34 glw dnsmasq[22697]: reply audit.webinform.hu is 194.149.10.56
```
The browsers can't do anything with audit.webinform.hu. Something should be wrong with that...
wrekno n00b
Posted: Fri Nov 26, 2004 9:45 am
Oh no, audit.median.hu causes the same problem. The only clue I've got is that all these pages want to make some kind of secure/authorized connection....
Any ideas?
wrekno n00b
Posted: Sat Nov 27, 2004 10:54 am
Solved:
Code:
```bash
# Rewrite the MSS option of every forwarded SYN (SYN set, RST clear) so
# that it fits the MTU of the outgoing path instead of the LAN's 1500.
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```
mr_daemon n00b
Joined: 03 May 2004 Posts: 20 Location: Quebec, Canada
Posted: Sun Nov 28, 2004 11:09 pm
I _was_ about to mention the clamp trick.
I believe using rp-pppoe (which can be used in kernel mode as well) does this automatically.
wrekno n00b
Posted: Mon Nov 29, 2004 8:51 am
I'm using rp-pppoe in kernel mode... I think it's not automatic.
tazer n00b
Joined: 29 Nov 2004 Posts: 3
Posted: Mon Nov 29, 2004 5:19 pm
You can also set the MTU of your interface to 1492, as PPPoX adds an 8-byte header to all packets.
Code:
```bash
ifconfig eth0 mtu 1492
```
or put it in your /etc/conf.d/net file:
Code:
```bash
iface_eth0="xxx.xxx.xxx.xxx broadcast xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx mtu 1492"
```
Of course, if you have a lot of PCs you're NATing, then the already provided solution is optimal.
See also: http://www.nat32.com/htm/mtu.htm
wrekno n00b
Posted: Mon Nov 29, 2004 5:55 pm
rp-pppoe sets the MTU to 1492 automatically... so it wasn't a problem..
mr_daemon n00b
Posted: Mon Nov 29, 2004 6:51 pm
Oh, well, it seems to try.
Quote:
```
Nov 29 12:37:35 angeldust pppd[22088]: RP-PPPoE plugin version 3.3 compiled against pppd 2.4.2
Nov 29 12:37:35 angeldust pppd[22088]: pppd 2.4.2 started by root, uid 0
Nov 29 12:37:50 angeldust pppd[22088]: PPP session is 353
Nov 29 12:37:50 angeldust pppd[22088]: Using interface ppp0
Nov 29 12:37:50 angeldust pppd[22088]: Connect: ppp0 <--> eth0
Nov 29 12:37:50 angeldust pppd[22088]: Couldn't increase MTU to 1500
Nov 29 12:37:50 angeldust pppd[22088]: Couldn't increase MRU to 1500
Nov 29 12:37:50 angeldust pppd[22088]: Couldn't increase MTU to 1500
Nov 29 12:37:50 angeldust pppd[22088]: Couldn't increase MRU to 1500
Nov 29 12:37:51 angeldust pppd[22088]: PAP authentication succeeded
Nov 29 12:37:51 angeldust pppd[22088]: peer from calling number 00:90:1A:40:C3:0A authorized
Nov 29 12:37:51 angeldust pppd[22088]: local IP address 66.11.179.1
Nov 29 12:37:51 angeldust pppd[22088]: remote IP address 66.11.190.1
```
I find this rather annoying, but it is only cosmetic.
And rp-pppoe DOES clamp the MSS.
From pppoe.conf:
Quote:
```
# Do you want to clamp the MSS? Here's how to decide:
# - If you have only a SINGLE computer connected to the ADSL modem, choose
# "no".
# - If you have a computer acting as a gateway for a LAN, choose "1412".
# The setting of 1412 is safe for either setup, but uses slightly more
# CPU power.
CLAMPMSS=1412
#CLAMPMSS=no
```
tazer n00b
Posted: Mon Nov 29, 2004 8:03 pm
wrekno wrote:
> rp-pppoe sets the MTU to 1492 automatically... so it wasn't a problem..
My mistake, I thought you were having problems with a box on the LAN side of the router. rp-pppoe will set the correct MTU on the router itself, but LAN clients would still have problems in that scenario, without the clampmss or mtu settings.
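The mechanism tazer describes, as an added example that is not code from this thread, from rp-pppoe or from iptables: a LAN client with a 1500-byte Ethernet MTU advertises MSS 1460 in its SYN, but the PPPoE uplink only carries 1492-byte IP packets (1500 minus the 8-byte PPPoE/PPP overhead), so the server's full-size reply segments would need fragmentation that never happens on the path. The script below models what the thread's `TCPMSS --clamp-mss-to-pmtu` rule does on the gateway: it parses a TCP SYN, finds the MSS option and, if the advertised value exceeds path MTU minus the 40 bytes of IPv4 and TCP headers (1452 for a 1492 MTU), rewrites it and repairs the TCP checksum. It only rewrites an MSS option that is already present; the client address 192.168.1.2 is taken from the dnsmasq log above, the server address and the packet bytes are constructed sample data. rp-pppoe's own default of 1412 in pppoe.conf is simply more conservative than the 1452 computed here.

```python
"""Model of MSS clamping on a PPPoE gateway.

Added example (not from the thread, rp-pppoe or iptables): re-implements
the essence of `iptables ... -j TCPMSS --clamp-mss-to-pmtu` on one SYN.
All packet bytes and addresses are constructed for the demonstration.
"""
import struct

IPV4_HDR_LEN = 20
TCP_HDR_LEN = 20
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8                          # PPPoE header (6) + PPP protocol field (2)
PPPOE_MTU = ETHERNET_MTU - PPPOE_OVERHEAD   # 1492, what rp-pppoe sets on ppp0


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits one IPv4 packet of the given MTU."""
    return mtu - IPV4_HDR_LEN - TCP_HDR_LEN


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(src: bytes, dst: bytes, segment: bytes) -> bool:
    # A segment that carries a correct checksum sums to zero.
    return tcp_checksum(src, dst, segment) == 0


def build_syn(src: bytes, dst: bytes, sport: int, dport: int, mss: int) -> bytes:
    """A minimal SYN: 20-byte header (data offset 6) plus a 4-byte MSS option."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 6 << 4, 0x02, 65535, 0, 0)
    segment = header + struct.pack("!BBH", 2, 4, mss)
    csum = tcp_checksum(src, dst, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def clamp_mss(src: bytes, dst: bytes, segment: bytes, path_mtu: int):
    """Return (segment, advertised_mss, resulting_mss).

    Only segments matching `--tcp-flags SYN,RST SYN` are inspected; a SYN
    without an MSS option comes back unchanged with (None, None).
    """
    flags = segment[13]
    if not (flags & 0x02) or (flags & 0x04):
        return segment, None, None
    data_offset = (segment[12] >> 4) * 4
    limit = mss_for_mtu(path_mtu)
    out = bytearray(segment)
    i = TCP_HDR_LEN
    while i < data_offset:
        kind = out[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP padding
            i += 1
            continue
        length = out[i + 1]
        if kind == 2 and length == 4:       # MSS option
            advertised = struct.unpack("!H", out[i + 2:i + 4])[0]
            if advertised <= limit:
                return segment, advertised, advertised
            out[i + 2:i + 4] = struct.pack("!H", limit)
            out[16:18] = b"\x00\x00"        # zero the checksum before recomputing
            out[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(out)))
            return bytes(out), advertised, limit
        i += length
    return segment, None, None


def demo():
    """LAN client 192.168.1.2 (from the thread's dnsmasq log) opening a
    connection to a web server; the server address is sample data only."""
    src = bytes([192, 168, 1, 2])
    dst = bytes([194, 149, 10, 58])
    syn = build_syn(src, dst, 40000, 80, mss_for_mtu(ETHERNET_MTU))  # advertises 1460
    clamped, before, after = clamp_mss(src, dst, syn, PPPOE_MTU)
    return before, after, checksum_ok(src, dst, clamped)


if __name__ == "__main__":
    print(demo())   # (1460, 1452, True)
```

Running the script shows the advertised MSS going from 1460 to 1452 with a valid checksum on the rewritten SYN. The `SYN,RST SYN` flag test mirrors the iptables match in the thread: only connection openers are touched, and a segment whose advertised MSS already fits the path is passed through byte-for-byte.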
wrekno n00b
Posted: Mon Nov 29, 2004 9:17 pm
mr_daemon: The first one is the same for me. The MTU is 1492 for me, without changing anything.
In my pppoe.conf that's the same too, but it seems to be irrelevant...
wrekno n00b
Posted: Mon Nov 29, 2004 9:20 pm
tazer wrote:
> My mistake, I thought you were having problems with a box on the LAN side of the router. rp-pppoe will set the correct MTU on the router itself, but LAN clients would still have problems in that scenario, without the clampmss or mtu settings.
You were right, I had the problems on the LAN side, but I didn't have to change anything with the MTU. It was OK for me.