kristoczaj (Apprentice; joined 18 Apr 2004; 201 posts; Poland)
Posted: Sun May 15, 2005 10:54 pm
Subject: router works but I can't view some webpages [SOLVED]
Here's my situation:
I have a network:
router: a Pentium 166 MMX with 2 Ethernet cards and an ADSL modem: eagle-usb - my internet connection
my computer: Athlon XP 2500+, connected to the router by eth0
other computer: Windows, doesn't matter right now [I think]
On my computer I can do most of the internet stuff: browse WWW, ping, ssh, email, except for:
cannot connect to http://studia.elka.pw.edu.pl or http://home.elka.pw.edu.pl - the browser finds that page and says: waiting for... and it waits forever
I can ping those pages though:
```text
# ping studia.elka.pw.edu.pl
PING elektron.elka.pw.edu.pl (194.29.160.2) 56(84) bytes of data.
64 bytes from elektron.elka.pw.edu.pl (194.29.160.2): icmp_seq=1 ttl=247 time=30.8 ms
64 bytes from elektron.elka.pw.edu.pl (194.29.160.2): icmp_seq=2 ttl=247 time=38.4 ms
```
Also, I cannot get mail through POP3 from mion.elka.pw.edu.pl. However, I can fortunately ssh to mion.elka.pw.edu.pl.
Those pages work when I view them directly from the router.
Info about my router:
```sh
# cat /etc/conf.d/net
ifconfig_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )
# note: the broadcast below is 192.168.0.255 although eth1 sits on 192.168.1.0/24;
# the matching broadcast for that subnet would be 192.168.1.255
ifconfig_eth1=( "192.168.1.1 broadcast 192.168.0.255 netmask 255.255.255.0" )
```
```text
# cat /etc/ipkungfu/forward.conf
FORWARD_POLICY=ACCEPT
:192.168.0.2:::ACCEPT
:192.168.1.2:::ACCEPT
```
```sh
# cat /etc/ipkungfu/ipkungfu.conf
EXT_NET="ppp0"
INT_NET="eth0 eth1"
GATEWAY=1
ALLOWED_TCP_IN="22 4661:4680"
ALLOWED_UDP_IN="22 4661:4680"
SUSPECT="REJECT"
KNOWN_BAD="REJECT"
PORT_SCAN="REJECT"
GET_IP="AUTO"
```
```text
# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source          destination
RETURN     all  --  192.168.0.0/16  !192.168.0.0/16
RETURN     all  --  10.0.0.0/8      !10.0.0.0/8
Chain POSTROUTING (policy ACCEPT)
target     prot opt source          destination
MASQUERADE all  --  192.168.0.0/16  anywhere
MASQUERADE all  --  10.0.0.0/8      anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source          destination
```
I don't know what other info to put here; please ask for any other info if needed.
If anyone can help me, I'd appreciate it very much.
Regards
moocha (Watchman; joined 21 Oct 2003; 5722 posts)
Posted: Mon May 16, 2005 12:12 am
Do those pages work from your router machine?
Is Explicit Congestion Notification turned on or off on the router? `/sbin/sysctl net.ipv4.tcp_ecn` will tell you. If it is, try turning it off by editing the corresponding line in /etc/sysctl.conf (or adding `net.ipv4.tcp_ecn = 1` to it) and running
Edit: Er, duh, about my first question - yes, your post actually said you can. Never mind.
_________________
Military Commissions Act of 2006: http://tinyurl.com/jrcto
"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."
-- attributed to Benjamin Franklin
Valhlalla (Apprentice; joined 22 Sep 2003; 161 posts; Sydney, Australia)
Posted: Mon May 16, 2005 12:17 am
How have you set up DNS?
I sometimes get problems like this when my DNS setup is screwed up.
_________________
Pork Chop Sandwiches, Oh Sh*t!
moocha (Watchman; joined 21 Oct 2003; 5722 posts)
Posted: Mon May 16, 2005 12:51 am
It's not DNS since he can ping the machine hostname just fine.
think4urs11 (Bodhisattva; joined 25 Jun 2003; 6659 posts; above the cloud)
Posted: Mon May 16, 2005 8:26 am
shot in the dark + dirty trick
lower your MTU size, e.g. to 1400
HTH
T.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
kristoczaj (Apprentice; joined 18 Apr 2004; 201 posts; Poland)
Posted: Mon May 16, 2005 9:33 am
moocha wrote:
> Is Explicit Congestion Notification turned on or off on the router? `/sbin/sysctl net.ipv4.tcp_ecn` will tell you. If it is, try turning it off by editing the corresponding line in /etc/sysctl.conf (or adding `net.ipv4.tcp_ecn = 1` to it) and running

I tried turning it on [it was off], and after that, no effect:
```text
root@router # sysctl net.ipv4.tcp_ecn
net.ipv4.tcp_ecn = 0
root@router # vi /etc/sysctl.conf
root@router # sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.tcp_ecn = 1
net.ipv4.conf.default.rp_filter = 1
```
so I turned it back off. What does it do anyway?
kristoczaj (Apprentice; joined 18 Apr 2004; 201 posts; Poland)
Posted: Mon May 16, 2005 9:36 am
moocha wrote:
> It's not DNS since he can ping the machine hostname just fine.

For DNS I just copied the router's /etc/resolv.conf to my computer, but as you said, it can't be the DNS.
kristoczaj (Apprentice; joined 18 Apr 2004; 201 posts; Poland)
Posted: Mon May 16, 2005 9:44 am
Think4UrS11 wrote:
> shot in the dark + dirty trick
> lower your MTU size, e.g. to 1400
> HTH
> T.

I managed to find out that MTU is a parameter of eth* and can be displayed:
```text
root@router / # ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:40:F6:14:07:72
          inet addr:192.168.1.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1500 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1260 errors:0 dropped:0 overruns:0 carrier:0
          collisions:4 txqueuelen:1000
          RX bytes:148240 (144.7 Kb)  TX bytes:968287 (945.5 Kb)
          Interrupt:11 Base address:0x6200
```
But I can't find how to set it.
Edit: What is MTU anyway?
moocha (Watchman; joined 21 Oct 2003; 5722 posts)
Posted: Mon May 16, 2005 10:21 am
`ifconfig eth1 mtu 1400` - if that fixes it, you could add that line to /etc/conf.d/local.start.
kristoczaj (Apprentice; joined 18 Apr 2004; 201 posts; Poland)
Posted: Mon May 16, 2005 12:10 pm
Works!!! I did, on my computer:
```sh
root@mlotek # ifconfig eth0 mtu 1400
```
and it started working. Doing the same on the router didn't work, but it doesn't matter.
Thank you all for the help.
Btw, what's MTU?
Regards
think4urs11 (Bodhisattva; joined 25 Jun 2003; 6659 posts; above the cloud)
Posted: Mon May 16, 2005 12:17 pm
MTU = Maximum Transfer Unit
means the biggest size (in bytes) every data packet you send can have without the need to fragment it. In Ethernet the default is 1500; when using PPPoE it's 1492, and so on.
... good to know my dark shot hit the target ...
adaptr (Watchman; joined 06 Oct 2002; 6730 posts; Rotterdam, Netherlands)
Posted: Mon May 16, 2005 12:20 pm
Maximum Transmission Unit - the size a source packet may be before it will be broken up into more than one segment for transmission.
It is no mystery that doing this on your router won't make a difference, since the MTU is propagated - i.e. small packets won't normally be rebuilt into larger ones by any routers in between.
So either the source machine (your desktop) has to set it correctly, or the router has to explicitly rebuild all packets before they go out onto the wire - which is a pain.
You can probably increase the MTU to 1492, by the way.
The Ethernet default is 1500 - which is 8 bytes too large for some types of connection...
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
kristoczaj (Apprentice; joined 18 Apr 2004; 201 posts; Poland)
Posted: Mon May 16, 2005 1:45 pm
Yep, adaptr and Think4UrS11, you're absolutely right; this works:
```sh
root@mlotek # ifconfig eth0 mtu 1492
```
and this doesn't:
```sh
root@mlotek # ifconfig eth0 mtu 1493
```
I don't have to add that in my case the router uses ppp.
Many thanks for the info!
I wonder how Windows will cooperate with this.
Regards
LV426 (n00b; joined 13 May 2005; 17 posts; Germany)
Posted: Mon May 16, 2005 2:55 pm
Well, you most likely will still run into some problems, because Windows will still try to use an MTU of 1500 for outgoing
connections, but you can add this line to your box's firewall script:
```sh
# match TCP segments with SYN set and RST clear, and lower their MSS option
# to the outgoing interface's MTU minus 40 (IPv4 + TCP headers)
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```
With this, your router will set the MSS field of the TCP packets to just the right size, and your Windows
box will never know what happened and will just work fine.
_________________
Experience is a hard teacher because she gives the test first, the lesson afterwards.
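What that TCPMSS rule actually does to a packet, and why adaptr's point about the MTU having to be right at the source matters, is easier to see worked through in code. The block below is an added illustration written for this page, not code from the thread, from ipkungfu or from iptables: it builds a constructed IPv4/TCP SYN of the kind a LAN host with MTU 1500 sends (MSS 1460), applies the same "SYN without RST, MSS at most MTU - 40" rewrite the kernel target performs, and repairs the TCP checksum. The addresses are the thread's own (192.168.0.2 and 194.29.160.2); the ports, sequence number, window and all function names are assumptions made for the example. One simplification: the kernel target also inserts an MSS option when a SYN carries none, which this version does not.

```python
"""MSS clamping as iptables' TCPMSS --clamp-mss-to-pmtu does it, worked through in
pure Python 3 (standard library only). Added example, not code from the thread,
ipkungfu or iptables; ports, seq number and window below are constructed values."""
import socket
import struct

IPV4_HDR = 20   # IPv4 header without options
TCP_HDR = 20    # TCP header without options
ICMP_HDR = 8    # ICMP echo header

def mss_for_mtu(path_mtu):
    """Largest TCP payload that fits one packet on this MTU: the 'MTU - 40' the
    kernel target uses (IPv4 + TCP headers, no options). 1492 -> 1452."""
    return path_mtu - IPV4_HDR - TCP_HDR

def ping_payload_for_mtu(mtu):
    """Data size N for `ping -M do -s N` that yields exactly an MTU-sized IPv4 packet."""
    return mtu - IPV4_HDR - ICMP_HDR

def _checksum(data):
    """RFC 1071 ones-complement checksum; 0 when data already carries a correct one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def _tcp_checksum(src, dst, segment):
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    return _checksum(pseudo + segment)

def build_syn(src, dst, sport, dport, mss):
    """Constructed IPv4/TCP SYN with one MSS option, as a LAN host with MTU 1500 sends it."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    opts = struct.pack("!BBH", 2, 4, mss)              # kind 2 = MSS, length 4
    doff = (TCP_HDR + len(opts)) // 4                  # data offset in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                      doff << 4, 0x02, 65535, 0, 0) + opts       # flags 0x02 = SYN
    tcp = tcp[:16] + struct.pack("!H", _tcp_checksum(src_b, dst_b, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + len(tcp), 0, 0x4000,
                     64, socket.IPPROTO_TCP, 0, src_b, dst_b)   # 0x4000 = DF set
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp

def tcp_checksum_ok(packet):
    ihl = (packet[0] & 0x0F) * 4
    return _tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0

def _mss_offset(packet):
    """Offset of the 16-bit MSS value in the TCP options, or None if absent/malformed."""
    ihl = (packet[0] & 0x0F) * 4
    end = ihl + (packet[ihl + 12] >> 4) * 4
    i = ihl + TCP_HDR
    while i + 1 < end:
        kind = packet[i]
        if kind == 0:                       # end of option list
            return None
        if kind == 1:                       # NOP padding
            i += 1
            continue
        length = packet[i + 1]
        if length < 2 or i + length > end:  # malformed: leave the packet alone
            return None
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None

def mss_option(packet):
    off = _mss_offset(packet)
    return None if off is None else struct.unpack_from("!H", packet, off)[0]

def clamp_mss(packet, path_mtu):
    """Forward-path rewrite of one packet: for a SYN with RST clear (the thread's
    --tcp-flags SYN,RST SYN match) lower an MSS larger than mss_for_mtu() and
    refresh the TCP checksum. A SYN without an MSS option is left unchanged here
    (the kernel target would insert one)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_TCP:
        return packet
    flags = packet[ihl + 13]
    if not (flags & 0x02) or (flags & 0x04):
        return packet
    off = _mss_offset(packet)
    limit = mss_for_mtu(path_mtu)
    if off is None or struct.unpack_from("!H", packet, off)[0] <= limit:
        return packet
    pkt = bytearray(packet)
    struct.pack_into("!H", pkt, off, limit)
    pkt[ihl + 16:ihl + 18] = b"\x00\x00"              # zero the old checksum, recompute
    csum = _tcp_checksum(bytes(pkt[12:16]), bytes(pkt[16:20]), bytes(pkt[ihl:]))
    struct.pack_into("!H", pkt, ihl + 16, csum)
    return bytes(pkt)

if __name__ == "__main__":
    syn = build_syn("192.168.0.2", "194.29.160.2", 40000, 80, mss_for_mtu(1500))
    out = clamp_mss(syn, 1492)                         # ppp0 MTU on the router
    print("MSS %d -> %d, checksum ok: %s" % (mss_option(syn), mss_option(out), tcp_checksum_ok(out)))
    print("ping -M do -s %d sends one 1492-byte packet" % ping_payload_for_mtu(1492))
```

The clamp only ever lowers the option, which is why the rule is harmless for hosts that already advertise a small enough MSS (the desktop after `ifconfig eth0 mtu 1492`), and why it helps where lowering the router's own LAN MTU did not: the remote server sizes its segments from the MSS it sees in the SYN, not from any MTU configured on a box in between. `ping_payload_for_mtu` gives the `-s` value for a quick check from a LAN host: `ping -M do -s 1464 194.29.160.2` sends exactly one 1492-byte IPv4 packet with DF set, and one byte more has to be refused somewhere along the PPP path.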
kristoczaj (Apprentice; joined 18 Apr 2004; 201 posts; Poland)
Posted: Mon May 16, 2005 8:48 pm
LV426 wrote:
> iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Correct me if I'm wrong:
1. I can add the above rule before the other rules [I don't understand iptables very well]. In my case, in the file /etc/ipkungfu/custom.conf.
2. Adding that rule should make my computer [Gentoo], connected to the router through eth1, work with the network connection even if the MTU is 1500. And the Windows computer connected to eth0 should work too.
kristoczaj (Apprentice; joined 18 Apr 2004; 201 posts; Poland)
Posted: Mon May 16, 2005 9:17 pm
OK, I added the following line to my router's /etc/ipkungfu/custom.conf:
```sh
# $IPTABLES is the iptables binary as ipkungfu defines it for custom.conf
$IPTABLES -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```
which adds that rule before all other rules.
I set the MTU on my computer back to 1500 to see if it works, and for now it works. I know that it might just work by accident, because of some caching or something, so I'll know for sure in the future.
And the Windows computer - I'll test as soon as I get a cable for connecting computers eth-to-eth [I don't know what it's called, crossed or something?]. I'll probably have this cable tomorrow or the day after, and then I'll write if it works.
Thanks again for the tips and information.
Regards