Gentoo Forums
Obscure networking problems with a simple masquerading setup
simucal
n00b

Joined: 21 Jun 2004
Posts: 65

PostPosted: Wed Jul 11, 2007 11:27 pm    Post subject: Obscure networking problems with a simple masquerading setup

I have a box with eth0 (wan) and eth1 (lan). There is another machine connected to eth1, so that it can use the internet through masquerading. I have not changed much lately, and this has worked great for some time, except that recently it has started behaving as if there is packet loss. At first I thought there was something wrong with The actual machine can access the internet without problems. I would appreciate it if someone could take a look at my setup to see if they notice anything wrong.

If I do tcpdump, I notice lots of errors like:
Code:

yo-in-f99.google.com unreachable - need to frag (mtu 576), length 556
yo-in-f99.google.com.http:  tcp 576 [bad hdr length 0 - too short


My iptables script is:
Code:
#!/bin/sh
# flush the existing filter and nat rules
iptables -F
iptables -t nat -F
iptables -F INPUT

export WAN=eth0
export LAN=eth1

# accept everything arriving from the LAN side and from loopback
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT

# accept packets on the WAN side that belong to connections this box already has
iptables -A INPUT -m state --state established -i ${WAN} -j ACCEPT

# masquerade LAN traffic as it leaves through the WAN interface
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# drop whatever is left that did not come in on loopback
iptables -A INPUT ! -i lo -j DROP

# enable forwarding between the interfaces and reverse-path filtering on all of them
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > "$f" ; done


/etc/sysctl.conf:
Code:
net.ipv4.ip_forward = 1
net.ipv4.ip_dynaddr = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1


Code:
Networking  --->
  <*> Packet socket
  [*]   Packet socket: mmapped IO
  [*]   IP: advanced router
  [*]   IP: policy routing
  [*] Network packet filtering framework (Netfilter)  --->
    Core Netfilter Configuration  --->
      <*> Netfilter connection tracking support
      <*>   "MARK" target support
      <*>   "limit" match support
      <*>   Multiple port match support
      <*>   "state" match support
    IP: Netfilter Configuration  --->
      <*> Netfilter connection tracking support
      <*>   "MARK" target support
      <*>   "limit" match support
      <*>   Multiple port match support
      <*>   "state" match support
Device Drivers  --->
  Network device support  --->
    Ethernet (10 or 100Mbit)  --->
      [*] EISA, VLB, PCI and on board controllers
        <*>   nForce Ethernet support
        [*]     Use Rx and Tx Polling (NAPI) (EXPERIMENTAL)
    [*]   Ethernet (1000 Mbit)  --->
      <*>   New SysKonnect GigaEthernet support

_________________
Tranquility can best be reached through indifference to pleasure and pain.
steveb
Advocate

Joined: 18 Sep 2002
Posts: 4564

PostPosted: Wed Jul 11, 2007 11:55 pm    Post subject:

Looks to me like your MTU is very low. Can you check how high your MTU is on the WAN interface?

// SteveB
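As an added example (not from this thread), a small POSIX shell script that pulls the path MTU advertised in tcpdump's "need to frag" messages, like the ones quoted in the first post, and compares it with the MTU sysfs reports for the WAN interface. The tcpdump lines are constructed, and the interface name eth0 is assumed from the post.

```shell
#!/bin/sh
# Added example (not from the thread): pull the path MTU advertised in tcpdump
# "need to frag" messages and compare it with an interface's own MTU.

# Constructed sample of tcpdump output, modelled on the lines in the first post.
SAMPLE_DUMP='IP gw > lanhost: ICMP yo-in-f99.google.com unreachable - need to frag (mtu 576), length 556
IP yo-in-f99.google.com.http > lanhost.43210: tcp 576 [bad hdr length 0 - too short
IP gw > lanhost: ICMP yo-in-f99.google.com unreachable - need to frag (mtu 1492), length 556
IP lanhost.43211 > yo-in-f99.google.com.http: Flags [S], seq 1, win 5840, length 0'

# min_frag_mtu: read tcpdump text on stdin and print the smallest MTU announced
# in "need to frag (mtu N)" messages; prints nothing when there are none.
min_frag_mtu() {
    sed -n 's/.*need to frag (mtu \([0-9][0-9]*\)).*/\1/p' | sort -n | head -n 1
}

# count_frag_needed: number of "need to frag" messages on stdin (0 is not an error).
count_frag_needed() {
    grep -c 'need to frag (mtu' || true
}

# iface_mtu: current MTU of a Linux interface from sysfs; prints nothing if absent.
iface_mtu() {
    cat "/sys/class/net/$1/mtu" 2>/dev/null || true
}

# mtu_verdict PATH_MTU LINK_MTU: say what the two numbers mean for forwarded traffic.
mtu_verdict() {
    if [ -z "$1" ]; then
        echo "no need-to-frag messages seen"
    elif [ "$1" -lt "$2" ]; then
        echo "path MTU $1 below link MTU $2: ICMP fragmentation-needed must reach the LAN hosts"
    else
        echo "path MTU $1 not below link MTU $2"
    fi
}

main() {
    wan=${1:-eth0}                      # WAN interface name assumed from the post
    smallest=$(printf '%s\n' "$SAMPLE_DUMP" | min_frag_mtu)
    link=$(iface_mtu "$wan"); link=${link:-1500}   # assume 1500 if the interface is absent
    echo "need-to-frag messages: $(printf '%s\n' "$SAMPLE_DUMP" | count_frag_needed)"
    echo "smallest announced path MTU: ${smallest:-none}"
    mtu_verdict "$smallest" "$link"
}

main "$@"
```

To run it against a real capture, replace SAMPLE_DUMP with `tcpdump -n -i eth0 icmp` output and pass the WAN interface name as the first argument.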
simucal
n00b

Joined: 21 Jun 2004
Posts: 65

PostPosted: Thu Jul 12, 2007 12:41 am    Post subject:

How would I go about checking/setting that? I googled around a little bit about MTUs and it seems like something set by PPPoE for dialup connections? However, I do not have DSL; I use cable, which does not require anything and simply works as an ethernet link. The box connected directly to the cable modem does not have such problems, only anything that tries to go through iptables and masquerading to share the internet.

Also, I found someone mentioning MTU as:
Quote:
the MTU of 1500 was chosen for 10Mbps ethernet and was kept
for 100Mbps and 1Gbps ethernet for backwards compatibility
on mixed networks. However MTU=1500 is too small
for 100Mbps and 1Gbps ethernet. In Gbps ethernet jumbo frames
(ie bigger MTU) is used to increase throughput.

On my LVS performance page I found that decreasing the MTU
decreased max throughput on 100Mbps ethernet. Since the decrease
was approx linear with MTU, I wondered if the linearity would
still be linear beyond 1500, and if increasing the MTU
on 100Mbps would increase max throughput (ignoring
the problem of fragmenting packets once they got off the LAN).

I couldn't increase the MTU above 1500 with ifconfig or ip link.
I found that the MTU seemed to be defined in

linux/include/if_ether.h
as
ETH_DATA_LEN and ETH_FRAME_LEN

and increased these by 1500, recompiled the kernel and net-tools
and rebooted. I still can't install a device with MTU>1500

I'm still trying to figure all of this out, but could it be something related to the fact that the onboard cards I have are gigabit and the computer and modem link are 100Mbit capable? I'm just guessing.
_________________
Tranquility can best be reached through indifference to pleasure and pain.
simucal
n00b

Joined: 21 Jun 2004
Posts: 65

PostPosted: Mon Jul 30, 2007 3:34 pm    Post subject:

Anyone?
_________________
Tranquility can best be reached through indifference to pleasure and pain.
Edweirdo
Guru

Joined: 28 Jan 2003
Posts: 353
Location: Boston, Mass, USA

PostPosted: Tue Aug 28, 2007 11:42 pm    Post subject:

I now have this same problem. I had a setup working for years and the only thing that has changed is that I keep it up to date. I also added a new 100M switch where I only had a 10M before.

An interesting twist is that I can't get bridged networking to work in VMware. In VMware I get the same symptoms. I believe these issues are related. Here is the topic I posted about that: https://forums.gentoo.org/viewtopic-t-569546-highlight-.html
_________________
Life is too short and too important to { take seriously | use Windows }.