solamour l33t
Joined: 21 Dec 2004 Posts: 726 Location: San Diego, CA
Posted: Fri May 04, 2012 4:58 am Post subject: [Solved] Win7 Can't Access Some Sites Behind Gentoo Router
I think I'm asking in the wrong forum, but I have a hunch I might be able to get some useful guidance from gentoo experts, so here it is.
I have a simple gentoo box acting as a router. A bunch of boxes are sharing Internet connection through gentoo, and gentoo is running Shorewall (firewall).
Code: | Internet ---- gentoo ---- switch ---- bunch o' boxes |
The bunch of boxes is composed of several Linux distributions as well as Windows XP and Windows 7 (x64). Everything works fine, except that I can't access certain web sites from Windows 7; all other web sites are OK, except a few that the web browsers (Firefox, Chrome, IE) try to open but eventually time out. Some other sites, such as Amazon and Google, take a lot longer than others to load.
Funny thing is, when I set the browser to use gentoo's Squid (web proxy), all the troubling sites work fine, so it must be something between Windows 7 and gentoo. Windows XP and all other Linux boxes don't have this problem. I tried turning off Windows 7's firewall and gentoo's Shorewall without success.
I'd appreciate any suggestions on what to look for. Thank you.
__
sol
Last edited by solamour on Sat May 05, 2012 6:19 am; edited 1 time in total
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Fri May 04, 2012 8:08 am
a few random shots in the dark, for whatever that's worth:
- IPv6
- MTU problem
Those are the two things that spring to mind that would be added/removed from the picture based on going through a proxy or not.
start with DNS lookups from the Win7 box, maybe a packet cap, see if it's trying to connect to an IPv6 address
_________________
Lost configuring your system? dump lspci -n here | see Pappy's guide | Link Stash
solamour l33t
Joined: 21 Dec 2004 Posts: 726 Location: San Diego, CA
Posted: Fri May 04, 2012 8:30 pm
I thought about IPv6, but other than checking it off in Win7, I'm not sure what I can do about it.
I read something about MTU, but messing with it didn't make much difference, possibly because I wasn't doing it right.
Just to make sure I'm not missing anything, I brought the Win7 laptop to work and verified that everything worked as expected. But when I bring the laptop home, it won't load certain sites.
Frankly I really don't care too much about the troubling sites, because I don't go there often enough for it to bother me, and when I need to, I can always use the web proxy server on the Gentoo router. But it's still puzzling, and I'm not sure I'd feel good about it.
__
sol
Hu Administrator
Joined: 06 Mar 2007 Posts: 23101
Posted: Fri May 04, 2012 10:33 pm
What is the output of "ip a" on the Gentoo machine? Blank the public IP address if you want. I want to see the interface properties, rather than their actual addresses. Have you checked a packet capture of the Windows 7 machine accessing the problematic site versus an internal Linux machine (not the Gentoo router) accessing that same site successfully?
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Sat May 05, 2012 2:31 am
Check that your firewall is not blocking ICMP packets (used e.g. for MTU negotiation).
solamour l33t
Joined: 21 Dec 2004 Posts: 726 Location: San Diego, CA
Posted: Sat May 05, 2012 5:23 am
Here is the output of "ip a".
Code: | 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state UP qlen 1000
link/ether 00:01:c0:04:03:f3 brd ff:ff:ff:ff:ff:ff
inet --.---.---.--/25 brd 255.255.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:01:c0:04:0c:ba brd ff:ff:ff:ff:ff:ff
inet 192.168.0.254/24 brd 192.168.0.255 scope global eth1
inet6 fe80::201:c0ff:fe04:cba/64 scope link
valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
link/sit 0.0.0.0 brd 0.0.0.0
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
38: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN qlen 1000
link/ether 00:25:9c:06:13:8f brd ff:ff:ff:ff:ff:ff
|
Not sure how to capture packets from Windows 7, but if you'd give me some directions, I'd be able to share the result.
The firewall was the first place I checked, but making it wide open didn't make any difference. Besides, it doesn't seem to explain why Windows XP, Linux, an Android phone, an iPod Touch, and even a Wii are OK.
Also if I hook up Windows 7 directly to the cable modem with nothing in between, everything is working fine.
__
sol
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Sat May 05, 2012 5:34 am
Check the MTU that Windows 7 is using. I'm sure you can google as to how.
That's the lowest setting - why so low?
Quote: | link/ether 00:01:c0:04:03:f3 brd ff:ff:ff:ff:ff:ff
inet --.---.---.--/25 brd 255.255.255.255 scope global eth0 |
So it's only set up for IPv6?
solamour l33t
Joined: 21 Dec 2004 Posts: 726 Location: San Diego, CA
Posted: Sat May 05, 2012 6:18 am
Changing the MTU of gentoo's eth0 from 576 to 1500 fixed the problem. Not sure why it was set to 576, because I don't remember doing it.
Code: | # ifconfig eth0 mtu 1500 |
Thank you everyone for taking the time to respond. I knew the Gentoo forum is the place to go.
__
sol
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Sat May 05, 2012 6:25 am
Probably your dhcp changes it.
solamour l33t
Joined: 21 Dec 2004 Posts: 726 Location: San Diego, CA
Posted: Sat May 05, 2012 7:54 am
Indeed. I noticed that gentoo's MTU was changed back to 576 automatically, and when I commented out "option interface_mtu" in "/etc/dhcpcd.conf", the value has stayed as is so far. Thanks for the help.
__
sol
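The two checks this thread's fix boils down to, written up as an added example (not code from the thread): flag any UP interface whose MTU in "ip a" output is below a floor, and test whether /etc/dhcpcd.conf still lets a DHCP-supplied interface_mtu override the interface setting. The sample "ip a" text is constructed from the values posted above; the function names are my own.

```shell
#!/bin/sh
# low_mtu_ifaces [floor]  (reads "ip a" output on stdin)
# Prints "name mtu" for every interface that is UP, is not lo, and has an
# MTU below the floor (default 1500). The check keys on the format
# "N: name: <FLAGS> mtu VALUE ..." that "ip a" prints for each interface.
low_mtu_ifaces() {
    floor="${1:-1500}"
    awk -v floor="$floor" '
        /^[0-9]+: / {
            name = $2; sub(/:$/, "", name); mtu = ""
            for (i = 1; i <= NF; i++) if ($i == "mtu") mtu = $(i + 1)
            # $3 is the <...> flag list; require UP as a whole flag, not LOWER_UP
            if (name != "lo" && $3 ~ /[<,]UP[,>]/ && mtu != "" && mtu + 0 < floor)
                print name, mtu
        }'
}

# dhcpcd_requests_mtu /etc/dhcpcd.conf
# Succeeds when an uncommented "option ..." line still requests interface_mtu,
# i.e. the DHCP server's MTU suggestion will keep being applied on renewal.
dhcpcd_requests_mtu() {
    grep -Eq '^[[:space:]]*option[[:space:]]+.*interface_mtu' "$1"
}

# Constructed sample modelled on the "ip a" output posted in this thread.
SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state UP qlen 1000
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
4: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
38: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN qlen 1000'

# On a live router you would run: ip a | low_mtu_ifaces
printf '%s\n' "$SAMPLE" | low_mtu_ifaces
```

Only eth0 is reported: sit0 sits at 1480 but is DOWN, and tunnels legitimately run below 1500 anyway, so the floor is meant for the physical uplink.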
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Sat May 05, 2012 9:00 am
solamour wrote: |
Not sure how to capture packets from Windows 7, but if you'd give me some directions, I'd be able to share the result.
|
realize this is solved, but for future reference Wireshark is available for Windows.
Download, run installer, capture=>interfaces=>start
_________________
Lost configuring your system? dump lspci -n here | see Pappy's guide | Link Stash
Hu Administrator
Joined: 06 Mar 2007 Posts: 23101
Posted: Sat May 05, 2012 4:08 pm
I wanted to see the network capture as done by the Gentoo router, but with clients running on the working and non-working internal systems.
With regard to the MTU, I have encountered DHCP servers that suggest the minimum MTU to the DHCP client, even when, as in this case, a more common MTU of 1500 works at least as well, if not better. These servers are usually operated by individuals who are unaware that their server is wrong, unable to fix it, or uninterested in fixing it. Advertising an unnecessarily low MTU is bad practice, so anyone who can fix their server to advertise the proper MTU should do so. In my opinion, anyone who runs a DHCP server exposed to end users should know that this is bad practice and should have fixed it before the end users ever discovered the bad advertisement. As described in WP: MTU, there are some situations where advertising a smaller MTU is better, but I doubt that any of those justifications apply here.
solamour l33t
Joined: 21 Dec 2004 Posts: 726 Location: San Diego, CA
Posted: Sun May 06, 2012 6:41 am
When I ran Wireshark on Windows 7 to capture data, I noticed that with the gentoo box's MTU set to 576, a lot of "Time-to-live exceeded (Fragment reassembly time exceeded)" entries were in the log. With 1500, everything went through smoothly. Perhaps that might be why some sites load properly while others don't.
I'd share the network capture from the gentoo router, if someone shows me how to do so. The gentoo box doesn't have the graphical interface, so I need to use a console-based tool.
__
sol
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Sun May 06, 2012 8:31 am
solamour wrote: | When I ran Wireshark on Windows 7 to capture data, I noticed that with gentoo box's MTU set 576, a lot of "Time-to-live exceeded (Fragment reassembly time exceeded)" were in the log. With 1500, everything went through smoothly. Perhaps that might be the cause some sites load properly while some others don't.
I'd share the network capture from the gentoo router, if someone shows me how to do so. The gentoo box doesn't have the graphical interface, so I need to use a console-based tool.
__
sol |
tcpdump will work on the gentoo box
e.g.
Code: | tcpdump -s0 -w somefilename.pcap |
wireshark can also save .cap/.pcap (i think it's just file=>save, but i dont have wireshark handy here)
in addition you can read the pcap made from tcpdump on the gentoo machine, using Wireshark on the Windows machine (usual File=>Open stuff).
there are more flags you can add to tcpdump to prune out data, but the -s0 makes sure full packets are captured, and the -w specifies to write the output to a file (with the file name taken as the argument to -w )
_________________
Lost configuring your system? dump lspci -n here | see Pappy's guide | Link Stash
solamour l33t
Joined: 21 Dec 2004 Posts: 726 Location: San Diego, CA
Posted: Mon May 07, 2012 8:34 am
Not sure it's safe to share the capture files with the world (let me know if that's not the case), but in the name of experiment, here they are. The captures were done from the gentoo box using tcpdump.
http://dl.dropbox.com/u/9810590/mtu1500_good.pcap
http://dl.dropbox.com/u/9810590/mtu576_bad.pcap
I see a lot of red-colored entries when I open "mtu576_bad.pcap" in Wireshark, which, I believe, is not a good sign. Anyhow, I now know what the problem is and how to solve it. The troubling web sites are loading blazingly fast. Thank you all.
__
sol