Re: Router on 6.0-stable fails to route tcp packets due to NAT?? malfunction



On Mon, Dec 26, 2005 at 05:56:31PM +0200, Oleg Tarasov wrote:
O> Further analysis brought me to the conclusion that the problem is in the MTU
O> values. Changing the MTU on the client machines made everything work fine,
O> but as far as I know this is not right. If packets are routed between
O> interfaces with different MTUs they have to be fragmented or something. If
O> fragmentation is impossible due to the "don't fragment" bit being set, an ICMP
O> "Need Fragmentation" packet should be sent to the packet sender.
O>
O> As far as I know web and FTP packets don't have the "don't fragment" bit set, so
O> packet fragmentation should apply normally, which doesn't happen.
O>
O> Reading my firewall configuration we can see that any ICMP packets can
O> go freely through it, so the reason for such a malfunction is unknown to
O> me. Also there are rules that allow fragmented packets to pass
O> freely. Anyway, the firewall configuration was copied from another
O> production system which also has different MTUs on its interfaces.
O>
O> Can anyone tell me what the problem is?

The problem is that you've got a PPPoE link between the local net and the internet.

(internet cloud, MTU 1500)-(your ISP)-[mtu 1492]-(your server)-[mtu 1500]-(your clients).

So, when your Windows machines create a new outgoing connection they set the TCP MSS
value to 1460, since they don't know about the 1492 MTU link on the way.
And this link limits the TCP MSS to 1452.

There are numerous solutions to fix this:

1) ports/net/tcpmssd - a divert daemon, like natd. You need to divert
traffic through it, and it will alter the TCP MSS value to the set limit.
2) ng_tcpmss(4) - a netgraph node implementing the same code in the kernel.
You usually need ng_ipfw(4) to divert traffic via ng_tcpmss(4).
3) Recently I committed ng_tcpmss support into mpd, but this
code is not yet included in any release. If you are brave,
you can check out mpd from CVS and use it. It will configure the ng_tcpmss
node automatically.

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
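The MSS arithmetic and the rewrite that tcpmssd/ng_tcpmss perform on a SYN, as an added illustration that is not part of the thread and not the code of either tool: it derives the MSS limit from the PPPoE MTU (1492 - 20 IP - 20 TCP = 1452), walks the TCP option list of a constructed SYN carrying MSS 1460, lowers the option to the limit, and patches the TCP checksum incrementally (RFC 1624) instead of recomputing it over the whole segment. The addresses, ports and sequence number are constructed sample values; IPv4 without IP options is assumed.

```python
import socket
import struct

IP_HDR_LEN = 20    # IPv4 header without options (assumption for this example)
TCP_HDR_LEN = 20   # TCP header without options
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
TH_SYN = 0x02


def mss_for_mtu(mtu):
    """Largest TCP MSS that fits one unfragmented IPv4 packet on a link of this MTU."""
    return mtu - IP_HDR_LEN - TCP_HDR_LEN


def _fold(total):
    """Fold a sum down to 16 bits with end-around carry (ones-complement addition)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """Full TCP checksum over the IPv4 pseudo-header plus the segment.
    Over a segment whose checksum field is already correct this returns 0."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + \
        struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    return (~_fold(total)) & 0xFFFF


def update_checksum(old_csum, old_word, new_word):
    """Incremental update, RFC 1624 eq. 3: HC' = ~(~HC + ~m + m')."""
    c = _fold(((~old_csum) & 0xFFFF) + ((~old_word) & 0xFFFF) + new_word)
    return (~c) & 0xFFFF


def build_syn(src_ip, dst_ip, sport, dport, mss):
    """Constructed SYN segment (no payload) with a single MSS option and a valid checksum."""
    opts = struct.pack("!BBH", TCPOPT_MSS, 4, mss)
    doff = (TCP_HDR_LEN + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4, TH_SYN,
                      65535, 0, 0) + opts
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def find_mss(segment):
    """Walk the TCP option list; return (offset of the MSS value, MSS) or None.
    Stops on a malformed option rather than reading past the header."""
    doff = (segment[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < doff:
        kind = segment[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= doff:
            break
        length = segment[i + 1]
        if length < 2 or i + length > doff:
            break
        if kind == TCPOPT_MSS and length == 4:
            return i + 2, struct.unpack_from("!H", segment, i + 2)[0]
        i += length
    return None


def clamp_mss(segment, max_mss):
    """Lower the MSS option of a SYN to max_mss if it is larger.
    Returns (segment, original_mss) when rewritten, else (segment, None)."""
    seg = bytearray(segment)
    if not seg[13] & TH_SYN:          # MSS is only negotiated on SYN segments
        return bytes(seg), None
    found = find_mss(seg)
    if found is None:
        return bytes(seg), None
    off, old = found
    if old <= max_mss:
        return bytes(seg), None
    struct.pack_into("!H", seg, off, max_mss)
    old_csum = struct.unpack_from("!H", seg, 16)[0]
    struct.pack_into("!H", seg, 16, update_checksum(old_csum, old, max_mss))
    return bytes(seg), old


if __name__ == "__main__":
    src, dst = "192.0.2.10", "198.51.100.20"   # constructed sample addresses
    syn = build_syn(src, dst, 40000, 80, 1460)  # what a 1500-MTU host sends
    limit = mss_for_mtu(1492)                   # the PPPoE link: 1452
    clamped, original = clamp_mss(syn, limit)
    print("MSS %d -> %d, checksum valid: %s"
          % (original, find_mss(clamped)[1], tcp_checksum(src, dst, clamped) == 0))
```

A SYN that already carries an MSS at or below the limit, or a non-SYN segment, passes through untouched, which is the same behaviour the clamping daemons rely on: only the handshake is rewritten, and the rest of the connection simply never generates segments larger than the negotiated value.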
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net