Re: MPD and fragmentation
- From: Artyom Viklenko <artem@xxxxxxxxxxxxxx>
- Date: Thu, 26 Jul 2007 09:09:21 +0300
Mihai Tanasescu wrote:
Hello,
With help from another FreeBSD user on this list I was able to set up an MPD pptp server to allow Windows machines to connect to it.
Unfortunately now I've stumbled upon some strange behaviors.
First of all I'm getting icmp losses even if I use a test LAN to make a tunnel to the local FBSD machine, but these don't seem to affect my transfer rate when trying to get a large file via HTTP from the same machine.
What bothers me most is that some sites (like msn.com, microsoft.com, etc) don't seem to be loading.
What I first thought about was the mss problem and so I discovered the following:
22:54:36.633254 IP (tos 0x0, ttl 64, id 14254, offset 0, flags [DF], proto: ICMP (1), length: 56) FBSD-IP > 207.68.183.32: ICMP FBSD-IP unreachable - need to frag (mtu 1336), length 36
In my config file I have:
set iface mtu 1500
set link mtu 1440
set iface enable tcpmssfix
My full config is posted here:
http://pastebin.com/m66a3c05f
My system:
FreeBSD 6.1-RELEASE-p17
MPD 4.1
I played a bit with the above mentioned values with no luck unfortunately.
I'm still wondering (don't know if I'm right) if a too large packet comes from 207.68.183.32 why doesn't it get fragmented upon being sent via ng0 -> pptp1 and instead of this happening my machine sends an ICMP unreachable back.
Also I have pf running on that machine with a NAT rule for traffic not destined to the local network (but after several experiments with that nothing changed in regard to the problem I have).
I'm banging my head against the wall as I don't know what else to try anymore.
Can someone help me out?
If you use PF, try adding the rule
scrub in all fragment reassemble no-df
And VERY carefully check your ruleset. Maybe you block ICMP somewhere
and PMTU doesn't work.
As a last resort you can add
max-mss <some-size> to the scrub rule. <some-size> may be some value in
the range of 1300-1460.
Sometimes it helps.
--
Sincerely yours,
Artyom Viklenko.
-------------------------------------------------------
artem@xxxxxxxxxxxxxx | http://www.aws-net.org.ua/~artem
FreeBSD: The Power to Serve - http://www.freebsd.org
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
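
Added example, not part of the original messages and not code from MPD or pf: it parses the tcpdump "need to frag" line quoted in the post, derives the largest TCP MSS that fits the reported MTU, and formats it into the scrub rule suggested in the reply. It assumes IPv4 and TCP headers without options (40 bytes in total); the function names are hypothetical.

```python
import re

# IPv4 header (20 bytes) + TCP header (20 bytes), no options on either.
IPV4_TCP_OVERHEAD = 40

# tcpdump -v rendering of ICMP type 3 code 4 (fragmentation needed, DF set).
NEED_FRAG = re.compile(
    r"IP \(.*?\) (?P<src>\S+) > (?P<dst>[^\s:]+): "
    r"ICMP \S+ unreachable - need to frag \(mtu (?P<mtu>\d+)\)"
)

def parse_need_frag(lines):
    """Return one dict per 'need to frag' message found in tcpdump output."""
    events = []
    for line in lines:
        m = NEED_FRAG.search(line)
        if m:
            events.append({"reporter": m["src"], "sender": m["dst"],
                           "mtu": int(m["mtu"])})
    return events

def suggest_max_mss(events):
    """Largest TCP MSS that fits the smallest path MTU reported, or None."""
    if not events:
        return None
    return min(e["mtu"] for e in events) - IPV4_TCP_OVERHEAD

def scrub_rule(max_mss):
    """Format the scrub rule from the reply with a max-mss value appended."""
    return f"scrub in all fragment reassemble no-df max-mss {max_mss}"

CAPTURE = [
    # Line quoted in the original post (addresses as the poster gave them).
    "22:54:36.633254 IP (tos 0x0, ttl 64, id 14254, offset 0, flags [DF], "
    "proto: ICMP (1), length: 56) FBSD-IP > 207.68.183.32: ICMP FBSD-IP "
    "unreachable - need to frag (mtu 1336), length 36",
    # Constructed line: unrelated ICMP traffic that must be ignored.
    "22:54:37.101010 IP (tos 0x0, ttl 64, id 14255, offset 0, flags [none], "
    "proto: ICMP (1), length: 84) 192.0.2.10 > 192.0.2.1: ICMP echo request, "
    "id 1, seq 1, length 64",
]

if __name__ == "__main__":
    events = parse_need_frag(CAPTURE)
    print(events)
    print(scrub_rule(suggest_max_mss(events)))
```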