Re: ipfw + natd => some sites won't work :-S

From: Emanuel Strobl (Emanuel.strobl_at_gmx.net)
Date: 05/10/05

    To: freebsd-questions@freebsd.org
    Date: Tue, 10 May 2005 00:50:58 +0200

    On Tuesday, 10 May 2005 00:42, Frank de Bot wrote:
    > Hi,
    >
    > I got my FreeBSD set up to do NAT, but it doesn't work 100%. Sites like
    > Google, for instance, do work, but many others don't. All other protocols

    I guess you're using an A-DSL line with PPPoE, right?
    If so, see the tcp-mss fix. PPPoE consumes 8 bytes of your MTU, so the
    maximum segment size of TCP sessions is also reduced by 8 bytes, which the
    machine behind the NAT box doesn't know. Your NAT box has to alter the mss
    field in the TCP header because many sites have wrongly configured firewalls
    which simply block all ICMP traffic, so the "must fragment" error from your
    router never reaches the originating host. So the sent packet is too
    big to go over your line and the "Must Fragment" bit is ignored... you'll
    never receive what you've requested.

    I'm not familiar with IPFW; perhaps NATD can take care of MSS. PF does with
    "max-mss".

    -Harry

    > seem to be working properly. But why are sites failing to do anything?
    > I got natd running with the verbose option, and a successful request to
    > google is identical to a random other site :S
    > The firewall I use is rather big. The most important piece is:
    >
    > 01200 723 652298 divert 8668 ip from any to 82.94.238.70 via fxp0
    > 01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any
    > 01200 0 0 allow ip from any to 10.0.5.0/24
    > 01201 524 85399 allow ip from 82.94.238.70 to any
    > 01201 3 144 allow ip from any to 82.94.238.70
    > 01500 871494 216106437 allow tcp from any to any established
    >
    >
    > /etc/natd.conf is:
    >
    > alias_address %external_ip%
    > verbose
    >
    >
    > It just puzzles me why only some http requests would fail and everything
    > else works fine!
    > Anyone got any idea?
    >
    >
    > Thanks in advance,
    >
    > Frank de Bot
    > _______________________________________________
    > freebsd-questions@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    > To unsubscribe, send any mail to
    > "freebsd-questions-unsubscribe@freebsd.org"
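The MSS fix Harry describes, as an added example that is not part of the original thread: a Python sketch of what a NAT box's MSS clamping does to an outgoing SYN, using a constructed segment (the thread's 82.94.238.70 as destination, an assumed inside host 10.0.5.10, and a 1492-byte PPPoE MTU), including the checksum repair the rewrite requires.

```python
import struct

PPPOE_OVERHEAD = 8  # bytes PPPoE takes from the 1500-byte Ethernet MTU
SRC, DST = bytes([10, 0, 5, 10]), bytes([82, 94, 238, 70])  # constructed sample addresses

def max_mss(link_mtu: int) -> int:
    return link_mtu - 40  # minus IPv4 (20) and TCP (20) headers without options

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Full TCP checksum over the IPv4 pseudo-header plus segment (RFC 793)."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def sample_syn(mss: int) -> bytes:
    """Constructed SYN, port 40000 -> 80, 24-byte header carrying one MSS option."""
    seg = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    seg += struct.pack("!BBH", 2, 4, mss)
    return seg[:16] + struct.pack("!H", tcp_checksum(SRC, DST, seg)) + seg[18:]

def clamp_mss(segment: bytes, mss_limit: int):
    """Lower an oversized MSS option in place; returns (segment, original MSS or None)."""
    buf = bytearray(segment)
    data_offset = min((buf[12] >> 4) * 4, len(buf))  # TCP header length, bounded
    i = 20                                           # options follow the fixed header
    while i < data_offset:
        kind = buf[i]
        if kind == 0:                                # End-of-options list
            break
        if kind == 1:                                # NOP is a single byte
            i += 1
            continue
        if i + 1 >= data_offset or buf[i + 1] < 2:
            break                                    # truncated or malformed option
        if kind == 2 and buf[i + 1] == 4:            # MSS option: kind 2, length 4
            old = struct.unpack_from("!H", buf, i + 2)[0]
            if old > mss_limit:
                struct.pack_into("!H", buf, i + 2, mss_limit)
                old_sum = struct.unpack_from("!H", buf, 16)[0]
                s = (~old_sum & 0xFFFF) + (~old & 0xFFFF) + mss_limit  # RFC 1624: ~HC + ~m + m'
                while s >> 16:
                    s = (s & 0xFFFF) + (s >> 16)
                struct.pack_into("!H", buf, 16, ~s & 0xFFFF)
            return bytes(buf), old
        i += buf[i + 1]
    return bytes(buf), None
```

With a 1492-byte link the clamp value is 1452, the same number PF's "max-mss" is usually given for PPPoE; a host advertising 1460 gets its SYN rewritten and the TCP checksum still verifies afterwards.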
