
Allen Brandt <[EMAIL PROTECTED]> wrote:
>
> I can browse the internet from the masq-client no problemo.
> BUT some websites do not come through.

I think you have correctly determined that this is an MTU issue.

> I tried an MTU value of 1460, 1490, 1492 and just for fun 1500 and
> none of them work.  I can't ping www.morningstar.com (my chosen
> non-reachable website - works with a direct NT4 internet connection
> fine) from the masq-server.

Do you mean to say that you are able to "ping www.morningstar.com" and
get a response when using a direct NT4 connection?  I cannot get a ping
response from them, ever, but I can open web pages from the site.  I
don't think you should depend on "ping" to tell you about your
connectivity to remote internet sites.  Too many sites block ICMP (which
blocks ping).

> I tried editing /etc/ppp/options with different mru and mrt values but
> I always get the same results.  Then, I noticed running /sbin/ifconfig
> that the MTU was staying at 1492 for pppoe anyway.

You will find that 1492 is the maximum MTU size for PPPoE.  You will not
be able to set it larger than that.

> Only running the command "/sbin/ifconfig ppp0 mtu 1500" would change
> the value listed.

You will find that this does not work.  You see, PPPoE incurs a certain
amount of overhead (eight bytes) per packet.  Since the largest ethernet
packet permitted is 1500 bytes, this means the largest PPPoE packet is
eight bytes less than that, or 1492 bytes.

Coming back to the comment about Morningstar blocking ICMP, this causes
them to fail to realize that they cannot send you a full-sized 1500 byte
packet, because they block the ICMP responses that your PPP gateway
sends back to them, telling them the packets are too large.  Not all
sites try to send full-size packets, and not all sites block ICMP, which
is why some web sites work, and others do not.

You can work around this by changing the MTU not of your gateway Linux
box, but the MTU of your ethernet interfaces BEHIND the gateway.  That
is, on your private-net Windows or Linux boxes which use the gateway as
their default route.

But that is not a useful method for many people.

Your best hope is to implement TCPMSS clamping, which causes your
gateway to mangle outgoing connection requests, to inform remote sites
that they should not send packets that are too large.  My research
suggests that the iptables command:

    iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
        --clamp-mss-to-pmtu

will do the trick.  However, I have not yet implemented iptables as my
own firewall solution, so I have not been able to test this.  Perhaps
others on this list can verify the correct command, and where to insert
it in your rc.firewall script.

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)     || "Good judgment comes from experience.
sometimes known as David DeSimone  ||  Experience comes from bad judgment."
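The reply above describes two things a practitioner may want to see concretely: why the PPPoE MTU is 1492 (the 1500-byte Ethernet payload minus eight bytes of PPPoE/PPP framing), and what "MSS clamping" actually does to an outgoing connection request. The following Python script is an added example written for this page, not code from the list or from the iptables project. It builds a constructed TCP SYN header carrying an MSS option, then rewrites the MSS the way the `TCPMSS --clamp-mss-to-pmtu` target does: only on segments with SYN set and RST clear, and only downward, to the path MTU minus 40 bytes of IPv4 and TCP headers. The header-building and parsing helpers, and the function names, are assumptions made here for illustration; the checksum is left at zero because a real gateway recomputes it after the rewrite.

```python
import struct

# PPPoE adds a 6-byte PPPoE header plus a 2-byte PPP protocol field, the
# "eight bytes" of overhead the reply mentions. The largest IP packet that
# fits in a 1500-byte Ethernet payload over PPPoE is therefore 1492 bytes.
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8
PPPOE_MTU = ETHERNET_MTU - PPPOE_OVERHEAD   # 1492

IPV4_HEADER = 20
TCP_HEADER = 20

TCP_FLAG_SYN = 0x02
TCP_FLAG_RST = 0x04
OPT_END, OPT_NOP, OPT_MSS = 0, 1, 2


def mss_for_pmtu(pmtu: int) -> int:
    """Largest TCP payload that fits in one packet of size pmtu (IPv4, no options)."""
    return pmtu - IPV4_HEADER - TCP_HEADER


def build_syn(mss: int, src_port: int = 40000, dst_port: int = 80) -> bytes:
    """Construct a minimal TCP SYN header with an MSS option (sample input, hypothetical values)."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss)    # kind=2, length=4, value
    data_offset = (TCP_HEADER + len(options)) // 4     # header length in 32-bit words
    header = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        1000,              # sequence number (constructed)
        0,                 # acknowledgement number
        data_offset << 4,  # data offset in the high nibble
        TCP_FLAG_SYN,      # flags: SYN only
        65535,             # window
        0,                 # checksum: not computed here, a gateway must recompute it
        0,                 # urgent pointer
    )
    return header + options


def parse_mss(segment: bytes):
    """Walk the TCP option list; return (offset of MSS value, MSS) or None if absent."""
    data_offset = (segment[12] >> 4) * 4
    i = TCP_HEADER
    while i < data_offset:
        kind = segment[i]
        if kind == OPT_END:
            break
        if kind == OPT_NOP:          # single-byte padding option
            i += 1
            continue
        if i + 1 >= data_offset:     # truncated option: stop rather than read past the header
            break
        length = segment[i + 1]
        if length < 2:               # malformed length would loop forever
            break
        if kind == OPT_MSS and length == 4 and i + 4 <= data_offset:
            return i + 2, struct.unpack("!H", segment[i + 2:i + 4])[0]
        i += length
    return None


def clamp_mss(segment: bytes, pmtu: int = PPPOE_MTU) -> bytes:
    """
    Mimic iptables TCPMSS --clamp-mss-to-pmtu: on a segment with SYN set and
    RST clear, lower an advertised MSS that exceeds pmtu-40. Every other
    segment, and any SYN without an MSS option, passes through unchanged.
    """
    flags = segment[13]
    if not (flags & TCP_FLAG_SYN) or (flags & TCP_FLAG_RST):
        return segment
    found = parse_mss(segment)
    if found is None:
        return segment
    pos, mss = found
    limit = mss_for_pmtu(pmtu)
    if mss <= limit:                 # never raise an MSS, only lower it
        return segment
    out = bytearray(segment)
    out[pos:pos + 2] = struct.pack("!H", limit)
    return bytes(out)


if __name__ == "__main__":
    syn = build_syn(1460)            # the MSS a 1500-byte-MTU host advertises
    clamped = clamp_mss(syn, PPPOE_MTU)
    print("before:", parse_mss(syn)[1], "after:", parse_mss(clamped)[1])
```

Because the clamp rides on the SYN, the remote site never has to learn the path MTU via the ICMP "fragmentation needed" messages that a site like the one in the thread discards: it is told up front to send segments no larger than 1452 bytes, which fit the 1492-byte PPPoE link without fragmentation.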
_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]