Hello Fuzzy Fox and List...!

Fuzzy Fox wrote:
> Allen Brandt <[EMAIL PROTECTED]> wrote:
> >
> > I can browse the internet from the masq-client no problemo.
> > BUT some websites do not come through.
>
> I think you have correctly determined that this is an MTU issue.
>
> > I tried an MTU value of 1460, 1490, 1492 and just for fun 1500 and
> > none of them work. I can't ping www.morningstar.com (my chosen
> > non-reachable website - works with a direct NT4 internet connection
> > fine) from the masq-server.
>
> Do you mean to say that you are able to "ping www.morningstar.com" and
> get a response when using a direct NT4 connection? I cannot get a ping
> response from them, ever, but I can open web pages from the site. I
> don't think you should depend on "ping" to tell you about your
> connectivity to remote internet sites. Too many sites block ICMP (which
> blocks ping).

I got it working with a value of 1490. That worked. Thanks for all the
tips everyone. I made some mistakes. I assumed you could ping
www.morningstar.com and I also did not edit the NT registry correctly.
For now www.morningstar.com works - I'll have to wait and see if other
websites do not come through. Read further.

> > I tried editing /etc/ppp/options with different mru and mrt values but
> > I always get the same results. Then, I noticed running /sbin/ifconfig
> > that the MTU was staying at 1492 for pppoe anyway.
>
> You will find that 1492 is the maximum MTU size for PPPoE. You will not
> be able to set it larger than that.
>
> > Only running the command "/sbin/ifconfig ppp0 mtu 1500" would change
> > the value listed.
>
> You will find that this does not work. You see, PPPoE incurs a certain
> amount of overhead (eight bytes) per packet. Since the largest ethernet
> packet permitted is 1500 bytes, this means the largest PPPoE packet is
> eight bytes less than that, or 1492 bytes.
>
> Coming back to the comment about Morningstar blocking ICMP, this causes
> them to fail to realize that they cannot send you a full-sized 1500 byte
> packet, because they block the ICMP responses that your PPP gateway
> sends back to them, telling them the packets are too large. Not all
> sites try to send full-size packets, and not all sites block ICMP, which
> is why some web sites work, and others do not.
>
> You can work around this by changing the MTU not of your gateway Linux
> box, but the MTU of your ethernet interfaces BEHIND the gateway. That
> is, on your private-net Windows or Linux boxes which use the gateway as
> their default route.

Right now the linux box is set at 1490 as well as the NT box. Should I
remove the 1490 on the Linux box and see if it works?

> But that is not a useful method for many people.
>
> Your best hope is to implement TCPMSS clamping, which causes your
> gateway to mangle outgoing connection requests, to inform remote sites
> that they should not send packets that are too large. My research
> suggests that the iptables command:
>
>     iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
>         --clamp-mss-to-pmtu
>
> will do the trick. However, I have not yet implemented iptables as my
> own firewall solution, so I have not been able to test this. Perhaps
> others on this list can verify the correct command, and where to insert
> it in your rc.firewall script.

iptables is not available on my linux box. I think that is for the 2.4
Kernels. I have a 2.2 Kernel.

> --
> [EMAIL PROTECTED] (Fuzzy Fox) || "Good judgment comes from experience.
> sometimes known as David DeSimone || Experience comes from bad judgment."

Thanks for all the useful information and explanations. I understand a
lot better and things are working (for now!)

ciao
Allen Brandt

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/
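
Added example, not part of the original message and not netfilter's own code: a Python model of what the MSS clamp discussed above does to a forwarded SYN, lowering an existing MSS option to the path MTU minus 40 bytes and patching the TCP checksum to match. The names clamp_mss, ones_sum and csum_update, the addresses and the sample SYN are constructed for illustration; IPv4 with 20-byte IP and TCP base headers is assumed.

```python
import struct

IP_TCP_HEADERS = 40  # assumption: IPv4 header (20) + TCP header (20), no options

def ones_sum(data):
    """16-bit one's-complement sum used by the TCP checksum."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def csum_update(check, old_word, new_word):
    """RFC 1624 incremental checksum update for one changed 16-bit word."""
    words = struct.pack("!3H", ~check & 0xFFFF, ~old_word & 0xFFFF, new_word)
    return ~ones_sum(words) & 0xFFFF

def clamp_mss(segment, path_mtu):
    """Lower the MSS option of a SYN so the peer's packets fit path_mtu."""
    seg = bytearray(segment)
    end = (seg[12] >> 4) * 4 if len(seg) >= 20 else 0   # TCP header length
    if len(seg) < max(end, 20) or seg[13] & 0x06 != 0x02:
        return bytes(seg)                 # truncated, or not SYN with RST clear
    limit = path_mtu - IP_TCP_HEADERS
    i = 20
    while i + 1 < end and seg[i] != 0:    # kind 0 = end of option list
        if seg[i] == 1:                   # kind 1 = NOP, a single byte
            i += 1
            continue
        length = seg[i + 1]
        if length < 2 or i + length > end:
            break                         # malformed option: leave packet alone
        if seg[i] == 2 and length == 4:   # kind 2 = MSS
            if struct.unpack_from("!H", seg, i + 2)[0] > limit:
                words = range((i + 2) & ~1, i + 4, 2)   # aligned words that change
                before = [struct.unpack_from("!H", seg, o)[0] for o in words]
                struct.pack_into("!H", seg, i + 2, limit)
                check = struct.unpack_from("!H", seg, 16)[0]
                for o, old in zip(words, before):
                    check = csum_update(check, old, struct.unpack_from("!H", seg, o)[0])
                struct.pack_into("!H", seg, 16, check)
            break
        i += length
    return bytes(seg)

# Constructed sample: SYN from a LAN host advertising MSS 1460 (MTU 1500).
PSEUDO = bytes([192, 168, 1, 10, 203, 0, 113, 5, 0, 6, 0, 24])  # src, dst, proto, len
_syn = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x60, 0x02, 65535, 0, 0) + bytes([2, 4, 0x05, 0xB4])
SYN = _syn[:16] + struct.pack("!H", ~ones_sum(PSEUDO + _syn) & 0xFFFF) + _syn[18:]
print("clamped MSS:", struct.unpack_from("!H", clamp_mss(SYN, 1492), 22)[0])
```

With the 1492-byte PPPoE MTU from the thread the advertised MSS drops from 1460 to 1452, so the remote site never sends a segment that would need the ICMP "too large" message it blocks.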
