Re: ipfw + natd = some sites won't work :-S
Am Dienstag, 10. Mai 2005 00:42 schrieb Frank de Bot: Hi, I got my FreeBSD set up to do nat, but it doesn't work 100%. Sites like Google for instance does work, but many other don't. All other protocols I guess you're using an A-DSL line with PPPoE, right? If so, see tcp-mss fix. PPPoE consumes 8 bytes of your MTU so also the maximum segment sice of TCP sessions is reduced by 8 bytes which doesn't know the machine behind the NAT box. Your NAT box has to alter the mss field in the TCP header because many sites have wrong configured firewalls which simply block all ICMP traffic, so the error from your router must fragment never reaches to originating host. So the sent packaet is too big to go over your line and the Must Fragment bit is ingnored... you'll never receive what you've requested. I'm not familar with IPFW, perhaps NATD can take care of MSS, PF does with max-mss. -Harry seems to be working properly. But why are sites failing to do anything? I got running natd with the verbose option and successfull request of google is indentical to a random other site :S The firewall I use is rather big. the most important piece is: 01200 723652298 divert 8668 ip from any to 82.94.238.70 via fxp0 01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any 01200 0 0 allow ip from any to 10.0.5.0/24 01201 524 85399 allow ip from 82.94.238.70 to any 01201 3 144 allow ip from any to 82.94.238.70 01500 871494 216106437 allow tcp from any to any established /etc/natd.conf is: alias_address %external_ip% verbose It just puzzles me why only some http request would fail and everything works fine! Anyone got any idea? Thanks in advanced, Frank de Bot ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] pgpnMEVBLR44V.pgp Description: PGP signature
RE: ipfw + natd = some sites won't work :-S
Seeing snippet of your firewall rules is not giving us enough info to work on. You have to post complete rule set because of the way rules are processed. Also an explanation of your private network layout and how you connect to the internet is needed. List sites you can not access. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Frank de Bot Sent: Monday, May 09, 2005 6:42 PM To: freebsd-questions@freebsd.org Subject: ipfw + natd = some sites won't work :-S Hi, I got my FreeBSD set up to do nat, but it doesn't work 100%. Sites like Google for instance does work, but many other don't. All other protocols seems to be working properly. But why are sites failing to do anything? I got running natd with the verbose option and successfull request of google is indentical to a random other site :S The firewall I use is rather big. the most important piece is: 01200 723652298 divert 8668 ip from any to 82.94.238.70 via fxp0 01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any 01200 0 0 allow ip from any to 10.0.5.0/24 01201 524 85399 allow ip from 82.94.238.70 to any 01201 3 144 allow ip from any to 82.94.238.70 01500 871494 216106437 allow tcp from any to any established /etc/natd.conf is: alias_address %external_ip% verbose It just puzzles me why only some http request would fail and everything works fine! Anyone got any idea? Thanks in advanced, Frank de Bot ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw + natd = some sites won't work :-S
Emanuel Strobl wrote: Am Dienstag, 10. Mai 2005 00:42 schrieb Frank de Bot: Hi, I got my FreeBSD set up to do nat, but it doesn't work 100%. Sites like Google for instance does work, but many other don't. All other protocols I guess you're using an A-DSL line with PPPoE, right? If so, see tcp-mss fix. PPPoE consumes 8 bytes of your MTU so also the maximum segment sice of TCP sessions is reduced by 8 bytes which doesn't know the machine behind the NAT box. Your NAT box has to alter the mss field in the TCP header because many sites have wrong configured firewalls which simply block all ICMP traffic, so the error from your router must fragment never reaches to originating host. So the sent packaet is too big to go over your line and the Must Fragment bit is ingnored... you'll never receive what you've requested. I'm not familar with IPFW, perhaps NATD can take care of MSS, PF does with max-mss. I'm not using an ADSL with PPPoE. But the configuration used is kinda non-standard. I'll try to explain with a little drawing: = Laptop = IP: 10.0.5.21 (/24) | | = Server 1 = IP: 10.0.5.2 |IP: 10.0.3.1 | | (ipip tunnel) | = Server 2 = IP: 10.0.3.2 |IP %external_ip% | % internet % Server 1 is a Linux box Server 2 is the FreeBSD performing the NAT Tracerouting occures without anyproblem. From the laptop to the internet 10.0.5.2 - 10.0.3.2 - %internet% During testing I've also dumped the whole firewall exept the points written in the starting post. The behaviour stays exactly the same. -Harry seems to be working properly. But why are sites failing to do anything? I got running natd with the verbose option and successfull request of google is indentical to a random other site :S The firewall I use is rather big. the most important piece is: 01200 723652298 divert 8668 ip from any to 82.94.238.70 via fxp0 01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any 01200 0 0 allow ip from any to 10.0.5.0/24 01201 524 85399 allow ip from 82.94.238.70 to any 01201 3 144 allow ip from any to 82.94.238.70 01500 871494 216106437 allow tcp from any to any established /etc/natd.conf is: alias_address %external_ip% verbose It just puzzles me why only some http request would fail and everything works fine! Anyone got any idea? Thanks in advanced, Frank de Bot ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw + natd = some sites won't work :-S
The ipfw rules standing without any other rules and '65535 allow ip from any to any' as last rule give the same behaviour. So it's not a firewall case. The network layout is posted in my reaction to Emanuel. Sites I can't access are: www.tweakers.net www.fok.nl www.yahoo.com www.userfriendly.org www.thinkgeek.com Sites i CAN access: www.google.com www.gmail.com www.fastclick.net fbsd_user wrote: Seeing snippet of your firewall rules is not giving us enough info to work on. You have to post complete rule set because of the way rules are processed. Also an explanation of your private network layout and how you connect to the internet is needed. List sites you can not access. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Frank de Bot Sent: Monday, May 09, 2005 6:42 PM To: freebsd-questions@freebsd.org Subject: ipfw + natd = some sites won't work :-S Hi, I got my FreeBSD set up to do nat, but it doesn't work 100%. Sites like Google for instance does work, but many other don't. All other protocols seems to be working properly. But why are sites failing to do anything? I got running natd with the verbose option and successfull request of google is indentical to a random other site :S The firewall I use is rather big. the most important piece is: 01200 723652298 divert 8668 ip from any to 82.94.238.70 via fxp0 01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any 01200 0 0 allow ip from any to 10.0.5.0/24 01201 524 85399 allow ip from 82.94.238.70 to any 01201 3 144 allow ip from any to 82.94.238.70 01500 871494 216106437 allow tcp from any to any established /etc/natd.conf is: alias_address %external_ip% verbose It just puzzles me why only some http request would fail and everything works fine! Anyone got any idea? Thanks in advanced, Frank de Bot ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw + natd = some sites won't work :-S
Am Dienstag, 10. Mai 2005 01:04 schrieb Frank de Bot: Emanuel Strobl wrote: Am Dienstag, 10. Mai 2005 00:42 schrieb Frank de Bot: Hi, I got my FreeBSD set up to do nat, but it doesn't work 100%. Sites like Google for instance does work, but many other don't. All other protocols I guess you're using an A-DSL line with PPPoE, right? If so, see tcp-mss fix. PPPoE consumes 8 bytes of your MTU so also the maximum segment sice of TCP sessions is reduced by 8 bytes which doesn't know the machine behind the NAT box. Your NAT box has to alter the mss field in the TCP header because many sites have wrong configured firewalls which simply block all ICMP traffic, so the error from your router must fragment never reaches to originating host. So the sent packaet is too big to go over your line and the Must Fragment bit is ingnored... you'll never receive what you've requested. I'm not familar with IPFW, perhaps NATD can take care of MSS, PF does with max-mss. I'm not using an ADSL with PPPoE. But the configuration used is kinda non-standard. I'll try to explain with a little drawing: = Laptop = IP: 10.0.5.21 (/24) = Server 1 = IP: 10.0.5.2 |IP: 10.0.3.1 | | (ipip tunnel) = Server 2 = IP: 10.0.3.2 |IP %external_ip% % internet % Server 1 is a Linux box Server 2 is the FreeBSD performing the NAT Tracerouting occures without anyproblem. From the laptop to the internet 10.0.5.2 - 10.0.3.2 - %internet% The problem is the same: IP-IP tunneling reduces TCPs mss which the linux box doesn't fix. ICMP will work of course, TCP with full payload won't. I don't knwo how/why you tunnle IP into IP on that linux box, but that's the point where you have to dig. Good luck, -Harry During testing I've also dumped the whole firewall exept the points written in the starting post. The behaviour stays exactly the same. -Harry seems to be working properly. But why are sites failing to do anything? I got running natd with the verbose option and successfull request of google is indentical to a random other site :S The firewall I use is rather big. the most important piece is: 01200 723652298 divert 8668 ip from any to 82.94.238.70 via fxp0 01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any 01200 0 0 allow ip from any to 10.0.5.0/24 01201 524 85399 allow ip from 82.94.238.70 to any 01201 3 144 allow ip from any to 82.94.238.70 01500 871494 216106437 allow tcp from any to any established /etc/natd.conf is: alias_address %external_ip% verbose It just puzzles me why only some http request would fail and everything works fine! Anyone got any idea? Thanks in advanced, Frank de Bot ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] pgprDecoTwkHs.pgp Description: PGP signature
Re: ipfw + natd = some sites won't work :-S
Emanuel Strobl wrote: The problem is the same: IP-IP tunneling reduces TCPs mss which the linux box doesn't fix. ICMP will work of course, TCP with full payload won't. I don't knwo how/why you tunnle IP into IP on that linux box, but that's the point where you have to dig. Good luck, -Harry Which tunnel forms don't experience the reducing of mss? I've chosen for a ipip tunnel because it was a tunnen solutions which seemed to be the most simple. Once I got that working I was planning to change it to VPN or IPSec tunnel. I got my reason for having that tunnel between the boxes (Server 2 is a server far apart from Server 1) Frank ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw + natd = some sites won't work :-S
Am Dienstag, 10. Mai 2005 01:19 schrieb Frank de Bot: Emanuel Strobl wrote: The problem is the same: IP-IP tunneling reduces TCPs mss which the linux box doesn't fix. ICMP will work of course, TCP with full payload won't. I don't knwo how/why you tunnle IP into IP on that linux box, but that's the point where you have to dig. Good luck, -Harry Which tunnel forms don't experience the reducing of mss? I've chosen for Hm, I don't have that handy in my mind right now. I had to look for some RFCs but it's quiet late here in germany, if I knew it by rote I'd tell you. I have similar configurations with IPSec without that problem (IPSec (ESP) is another protocol parallel to IP, not a IP in IP tunnel) -Harry a ipip tunnel because it was a tunnen solutions which seemed to be the most simple. Once I got that working I was planning to change it to VPN or IPSec tunnel. I got my reason for having that tunnel between the boxes (Server 2 is a server far apart from Server 1) Frank ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] pgp4O5PuF7BMx.pgp Description: PGP signature