On 04/30/2012 09:58 PM, Lito Kusnadi wrote:
> I managed to get a multi-ISP firewall running with 4 zones:
> - net (internet)
> - loc
> - dmz
> - road (openvpn rwarrior)
>
> Browsing from loc to the internet, vpn to dmz, and vpn to loc are working fine with reasonable response. However, loc to dmz traffic is having issues.
>
> I found that browsing from a workstation in the LAN (loc) zone to a web server hosted in the DMZ zone takes a very long time.
>
> I did packet analysis using Wireshark. I found that the data traffic from the web server is being fragmented and eventually experiences out-of-order fragmented packets. This results in slow speed, and the data from the web server eventually is not delivered completely to the browser (e.g. only partial data).
>
> Wireshark reports "TCP segment of a reassembled PDU" many times until the "out-of-order segment" trace.
>
> Googling around about fragmentation, the first thing to look at is MTU. However, when I move a LAN workstation to the dmz zone, by just changing the IP address to suit the dmz subnet (not touching the MTU setup), I have no problem browsing the web server. So that eliminates MTU as the cause.
Well, there is certainly nothing in a Shorewall configuration that can *cause* fragmentation. What are the MTU settings on the web server and on the LAN workstation? If either is > 1500, you can set CLAMPMSS=Yes in shorewall.conf and see if that helps.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
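As an added illustration of the check Tom asks for (this is not code from the thread or from the Shorewall project), the POSIX shell script below reads the MTU of the interfaces named on its command line from Linux sysfs, computes the largest IPv4 TCP MSS that fits in each MTU, applies Tom's "either side above 1500" rule, and reports the effective CLAMPMSS value found in a shorewall.conf. The sysfs path `/sys/class/net/<if>/mtu` is standard on Linux; the function names, the default of `No` when CLAMPMSS is unset, and the 40-byte header assumption (20-byte IPv4 header plus 20-byte TCP header, no options) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall.
# Usage on a Linux host:  sh mtu_check.sh /etc/shorewall/shorewall.conf eth0 eth1

# MTU of a Linux network interface, read from sysfs (prints nothing if absent).
iface_mtu() {
    if [ -r "/sys/class/net/$1/mtu" ]; then
        cat "/sys/class/net/$1/mtu"
    fi
}

# Largest TCP MSS that fits in one IPv4 packet of the given MTU:
# MTU minus a 20-byte IPv4 header minus a 20-byte TCP header (assumed no options).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Tom's rule of thumb: clamping is worth trying when either endpoint's MTU
# exceeds the 1500 bytes of standard Ethernet. Returns 0 (true) when it does.
needs_clamp() {
    [ "$1" -gt 1500 ] || [ "$2" -gt 1500 ]
}

# Effective CLAMPMSS value in a shorewall.conf: last uncommented assignment wins,
# surrounding quotes stripped; "No" is assumed as the default when unset.
clampmss_value() {
    val=$(sed -n 's/^[[:space:]]*CLAMPMSS=//p' "$1" | tail -n 1 | tr -d '"')
    echo "${val:-No}"
}

# Report: first argument is the shorewall.conf path, the rest are interfaces.
if [ "$#" -ge 1 ]; then
    conf=$1
    shift
    echo "CLAMPMSS in $conf: $(clampmss_value "$conf")"
    for ifname in "$@"; do
        mtu=$(iface_mtu "$ifname")
        [ -n "$mtu" ] || { echo "$ifname: no MTU found"; continue; }
        echo "$ifname: MTU $mtu, max IPv4 TCP MSS $(mss_for_mtu "$mtu")"
        if needs_clamp "$mtu" 1500; then
            echo "$ifname: MTU above 1500, CLAMPMSS=Yes is worth a try"
        fi
    done
fi
```

Run it against the firewall's shorewall.conf and its loc- and dmz-facing interfaces; if any MTU is above 1500 and the report shows CLAMPMSS=No, that is the setting Tom suggests changing before looking further.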
