On Mon, Mar 7, 2016 at 3:02 PM, Simon Hobson <li...@thehobsons.co.uk> wrote:
> but it's a well-known problem in that PPPoE needs to add an additional (8 
> octet) header to the packet, so if the packet is already larger than MSS-8 
> octets long then you'll be over size.
> I think it's normal to specify an MTU of 1492 for the PPP interface, and also 
> specify (from memory, you'll need to check the docs) clamp_mss, which will set 
> a config which has the netfilter code alter any MSS values.

I've had PPPoE going for years, and also multi-ISP with a 2nd
interface that has a 1500 MTU.  The problem started when trying to
configure the cablemodem interface for inbound HTTP/HTTPS traffic with
DNAT.

Specifically, DNAT is sending alternating MSS sizes of 1460/1452 to
its target DMZ interface:

------------
 19   8.415806 78.225.169.33 -> 81.63.145.197 TCP 66 1118 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=2 SACK_PERM=1
 20   8.415820 81.63.145.197 -> 78.225.169.33 TCP 66 80 → 1118 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
 21   8.416322 78.225.169.33 -> 81.63.145.197 TCP 66 1119 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1452 WS=2 SACK_PERM=1
 22   8.416340 81.63.145.197 -> 78.225.169.33 TCP 66 80 → 1119 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
 42   8.662606 78.225.169.33 -> 81.63.145.197 TCP 66 1123 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=2 SACK_PERM=1
 43   8.662615 81.63.145.197 -> 78.225.169.33 TCP 66 80 → 1123 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
 62   8.720045 78.225.169.33 -> 81.63.145.197 TCP 66 1126 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1452 WS=2 SACK_PERM=1
 63   8.720053 81.63.145.197 -> 78.225.169.33 TCP 66 80 → 1126 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
 64   8.724314 78.225.169.33 -> 81.63.145.197 TCP 66 1127 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=2 SACK_PERM=1
 65   8.724320 81.63.145.197 -> 78.225.169.33 TCP 66 80 → 1127 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
 66   8.736798 78.225.169.33 -> 81.63.145.197 TCP 66 1129 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1452 WS=2 SACK_PERM=1
 67   8.736805 81.63.145.197 -> 78.225.169.33 TCP 66 80 → 1129 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
------------

Comparing the traffic at the firewall and at the DMZ webserver, I see:

--------webserver------------
 19   8.415806 78.225.169.33 -> 81.63.145.197 TCP 66 1118 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=2 SACK_PERM=1
 20   8.415820 81.63.145.197 -> 78.225.169.33 TCP 66 80 → 1118 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
 21   8.416322 78.225.169.33 -> 81.63.145.197 TCP 66 1119 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1452 WS=2 SACK_PERM=1
 22   8.416340 81.63.145.197 -> 78.225.169.33 TCP 66 80 → 1119 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
 23   8.457060 78.225.169.33 -> 81.63.145.197 TCP 54 1118 → 80 [ACK] Seq=1 Ack=1 Win=65536 Len=0
 24   8.461834 78.225.169.33 -> 81.63.145.197 HTTP 453 GET / HTTP/1.1
 25   8.461861 81.63.145.197 -> 78.225.169.33 TCP 54 80 → 1118 [ACK] Seq=1 Ack=400 Win=30336 Len=0
 26   8.462251 78.225.169.33 -> 81.63.145.197 TCP 54 1119 → 80 [ACK] Seq=1 Ack=1 Win=65536 Len=0
 29   8.469759 81.63.145.197 -> 78.225.169.33 HTTP 2974 HTTP/1.1 200 OK  (text/html)
 30   8.469772 81.63.145.197 -> 78.225.169.33 TCP 2974 80 → 1118 [ACK] Seq=2921 Ack=400 Win=30336 Len=2920
 31   8.469908 81.63.145.197 -> 78.225.169.33 TCP 2777 80 → 1118 [PSH, ACK] Seq=5841 Ack=400 Win=30336 Len=2723
 32   8.517495 78.225.169.33 -> 81.63.145.197 TCP 54 1118 → 80 [ACK] Seq=400 Ack=2921 Win=65536 Len=0
 33   8.519271 78.225.169.33 -> 81.63.145.197 TCP 54 1118 → 80 [ACK] Seq=400 Ack=5841 Win=65536 Len=0
 34   8.521031 78.225.169.33 -> 81.63.145.197 TCP 54 1118 → 80 [ACK] Seq=400 Ack=7301 Win=65536 Len=0
 35   8.631519 78.225.169.33 -> 81.63.145.197 HTTP 487 GET /wp-content/plugins/crayon-syntax-highlighter/css/min/crayon.min.css?ver=_2.7.2_beta HTTP/1.1
 36   8.632931 81.63.145.197 -> 78.225.169.33 HTTP 2974 HTTP/1.1 200 OK  (text/css)
 37   8.633081 81.63.145.197 -> 78.225.169.33 TCP 1510 80 → 1118 [PSH, ACK] Seq=11484 Ack=833 Win=31360 Len=1456
 38   8.641895 78.225.169.33 -> 81.63.145.197 HTTP 479 GET /wp-content/plugins/bbpress/templates/default/css/bbpress.css?ver=2.5.8-5815 HTTP/1.1
-----------

------firewall---------
 95   9.139742 78.225.169.33 -> 5.145.19.28  TCP 66 1118 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=2 SACK_PERM=1
 96   9.139973  5.145.19.28 -> 78.225.169.33 TCP 66 80 → 1118 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
 97   9.140249 78.225.169.33 -> 5.145.19.28  TCP 66 1119 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=2 SACK_PERM=1
 98   9.140454  5.145.19.28 -> 78.225.169.33 TCP 66 80 → 1119 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
 99   9.180996 78.225.169.33 -> 5.145.19.28  TCP 60 1118 → 80 [ACK] Seq=1 Ack=1 Win=65536 Len=0
100   9.185742 78.225.169.33 -> 5.145.19.28  HTTP 453 GET / HTTP/1.1
101   9.186032  5.145.19.28 -> 78.225.169.33 TCP 54 80 → 1118 [ACK] Seq=1 Ack=400 Win=30336 Len=0
102   9.186194 78.225.169.33 -> 5.145.19.28  TCP 60 1119 → 80 [ACK] Seq=1 Ack=1 Win=65536 Len=0
103   9.193957  5.145.19.28 -> 78.225.169.33 HTTP 1514 HTTP/1.1 200 OK  (text/html)
104   9.193966  5.145.19.28 -> 78.225.169.33 TCP 1514 80 → 1118 [ACK] Seq=1461 Ack=400 Win=30336 Len=1460
105   9.193976  5.145.19.28 -> 78.225.169.33 TCP 1514 80 → 1118 [ACK] Seq=2921 Ack=400 Win=30336 Len=1460
106   9.193978  5.145.19.28 -> 78.225.169.33 TCP 1514 80 → 1118 [ACK] Seq=4381 Ack=400 Win=30336 Len=1460
107   9.194002  5.145.19.28 -> 78.225.169.33 TCP 1514 80 → 1118 [ACK] Seq=5841 Ack=400 Win=30336 Len=1460
108   9.194004  5.145.19.28 -> 78.225.169.33 TCP 1317 80 → 1118 [PSH, ACK] Seq=7301 Ack=400 Win=30336 Len=1263
109   9.241428 78.225.169.33 -> 5.145.19.28  TCP 60 1118 → 80 [ACK] Seq=400 Ack=2921 Win=65536 Len=0
110   9.243208 78.225.169.33 -> 5.145.19.28  TCP 60 1118 → 80 [ACK] Seq=400 Ack=5841 Win=65536 Len=0
111   9.244951 78.225.169.33 -> 5.145.19.28  TCP 60 1118 → 80 [ACK] Seq=400 Ack=7301 Win=65536 Len=0
112   9.355393 78.225.169.33 -> 5.145.19.28  HTTP 487 GET /wp-content/plugins/crayon-syntax-highlighter/css/min/crayon.min.css?ver=_2.7.2_beta HTTP/1.1
113   9.357113  5.145.19.28 -> 78.225.169.33 HTTP 1514 HTTP/1.1 200 OK  (text/css)
114   9.357119  5.145.19.28 -> 78.225.169.33 TCP 1514 80 → 1118 [ACK] Seq=10024 Ack=833 Win=31360 Len=1460
115   9.357224  5.145.19.28 -> 78.225.169.33 TCP 1510 80 → 1118 [PSH, ACK] Seq=11484 Ack=833 Win=31360 Len=1456
116   9.365831 78.225.169.33 -> 5.145.19.28  HTTP 479 GET /wp-content/plugins/bbpress/templates/default/css/bbpress.css?ver=2.5.8-5815 HTTP/1.1
-----------

I don't understand what is going on with MSS and the packet lengths on
the DMZ interface.

Thanks
jCandlish
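Editor's note, added to this archived thread and not part of the original post or of Shorewall: two things in the captures above can be checked mechanically. First, the MSS a SYN should carry is MTU minus 40 bytes of IPv4+TCP headers, so 1500 gives 1460 and the 1492 PPPoE interface gives 1452; any SYN or SYN-ACK that crosses the PPPoE path with MSS=1460 is what the netfilter TCPMSS target (`-j TCPMSS --clamp-mss-to-pmtu` or `--set-mss 1452`) exists to rewrite. Second, the 2974- and 2777-byte frames seen on the webserver are exactly 54 bytes of Ethernet+IP+TCP headers plus the payload of two of the 1460-byte segments the firewall forwarded (2920 = 2 x 1460, 2723 = 1460 + 1263). Frames longer than 1514 bytes cannot have been on a 1500-MTU wire, so a host capture that shows them is the usual signature of the receiving NIC/driver coalescing segments (GRO/LRO) before libpcap sees them; `ethtool -k <if>` shows whether generic-receive-offload is on, and `ethtool -K <if> gro off` turns it off while diagnosing. The script below is an illustrative example written for this note: it parses tshark one-line summaries (the post's frames, rejoined onto single lines and embedded as a constructed sample), reports SYNs whose MSS exceeds the clamp for a given path MTU, and reports frames that exceed the link MTU. Interface names and MTU values are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: frames copied from the post's two captures, one per line
# as tshark prints them (the mailing-list archive wrapped them).
WEBSERVER_CAPTURE = """\
 19   8.415806 81.63.145.197 <- placeholder
"""
WEBSERVER_CAPTURE = """\
 19   8.415806 78.225.169.33 -> 81.63.145.197 TCP 66 1118 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=2 SACK_PERM=1
 20   8.415820 81.63.145.197 -> 78.225.169.33 TCP 66 80 → 1118 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
 21   8.416322 78.225.169.33 -> 81.63.145.197 TCP 66 1119 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1452 WS=2 SACK_PERM=1
 29   8.469759 81.63.145.197 -> 78.225.169.33 HTTP 2974 HTTP/1.1 200 OK  (text/html)
 30   8.469772 81.63.145.197 -> 78.225.169.33 TCP 2974 80 → 1118 [ACK] Seq=2921 Ack=400 Win=30336 Len=2920
 31   8.469908 81.63.145.197 -> 78.225.169.33 TCP 2777 80 → 1118 [PSH, ACK] Seq=5841 Ack=400 Win=30336 Len=2723
"""
FIREWALL_CAPTURE = """\
 95   9.139742 78.225.169.33 -> 5.145.19.28  TCP 66 1118 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=2 SACK_PERM=1
 97   9.140249 78.225.169.33 -> 5.145.19.28  TCP 66 1119 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=2 SACK_PERM=1
104   9.193966  5.145.19.28 -> 78.225.169.33 TCP 1514 80 → 1118 [ACK] Seq=1461 Ack=400 Win=30336 Len=1460
108   9.194004  5.145.19.28 -> 78.225.169.33 TCP 1317 80 → 1118 [PSH, ACK] Seq=7301 Ack=400 Win=30336 Len=1263
"""

LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<proto>TCP|HTTP)\s+(?P<length>\d+)\s+(?P<rest>.*)$")
PORTS_RE = re.compile(r"(?P<sport>\d+) → (?P<dport>\d+) \[(?P<flags>[^\]]+)\]")
MSS_RE = re.compile(r"\bMSS=(\d+)")
LEN_RE = re.compile(r"\bLen=(\d+)")

IPV4_TCP_HEADERS = 20 + 20   # minimum IPv4 + TCP header, no options
ETHERNET_HEADER = 14


@dataclass
class Frame:
    frame: int
    src: str
    dst: str
    proto: str
    length: int              # captured frame length in bytes, incl. Ethernet header
    flags: Optional[str]     # e.g. "SYN", "SYN, ACK"; None for HTTP summary lines
    mss: Optional[int]       # MSS option, present only on SYN / SYN-ACK
    payload: Optional[int]   # TCP payload length (tshark "Len=")


def parse_summary(text: str) -> List[Frame]:
    """Parse tshark one-line summaries; lines that do not match are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        ports, mss, ln = PORTS_RE.search(rest), MSS_RE.search(rest), LEN_RE.search(rest)
        frames.append(Frame(
            frame=int(m.group("frame")), src=m.group("src"), dst=m.group("dst"),
            proto=m.group("proto"), length=int(m.group("length")),
            flags=ports.group("flags") if ports else None,
            mss=int(mss.group(1)) if mss else None,
            payload=int(ln.group(1)) if ln else None))
    return frames


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits one IPv4 packet of this MTU without options."""
    return mtu - IPV4_TCP_HEADERS


def syns_exceeding_clamp(frames: List[Frame], path_mtu: int) -> List[Tuple[int, int, int]]:
    """(frame, advertised MSS, clamp) for SYN/SYN-ACKs whose MSS the path cannot carry."""
    clamp = mss_for_mtu(path_mtu)
    return [(f.frame, f.mss, clamp) for f in frames
            if f.mss is not None and f.flags and "SYN" in f.flags and f.mss > clamp]


def oversized_frames(frames: List[Frame], link_mtu: int = 1500) -> List[Frame]:
    """Frames longer than the link can carry: never on the wire, so they indicate
    receive-side coalescing (GRO/LRO) on the capturing host."""
    return [f for f in frames if f.length > link_mtu + ETHERNET_HEADER]


def split_coalesced_payload(payload: int, mss: int) -> List[int]:
    """Wire segments a coalesced payload is consistent with: full-MSS segments plus remainder."""
    full, rem = divmod(payload, mss)
    return [mss] * full + ([rem] if rem else [])


if __name__ == "__main__":
    for name, text in (("webserver", WEBSERVER_CAPTURE), ("firewall", FIREWALL_CAPTURE)):
        frames = parse_summary(text)
        print(name, "SYNs above 1492-byte PPPoE clamp:", syns_exceeding_clamp(frames, 1492))
        for f in oversized_frames(frames):
            print(name, "frame", f.frame, "len", f.length, "=",
                  split_coalesced_payload(f.payload or f.length - 54, 1460), "+ 54 hdr")
```

Run it as-is to see the two SYNs with MSS=1460 flagged against the 1492 clamp and frames 29 to 31 decomposed into the 1460-byte segments the firewall capture shows; to use it on a live box, feed it `tshark -i eth1 -f 'tcp port 80'` output instead of the embedded sample.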

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users