On Wed, Jan 30, 2002 at 05:44:48PM +0100, Stephane Bortzmeyer <[EMAIL PROTECTED]> wrote a message of 27 lines which said:
> I have a Debian router which connects to an ADSL/PPPoE line (therefore
> with a PPP interface and an MTU of 1492).
>
> Behind it are Linux machines, MS-Windows boxes and MacOS toys, all
> NATed (I have only one IP address) by Netfilter/iptables (router

OK, the best solution, by far, because it needs a change only on the
router, is to use "MSS clamping", an option of recent pppoe (not in
potato) which modifies on the fly the MSS parameter of TCP connections
(other IP packets are unaffected but fragmentation should handle it, see
below). So, I changed my /etc/ppp/peers/provider to have:

pty "pppoe -I eth1 -T 80 -m 1412"

Now, everyone is happy, without needing extra software.

Now, the theory. If I don't change the MTU of "client" machines,
fragmentation will occur and everything will work (see later for
TCP-specific problems and do not forget also that some stupid firewalls
may break fragmentation if they stop some ICMP packets), albeit with
slower performance (so you may want to change the MTU to speed up UDP
or other non-TCP applications).

spoutnik:/# traceroute www.gitoyen.net 1500
traceroute to www.gitoyen.net (80.67.160.2), 30 hops max, 1500 byte packets
 1  elsa.netaktiv.com (172.21.0.1)  2.937 ms  2.533 ms  3.839 ms
 2  loopback1-lns201-tip-telehouse.nerim.net (62.4.16.251)  141.470 ms  141.409 ms  145.209 ms
...
If I forbid fragmentation, it will no longer work:

spoutnik:# traceroute -F www.gitoyen.net 1500
traceroute to www.gitoyen.net (80.67.160.2), 30 hops max, 1500 byte packets
 1  elsa.netaktiv.com (172.21.0.1)  2.883 ms  4.812 ms  2.467 ms
 2  elsa.netaktiv.com (172.21.0.1)  2.487 ms !F-1492  2.525 ms !F-1492  2.461 ms !F-1492

If I change the MTU, I will no longer emit such packets and performance
will be better (provided the application chooses its packet size wisely):

spoutnik:# ifconfig eth0 mtu 1492
spoutnik:# traceroute www.gitoyen.net 1500
traceroute to www.gitoyen.net (80.67.160.2), 30 hops max, 1500 byte packets
traceroute: sendto: Message too long
 1 traceroute: wrote www.gitoyen.net 1500 chars, ret=-1

Now, for TCP. Many TCP programs/stacks will set DF (Don't Fragment) and
will rely on the ICMP packet (which tells the maximum size, see the 1492
in the above message) to fix the size of segments (warning: some
firewalls may stupidly stop these packets). But they may announce a wrong
MSS (maximum segment size). Either you fix every application/TCP stack or
you use "MSS clamping" (the -m option of pppoe) which will hack it on the
fly and allow TCP applications to send only small enough packets.

Thanks a lot for the explanations and for the help on my problem.
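The MSS clamping the message describes, as an added example that is not code from the post or from pppoe: it walks the TCP options of an IPv4 SYN, lowers an oversized MSS so a full segment fits the link MTU, and repairs the TCP checksum. pppoe -m takes the MSS value itself (1412 in the post); here it is derived as MTU - 40 (IP + TCP headers), and the SYN, its LAN source address and port numbers are constructed for the demonstration.

```python
import struct

def csum(data) -> int:
    # One's-complement checksum shared by IPv4 and TCP.
    data = bytes(data) + b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_csum(pkt) -> int:
    # Correct TCP checksum for pkt: IPv4 pseudo-header + segment with its checksum field zeroed.
    ihl = (pkt[0] & 0x0F) * 4
    seg = bytes(pkt[ihl:ihl + 16]) + b"\x00\x00" + bytes(pkt[ihl + 18:])
    return csum(bytes(pkt[12:20]) + struct.pack("!BBH", 0, 6, len(seg)) + seg)

def tcp_checksum_ok(pkt: bytes) -> bool:
    return struct.unpack_from("!H", pkt, (pkt[0] & 0x0F) * 4 + 16)[0] == tcp_csum(pkt)

def find_mss(pkt):
    # Walk the TCP options; return (offset, value) of the MSS option, or None if absent.
    ihl = (pkt[0] & 0x0F) * 4
    i, end = ihl + 20, ihl + (pkt[ihl + 12] >> 4) * 4
    while i < end and pkt[i] != 0:             # kind 0 ends the option list
        if pkt[i] == 1:                        # NOP, one byte long
            i += 1
        elif pkt[i] == 2 and pkt[i + 1] == 4:  # MSS option: kind 2, length 4
            return i + 2, struct.unpack_from("!H", pkt, i + 2)[0]
        else:
            i += pkt[i + 1]
    return None

def clamp_mss(pkt: bytes, link_mtu: int) -> bytes:
    # What pppoe -m does: cap the MSS at MTU - 40 (IP + TCP headers), then fix the TCP checksum.
    out, hit, limit = bytearray(pkt), find_mss(pkt), link_mtu - 40
    if hit and hit[1] > limit:
        struct.pack_into("!H", out, hit[0], limit)
        struct.pack_into("!H", out, (out[0] & 0x0F) * 4 + 16, tcp_csum(out))
    return bytes(out)

def build_syn(mss: int) -> bytes:
    # Constructed SYN with DF set, from a made-up LAN host 192.168.1.10 to 80.67.160.2.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([80, 67, 160, 2]))
    pkt = bytearray(ip + tcp)
    struct.pack_into("!H", pkt, 10, csum(ip))       # IP header checksum
    struct.pack_into("!H", pkt, 36, tcp_csum(pkt))  # TCP checksum
    return bytes(pkt)
```

A SYN carrying the usual Ethernet MSS of 1460 comes out of clamp_mss(pkt, 1492) advertising 1452, while a SYN that already fits the link is returned unchanged.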