Mihai Tanasescu wrote:
Artyom Viklenko wrote:
If you use PF, try to add rule
scrub in all fragment reassemble no-df
And VERY carefully check your ruleset. Maybe you block icmp in some
place and PMTU doesn't work.
As a last resort you can add
max-mss <some-size> to scrub rule. <some-size> may be some value in
range of 1300-1460.
Sometimes it helps.
Tried playing with the pf options.
I have removed from mpd the iface mtu option and now I only have set
iface mtu 1460.
Still when trying to access www.msn.com (and similar sites) I see with
tcpdump:
From my systems www.msn.com resolves in 65.54.152.126.
When I connect from my book to my freebsd router with pptp - I see mtu 1396
bytes
on ng interface:
ng5: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1396
inet 192.168.35.254 --> 192.168.35.1 netmask 0xffffffff
I connect to Internet via ADSL/PPPoE which runs to same freebsd router with mpd.
MTU is 1496. In pf I have
scrub in all fragment reassemble no-df max-mss 1452
so, mss is not affected by max-mss when tcp connection establishes from notebook.
But www.msn.com sends packets with mss = 1356 bytes which corresponds with ng
interface mtu of 1396.
router runs freebsd 5.5 with mpd 3.18 - yes, have plans to upgrade :)
in mpd.conf my pptp server configured with
pptp_std:
	set bundle enable compression
	set bundle disable multilink
	set bundle enable noretry
	set bundle max-logins 0
	set bundle enable radius-auth
	set bundle enable radius-acct
	set iface disable on-demand
	set iface disable proxy-arp
	set iface idle 1800
	set iface enable tcpmssfix
	set iface mtu 1460
	set iface enable radius-idle radius-session radius-route
	set link yes acfcomp protocomp
	set link yes pap
	set link enable chap-md5 chap-msv1 chap-msv2 chap
	set link mtu 1460
	set link mru 1460
	set link keep-alive 10 60
	set link max-redial -1
	set ipcp yes vjcomp
	set ipcp dns 192.168.32.253 192.168.32.254
	set ipcp nbns 192.168.32.253
	set ipcp ranges 192.168.35.254/32 192.168.35.1/28
	set ipcp enable radius-ip
	set ccp yes mppc
	set ccp yes mpp-e40
	set ccp yes mpp-e56
	set ccp yes mpp-e128
	set ccp yes mpp-stateless
	set pptp enable incoming
	set pptp disable originate
	set pptp disable windowing
	set pptp disable delayed-ack
	set radius retries 3
	set radius timeout 3
	set radius server 192.168.32.253 XXXXXXXXXXXXXXX 1812 1813
	set radius me 192.168.32.254
	set radius acct-update 300
All works fine. :)
After lowering the MSS from pf the communication started like this:
11:25:02.980179 IP (tos 0x0, ttl 127, id 31152, offset 0, flags [DF],
proto: TCP (6), length: 48) 86.105.56.134.65390 > 207.68.183.32.80: S,
cksum 0x977a (correct), 942644994:942644994(0) win 65535 <mss
1300,nop,nop,sackOK>
(the outgoing mss got lowered to 1300)
86.105.56.134 = my test IP address on which I'm NAT-ing packets from ng0
with pf
11:25:03.190826 IP (tos 0x0, ttl 63, id 40014, offset 0, flags [none],
proto: TCP (6), length: 44) 207.68.183.32.80 > 86.105.56.134.65390: S,
cksum 0x5fb4 (correct), 3691466834:3691466834(0) ack 942644995 win 8190
<mss 1400>
11:25:03.191677 IP (tos 0x0, ttl 127, id 31155, offset 0, flags [DF],
proto: TCP (6), length: 40) 86.105.56.134.65390 > 207.68.183.32.80: .,
cksum 0x9733 (correct), 1:1(0) ack 1 win 65535
11:25:03.192210 IP (tos 0x0, ttl 127, id 31157, offset 0, flags [DF],
proto: TCP (6), length: 804) 86.105.56.134.65390 > 207.68.183.32.80: P
1:765(764) ack 1 win 65535
11:25:03.422363 IP (tos 0x0, ttl 63, id 40290, offset 0, flags [DF],
proto: TCP (6), length: 1440) 207.68.183.32.80 > 86.105.56.134.65390: P
1:1401(1400) ack 765 win 8190
11:25:03.422417 IP (tos 0x0, ttl 64, id 58490, offset 0, flags [DF],
proto: ICMP (1), length: 56) 86.105.56.134 > 207.68.183.32: ICMP
86.105.56.134 unreachable - need to frag (mtu 1396), length 36
IP (tos 0x0, ttl 63, id 40290, offset 0, flags [DF], proto: TCP
(6), length: 1440) 207.68.183.32.80 > 86.105.56.134.65390: [|tcp]
This is the ng0 established MTU:
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1396
inet 192.168.1.129 --> 192.168.1.130 netmask 0xffffffff
I have upgraded MPD to 4.2
pkg_info | grep mpd
mpd-4.2.2 Multi-link PPP daemon based on netgraph(4)
I have disabled windowing:
set pptp disable windowing
I have enabled the multilink for a test:
set bundle enable multilink
The Ethernet interface (rl0 - 86.105.56.134) that is used both as the
endpoint for tunnel connections and for NAT for anything not destined to
the local net:
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
Also I'm upgrading the system today from 6.1 to 6.2.
I tried transferring data inside my net without going through the pf NAT
but unfortunately I'm not seeing any problem here that could help me
replicate the icmp unreachable need frag mtu 1396 problem.
Have you got any more ideas on what I should try ?
--
Sincerely yours,
Artyom Viklenko.
-------------------------------------------------------
[EMAIL PROTECTED] | http://www.aws-net.org.ua/~artem
FreeBSD: The Power to Serve - http://www.freebsd.org
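
A diagnostic for the tcpdump trace in this thread, added here as an example (not code from either poster, mpd or pf): it records the MSS each side advertised in its SYN, then reports data segments larger than the receiver's advertised MSS and any ICMP need-to-frag reply together with the MSS that would fit that MTU. The name `analyse` and the finding labels are assumptions; the sample is four packets from the trace above with the mail line wrapping undone.

```python
import re

# Four packets from the trace above, with the mail client's line wrapping undone.
TRACE = """\
11:25:02.980179 IP (tos 0x0, ttl 127, id 31152, offset 0, flags [DF], proto: TCP (6), length: 48) 86.105.56.134.65390 > 207.68.183.32.80: S, cksum 0x977a (correct), 942644994:942644994(0) win 65535 <mss 1300,nop,nop,sackOK>
11:25:03.190826 IP (tos 0x0, ttl 63, id 40014, offset 0, flags [none], proto: TCP (6), length: 44) 207.68.183.32.80 > 86.105.56.134.65390: S, cksum 0x5fb4 (correct), 3691466834:3691466834(0) ack 942644995 win 8190 <mss 1400>
11:25:03.422363 IP (tos 0x0, ttl 63, id 40290, offset 0, flags [DF], proto: TCP (6), length: 1440) 207.68.183.32.80 > 86.105.56.134.65390: P 1:1401(1400) ack 765 win 8190
11:25:03.422417 IP (tos 0x0, ttl 64, id 58490, offset 0, flags [DF], proto: ICMP (1), length: 56) 86.105.56.134 > 207.68.183.32: ICMP 86.105.56.134 unreachable - need to frag (mtu 1396), length 36
"""

# Patterns match the verbose (-v) tcpdump layout used in this trace.
TCP = re.compile(r"proto: TCP \(6\), length: \d+\) "
                 r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)")
ICMP = re.compile(r"proto: ICMP .*? (?P<src>\S+) > \S+: ICMP .*"
                  r"need to frag \(mtu (?P<mtu>\d+)\)")


def analyse(trace):  # hypothetical helper name
    """Return findings: oversized segments and ICMP need-to-frag replies."""
    advertised = {}  # "ip.port" -> MSS that endpoint announced in its SYN
    findings = []
    for line in trace.splitlines():
        tcp = TCP.search(line)
        if tcp:
            opt = re.search(r"<mss (\d+)", tcp["rest"])
            if tcp["rest"].startswith("S") and opt:
                advertised[tcp["src"]] = int(opt.group(1))
                continue
            seg = re.search(r"\d+:\d+\((\d+)\)", tcp["rest"])
            payload = int(seg.group(1)) if seg else 0
            limit = advertised.get(tcp["dst"])
            if limit is not None and payload > limit:
                findings.append(("mss-ignored", tcp["src"], payload, limit))
            continue
        icmp = ICMP.search(line)
        if icmp:
            mtu = int(icmp["mtu"])
            # 40 = 20-byte IPv4 header + 20-byte TCP header, no options assumed
            findings.append(("need-frag", icmp["src"], mtu, mtu - 40))
    return findings


if __name__ == "__main__":
    for finding in analyse(TRACE):
        print(finding)
```

On these lines it reports the 1400-byte segment sent toward an endpoint that advertised MSS 1300, and an MSS of 1356 for the 1396-byte MTU named in the ICMP reply.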