Dunno if relevant, but a long time ago, routing ethernet
over an internal SLIP connection (don't ask, fiber is much better),
connections were real flaky until I upped the MTU on the
SLIP connection to 1500. Seems Microsoft likes to put a
"Don't Fragment" into the TCP/IP setup and silently ignores
fragmented packets, or at least did.
If both ends like full 1500 byte packets and one end
cannot accept fragments (either end?) .....

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Javier Villavicencio
Sent: Sunday, June 12, 2005 10:28 PM
To: Serban Giuroiu
Cc: misc@openbsd.org
Subject: Re: Some Sites Don't Load Behind pf NAT


Serban Giuroiu wrote:
> Hello.
>
> I have an OpenBSD 3.7 box set up as a router and
> server for my home network. It connects to the
> Internet through the kernel PPPoE driver. Naturally, I
> use pf on that box. Everything runs smoothly, but
> there are certain websites that do not load properly
> from machines behind the NAT router.
>
> When trying to access http://mail.yahoo.com or
> http://linuxhardware.org, an initial connection is
> made, but no further data comes in as the web browser
> sits and waits. However, if I open those pages in lynx
> from the OpenBSD box, they load without any problems.
> Most other websites load correctly from all machines
> on my network.
>
Had the very same problem.
> Searching Google, I found a similar problem posted to
> this list a couple years ago in which an MTU setting
> and fragmentation were the cause of the strange
> behavior
> (http://www.monkey.org/openbsd/archive/tech/0211/msg00163.html).
Didn't find this one.

> The poster added "scrub out all no-df max-mss 1452" to
> his pf configuration and that fixed his problem.
>
> As recommended in the pppoe(4) man page, I set the MSS
> for the pppoe interface to 1440. I played around with
> different MSS's and scrubbing out the DF bit, but my
> problem remains. Does anyone know what is causing this
> strange problem and how to fix it?
>
[snip]
As Shawn says, I installed squid as a transparent proxy trying to solve this,
but some of the sites worked, and some didn't. This is what (I think, too much
trial and error before everything worked fine) solved that problem:

scrub in all fragment reassemble random-id
scrub out on pppoe0 max-mss 1452

Just to help you test, this is what I did with the sites that didn't open
correctly: From the machine behind the NAT that isn't working well, *telnet* to
that site on port 80, and try to get the same page writing (or pasting) the HTTP
GET command, for example: "GET / HTTP/1.0" (without quotes).

Trying that you will find that if you type the wrong thing on telnet, generally,
most sites send you an error page. Funny though, it seems that some error pages
aren't big enough to "fill" a TCP packet and you get the error page fine, while
the actual page you're trying to see is so big (the HTML text) that the MTU/MSS
screws up.

Hope it helps,
Salu2.
Javier.
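As an added illustration, not part of this thread and not pf's own code, of what `scrub out on pppoe0 max-mss 1452` does to a packet: the Python below parses a constructed IPv4 SYN, lowers an oversized MSS option to 1452 (the 1492-byte PPPoE MTU minus 40 bytes of minimal IP and TCP headers) and recomputes the TCP checksum, which is why clamped clients stop sending full-size segments that the PPPoE link would otherwise have to fragment. Function names such as `clamp_mss` and the sample addresses are assumptions made for this example.

```python
import struct

PPPOE_MTU = 1492          # Ethernet 1500 minus the 8-byte PPPoE + PPP overhead
MAX_MSS = PPPOE_MTU - 40  # minus minimal IPv4 (20) and TCP (20) headers = 1452

def checksum(data):
    """Ones'-complement Internet checksum over 16-bit big-endian words."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_pseudo(packet):
    """IPv4 pseudo-header for the TCP checksum: src, dst, zero, proto 6, TCP length."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[12:20] + struct.pack("!BBH", 0, 6, len(packet) - ihl)

def build_syn(src, dst, mss):
    """Constructed IPv4+TCP SYN carrying an MSS option, used as sample input."""
    opts = struct.pack("!BBH", 2, 4, mss)  # kind 2 = MSS, length 4, value
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tcp = tcp[:16] + struct.pack("!H", checksum(tcp_pseudo(ip + tcp) + tcp)) + tcp[18:]
    return ip + tcp

def clamp_mss(packet, max_mss=MAX_MSS):
    """Lower the TCP MSS option to max_mss if larger; returns (packet, new_mss or None)."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & 0x02:                  # MSS is only carried on SYN segments
        return packet, None
    doff = (tcp[12] >> 4) * 4               # TCP header length including options
    i, new_mss = 20, None
    while i < doff:                         # walk the option list
        kind = tcp[i]
        if kind == 0:                       # end of option list
            break
        length = 1 if kind == 1 else tcp[i + 1]   # NOP is a single byte
        if kind == 2 and length == 4 and struct.unpack("!H", tcp[i + 2:i + 4])[0] > max_mss:
            tcp[i + 2:i + 4] = struct.pack("!H", max_mss)
            new_mss = max_mss
        i += length
    if new_mss is not None:                 # option bytes changed: refresh the TCP checksum
        tcp[16:18] = b"\x00\x00"
        tcp[16:18] = struct.pack("!H", checksum(tcp_pseudo(packet) + bytes(tcp)))
    return packet[:ihl] + bytes(tcp), new_mss
```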
