Serban Giuroiu wrote:
Hello.

I have an OpenBSD 3.7 box set up as a router and
server for my home network. It connects to the
Internet through the kernel PPPoE driver. Naturally, I
use pf on that box. Everything runs smoothly, but
there are certain websites that do not load properly
from machines behind the NAT router.
When trying to access http://mail.yahoo.com or
http://linuxhardware.org, an initial connection is
made, but no further data comes in as the web browser
sits and waits. However, if I open those pages in lynx
from the OpenBSD box, they load without any problems.
Most other websites load correctly from all machines
on my network.

Searching Google, I found a similar problem posted to
this list a couple years ago in which an MTU setting
and fragmentation were the cause of the strange
behavior
(http://www.monkey.org/openbsd/archive/tech/0211/msg00163.html).
The poster added "scrub out all no-df max-mss 1452" to
his pf configuration and that fixed his problem.

As recommended in the pppoe(4) man page, I set the MSS
for the pppoe interface to 1440. I played around with
different MSS's and scrubbing out the DF bit, but my
problem remains. Does anyone know what is causing this
strange problem and how to fix it?

My pf.conf (without queueing rules and bloat) looks
like this:
-------------------------------------------------------
ppp = "pppoe0"

table <internal> { 172.16.0.0/22 }

scrub random-id
scrub fragment reassemble
scrub reassemble tcp
scrub out on $ppp max-mss 1440

nat pass on $ppp from <internal> to !<internal> -> ($ppp)

# allow connection to ssh & apache from the outside
pass quick on $ppp proto tcp from any to ($ppp) port {22, 80}

# prevent other tcp connection attempts
block in on $ppp proto tcp from any to ($ppp) flags S/SA

# don't allow routing of packets to where they
# should not go
block in on $ppp from any to !($ppp)
block out on $ppp from !($ppp) to any
-------------------------------------------------------


Serban Giuroiu
http://javatheory.net
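The numbers in the post (1452 in the old thread, 1440 from pppoe(4)) come from the PPPoE link budget, and the scrub rule works by rewriting the MSS option in the TCP SYN. The following is an added example, not code from the original post or from OpenBSD: it models what `scrub max-mss N` does to a SYN's option bytes and where the 1452/1440 figures come from. The host MSS of 1460, the 12-byte timestamp option, the function names (`clamp_mss`, `handshake_through_router`, `clamp_out`/`clamp_in`) and the sample option fields are all constructed for illustration; real pf also recomputes the TCP checksum after the rewrite, which this model does not do.

```python
import struct

# Link arithmetic (IPv4, no IP options).  Header sizes are the standard ones.
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8            # 6-byte PPPoE header + 2-byte PPP protocol field
PPPOE_MTU = ETHERNET_MTU - PPPOE_OVERHEAD   # 1492, the pppoe(4) interface MTU
IPV4_HDR = 20
TCP_HDR = 20
TCP_TS_OPT = 12               # NOP, NOP, timestamps(10): the usual 12 bytes per segment


def max_mss_for_mtu(mtu, per_segment_options=0):
    """Largest TCP payload that fits one unfragmented IPv4 packet on a link of this MTU.
    1492 - 40 = 1452 with no options; 1440 once the 12-byte timestamp option is counted."""
    return mtu - IPV4_HDR - TCP_HDR - per_segment_options


def segment_fits(mss, mtu, per_segment_options=TCP_TS_OPT):
    """True if a full-MSS segment (carrying the usual options) fits the link unfragmented."""
    return IPV4_HDR + TCP_HDR + per_segment_options + mss <= mtu


def parse_tcp_options(data):
    """Return [(kind, value)] for a raw TCP options field, stopping at EOL (kind 0)."""
    opts, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:                      # EOL
            break
        if kind == 1:                      # NOP has no length byte
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated TCP option")
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed TCP option length")
        opts.append((kind, data[i + 2:i + length]))
        i += length
    return opts


def clamp_mss(options, max_mss):
    """Model of `scrub max-mss N`: lower the MSS option (kind 2) if it exceeds N.
    Every other option stays byte-for-byte intact, so the field length is unchanged.
    (pf additionally fixes up the TCP checksum; a model of the option bytes does not.)"""
    out, i = bytearray(options), 0
    while i < len(out):
        kind = out[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = out[i + 1]
        if kind == 2 and length == 4:
            (mss,) = struct.unpack("!H", out[i + 2:i + 4])
            if mss > max_mss:
                out[i + 2:i + 4] = struct.pack("!H", max_mss)
        i += length
    return bytes(out)


def announced_mss(options):
    """MSS a peer reads from a SYN; the RFC 1122 default of 536 applies if it is absent."""
    for kind, value in parse_tcp_options(options):
        if kind == 2 and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return 536


def syn_options(mss):
    """Constructed options field of a SYN from an Ethernet host: MSS, NOP, NOP, timestamps."""
    return struct.pack("!BBH", 2, 4, mss) + b"\x01\x01" + struct.pack("!BBII", 8, 10, 1, 0)


def handshake_through_router(max_mss, clamp_out=True, clamp_in=False):
    """Model the SYN (LAN -> Internet) and SYN-ACK (Internet -> LAN) crossing the router.
    A `scrub out on $ppp max-mss N` rule is clamp_out only; `scrub on $ppp max-mss N`
    (no direction) is both.  Returns (mss the remote server may send, mss the LAN client
    may send); both sides start at 1460, the value 1500-byte-MTU hosts announce."""
    syn = syn_options(1460)          # from the LAN client, leaves on pppoe0
    syn_ack = syn_options(1460)      # from the remote server, arrives on pppoe0
    if clamp_out:
        syn = clamp_mss(syn, max_mss)
    if clamp_in:
        syn_ack = clamp_mss(syn_ack, max_mss)
    return announced_mss(syn), announced_mss(syn_ack)


if __name__ == "__main__":
    print("PPPoE MTU", PPPOE_MTU, "-> max-mss", max_mss_for_mtu(PPPOE_MTU),
          "without options,", max_mss_for_mtu(PPPOE_MTU, TCP_TS_OPT), "with timestamps")
    for label, kw in (("scrub out only", dict(clamp_in=False)),
                      ("scrub both ways", dict(clamp_in=True))):
        server_mss, client_mss = handshake_through_router(1440, **kw)
        print(f"{label}: server sends <= {server_mss} (fits: {segment_fits(server_mss, PPPOE_MTU)}), "
              f"client sends <= {client_mss} (fits: {segment_fits(client_mss, PPPOE_MTU)})")
```

Run stand-alone it prints the link budget and the two handshake outcomes. The point it makes is that a direction-qualified scrub rule only rewrites the SYN that crosses the interface in that direction: the other side of the handshake keeps whatever MSS it announced, and whether that still fits the 1492-byte link is a separate check, which is what `segment_fits` does.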


                
__________________________________ Discover Yahoo! Get on-the-go sports scores, stock quotes, news and more. Check it out! http://discover.yahoo.com/mobile.html


I have a similar problem here. I've recently installed 3.7, and from
Linux behind NAT osnews.com and groups-beta.google.com don't work,
but from WinXP it works OK. Before the upgrade all worked fine.
