On Tue, 10 Dec 2019 09:26:46 +
Nektarios Katakis wrote:
> On Tue, 10 Dec 2019 07:22:05 +0100
> Pascal Hambourg wrote:
>
> > Le 10/12/2019 à 00:01, Nektarios Katakis a écrit :
> > >
> > > I am running an iptables firewall on an openwrt router I ve got.
> > > Which acts as Firewall/gateway and performs NATing for my internal
> > > network - debian PCs and android phones.
> > >
> > > All good but specific web sites are not loading for the machines
> > > that are sitting behind the home router.
> > >
> > > When attempting on the browser (firefox but tried different ones)
> > > the browser stays at `Performing a TLS handshake to
> > > bitbucket.org`. wget has similar results:
> > > ```
> > > wget https://bitbucket.org
> > > --2019-12-09 22:07:32-- https://bitbucket.org/
> > > Resolving bitbucket.org (bitbucket.org)... 18.205.93.0,
> > > 18.205.93.1, 18.205.93.2, ... Connecting to bitbucket.org
> > > (bitbucket.org)|18.205.93.0|:443... connected.
> > > ```
> > > When doing a tcpdump on the router side I can see some initial TCP
> > > session establishment and then nothing:
> > (...)
> > > Of course doing a wget from the router itself works fine as it
> > > also works fine on my desktop if I do dynamic port-forwarding
> > > with eg. `ssh -D 1050 router` (and configure of course firefox to
> > > use it).
> >
> > Maybe a "MTU black hole" issue with PPPoE.
> > Workarounds :
> > - lower the MTU on the client side to 1492
> > - add a "TCPMSS --clamp-to-pmtu" iptables rule on the router
> >
>
> Interesting. I m not a network engineer and actually didnt think of
> that. I ll give it a shot and update.
>
> Thanks.
>
The tip you gave me really did the job! I found this page in tldp.org
describing the mtu issue
http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/mtu-issues.html and the I
simply ran the iptables command
```
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS
--clamp-mss-to-pmtu
```
and it was fixed!
Thanks again!
---
Nektarios Katakis
