Re: Erratic NAT behaviour

2008-10-09 Thread ng-sup01

Stuart Henderson wrote:

On 2008-10-09, gm_sjo [EMAIL PROTECTED] wrote:

- Client appears to be able to connect to any internet host on port
80, and a 'GET /' works (albeit often to a http 1.1 error as you'd
expect)
- Only a couple of the websites I've tried actually render in a
browser, google does for example.
- I can grab small text files (1KB) from a site, but larger ones
don't work. Looks like size is relevant.


man 4 pppoe, near the bottom.


- Connection works fine from the firewall itself, can grab anything
from anywhere with no issue (does this rule out MTU issues on the WAN
link?)


It's the advertised MSS that's relevant; this is normally determined
by the *LAN* host's MTU. See the above reference.



Stuart,

   I've seen something just like that. I didn't dive into the 
connection details, but: a) Linux machines were browsing just fine and 
b) WindozeXP weren't rendering, symptoms just as you described.


   My machine was directly connected to an ADSL router (no pppoe 
running on the OBSD box).


   Also, I was trying to set up two VLANs on the Internet side, and the 
idea was to use a single (VLAN supporting) switch--both for the private 
and for the public side.


   Moral: after spending all of the weekend playing around with 
MTUs on all the OBSD interfaces, Monday morning the customer confirmed 
that they couldn't browse anything. So I just ripped apart the whole 
VLAN thing and went back to separate switches/interfaces. Immediately, 
everything was fine.


   Sorry I can't be of more help, I was out of ideas and out of time.
Still, I believe it wasn't MTU.

  ---Vic



Re: Erratic NAT behaviour

2008-10-09 Thread Stuart Henderson
On 2008-10-09, gm_sjo [EMAIL PROTECTED] wrote:
 - Client appears to be able to connect to any internet host on port
 80, and a 'GET /' works (albeit often to a http 1.1 error as you'd
 expect)
 - Only a couple of the websites I've tried actually render in a
 browser, google does for example.
 - I can grab small text files (1KB) from a site, but larger ones
 don't work. Looks like size is relevant.

man 4 pppoe, near the bottom.

 - Connection works fine from the firewall itself, can grab anything
 from anywhere with no issue (does this rule out MTU issues on the WAN
 link?)

It's the advertised MSS that's relevant; this is normally determined
by the *LAN* host's MTU. See the above reference.



Erratic NAT behaviour

2008-10-09 Thread gm_sjo
Hi all,

I am testing my new OpenBSD router in a simple NAT configuration but I
am getting some strange results. The client machine is a Windows XP
laptop and the behaviour is that only a handful of websites render
(google, for example); 99% of those I've tried do not. FTP appears to be
working fine. It doesn't appear to be a local client configuration
issue, as when I point to an alternate NAT gateway there are no
problems.

Here is my configuration :-

-bash-3.2# ifconfig -A (stripped slightly)
pppoe1: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
dev: fxp2 state: session
sid: 0x6 PADI retries: 0 PADR retries: 0 time: 12:00:53
sppp: phase network authproto chap authname x
groups: pppoe egress
inet6 fe80::204:23ff:fecb:1cde%pppoe1 -> prefixlen 64 scopeid 0x9
inet 90.155.88.39 --> 81.187.81.72 netmask 0xffffffff
fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:02:b3:13:fc:0d
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::202:b3ff:fe13:fc0d%fxp2 prefixlen 64 scopeid 0x5
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:04:23:cb:1c:de
trunk: trunkdev trunk0
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet6 fe80::204:23ff:fecb:1cde%em0 prefixlen 64 scopeid 0x1
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:04:23:cb:1c:de
trunk: trunkdev trunk0
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet6 fe80::204:23ff:fecb:1c7d%em1 prefixlen 64 scopeid 0x2
trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:04:23:cb:1c:de
trunk: trunkproto loadbalance
trunkport em1 active
trunkport em0 master,active
groups: trunk
media: Ethernet autoselect
status: active
inet6 fe80::204:23ff:fecb:1cde%trunk0 prefixlen 64 scopeid 0xb
vlan1020: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:04:23:cb:1c:de
vlan: 1020 priority: 0 parent interface: trunk0
groups: vlan
inet6 fe80::204:23ff:fecb:1cde%vlan1020 prefixlen 64 scopeid 0xe
inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255


-bash-3.2# route show -inet (stripped)
Routing tables

Internet:
Destination         Gateway             Flags  Refs   Use  Mtu  Interface
default             careless.aaisp.net  UGS       1  8539    -  pppoe1
0.0.0.1             default             UH        0     0    -  pppoe0
careless.aaisp.net  90.155.88.39        UH        1     2    -  pppoe1

(pppoe0 is not currently in-use)


-bash-3.2# cat /etc/pf.conf
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
nat on pppoe1 from vlan1020:network to any -> (pppoe1)
rdr pass on vlan1020 proto tcp from any to any port ftp -> 127.0.0.1 port 8021
anchor ftp-proxy/*




Scenario:-

- Windows client sitting on an 802.1q tagged network.
- VLAN ID is 1020 and is set to be the default VLAN on the switch port
it's attached to.
- Default gw on client is 192.168.10.1
- trunk0 on firewall is configured as a trunk on the switch (em0/em1),
albeit not 802.3ad (not sure on standard)
- Client can ping any host on the internet
- Client appears to be able to connect to any internet host on port
80, and a 'GET /' works (albeit often to a http 1.1 error as you'd
expect)
- Only a couple of the websites I've tried actually render in a
browser, google does for example.
- I can grab small text files (1KB) from a site, but larger ones
don't work. Looks like size is relevant.
- Connection works fine from the firewall itself, can grab anything
from anywhere with no issue (does this rule out MTU issues on the WAN
link?)


I don't have any tcpdump or debug data handy where I am at the moment,
but can obtain some later today upon request.

Any thoughts on how I can debug this? Any more info I can provide to help?

Thanks in advance!



Re: Erratic NAT behaviour

2008-10-09 Thread Nick Ryan
man 4 pppoe - you're missing part of the pf.conf file:


MTU/MSS ISSUES
     Problems can arise on machines with private IPs connecting to the
     Internet via a machine running both Network Address Translation (NAT)
     and pppoe.  Standard Ethernet uses a Maximum Transmission Unit (MTU) of
     1500 bytes, whereas PPPoE mechanisms need a further 8 bytes of overhead.
     This leaves a maximum MTU of 1492.  pppoe sets the MTU on its interface
     to 1492 as a matter of course.  However, machines connecting on a
     private LAN will still have their MTUs set to 1500, causing conflict.

     While pppoe(8) has an internal option, ``mssfixup'', which is enabled by
     default and takes care of this, pppoe users have to rely on other
     methods.  Using a packet filter, the Maximum Segment Size (MSS) can be
     set (clamped) to the required value.  The following rule in pf.conf(5)
     would set the MSS to 1440:

           scrub out on pppoe0 max-mss 1440

     Although in theory the maximum MSS over a PPPoE interface is 1452
     bytes, 1440 appears to be a safer bet.  Note that setting the MSS this
     way can have undesirable effects, such as interfering with the OS
     detection features of pf(4).




On Thu, 9 Oct 2008 10:11:38 +0100, gm_sjo [EMAIL PROTECTED] wrote:

Re: Erratic NAT behaviour

2008-10-09 Thread gm_sjo
Thanks all - reducing the MTU as above did fix the issue.
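A worked illustration of Stuart's point (the advertised MSS comes from the LAN host's MTU) and of what the scrub max-mss rule in the pppoe(4) excerpt does to a packet. This is an added example, not code from the thread or from OpenBSD: it builds a TCP SYN in memory, reads the MSS option, rewrites it the way pf's clamp does, and recomputes the TCP checksum so the segment stays valid. The client address 192.168.20.10, the destination 198.51.100.80 and the port numbers are constructed; 90.155.88.39 and the 1500/1492/1440 figures are the ones from the thread. Nothing is sent on the wire.

```python
import socket
import struct

# Link figures from the thread: Ethernet MTU 1500, PPPoE adds 8 bytes, so the
# pppoe(4) interface runs at MTU 1492; pppoe(4) recommends clamping to 1440.
ETHER_MTU = 1500
PPPOE_OVERHEAD = 8
IP_HDR = 20
TCP_HDR = 20
PF_MAX_MSS = 1440


def mss_for_link_mtu(link_mtu):
    """Largest TCP payload that fits one packet on a link of this MTU."""
    return link_mtu - IP_HDR - TCP_HDR


def inet_checksum(data):
    """RFC 1071 one's-complement checksum (odd-length input is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_pseudo_header(packet, tcp_len):
    """src, dst, zero, protocol 6, TCP length: the pseudo-header TCP checksums over."""
    return packet[12:20] + struct.pack("!BBH", 0, 6, tcp_len)


def build_syn(src, dst, sport, dport, mss):
    """Constructed IPv4 + TCP SYN carrying a single MSS option (kind 2, len 4)."""
    tcp_len = TCP_HDR + 4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + tcp_len, 0x1234,
                         0x4000, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    # data offset 6 words (24 bytes), flags 0x02 = SYN, checksum zero for now
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      (tcp_len // 4) << 4, 0x02, 65535, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)
    packet = ip_hdr + tcp
    csum = inet_checksum(tcp_pseudo_header(packet, tcp_len) + tcp)
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    return ip_hdr + tcp


def find_mss_option(packet):
    """Walk the TCP options; return (offset of the MSS value, MSS) or None."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    i = TCP_HDR
    while i < data_off:
        kind = tcp[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:           # malformed option: stop rather than loop forever
            break
        if kind == 2 and length == 4:
            return ihl + i + 2, struct.unpack("!H", tcp[i + 2:i + 4])[0]
        i += length
    return None


def tcp_checksum_ok(packet):
    """A valid segment checksums to zero when its own checksum field is included."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    return inet_checksum(tcp_pseudo_header(packet, len(tcp)) + tcp) == 0


def clamp_mss(packet, max_mss):
    """What 'scrub ... max-mss' does: lower an oversized MSS and refresh the checksum."""
    found = find_mss_option(packet)
    if found is None or found[1] <= max_mss:
        return packet
    ihl = (packet[0] & 0x0F) * 4
    out = bytearray(packet)
    struct.pack_into("!H", out, found[0], max_mss)
    struct.pack_into("!H", out, ihl + 16, 0)          # zero the old TCP checksum
    tcp = bytes(out[ihl:])
    struct.pack_into("!H", out, ihl + 16,
                     inet_checksum(tcp_pseudo_header(packet, len(tcp)) + tcp))
    return bytes(out)


if __name__ == "__main__":
    # LAN host (MTU 1500) behind the NAT box advertises 1460; the firewall's
    # own pppoe1 (MTU 1492) would advertise 1452, which is why it is unaffected.
    lan_syn = build_syn("192.168.20.10", "198.51.100.80", 40000, 80,
                        mss_for_link_mtu(ETHER_MTU))
    print("LAN host advertises MSS", find_mss_option(lan_syn)[1])
    print("after clamp:", find_mss_option(clamp_mss(lan_syn, PF_MAX_MSS))[1])
    print("firewall itself would advertise",
          mss_for_link_mtu(ETHER_MTU - PPPOE_OVERHEAD))
```

The numbers line up with the symptoms in the thread: the XP client advertises 1460, the remote server sizes its data segments accordingly, and anything larger than a small text file produces segments that do not fit the 1492-byte PPPoE link, while the firewall's own connections already advertise 1452 and work. Clamping on the pppoe interface is the fix because it is the only place that sees every LAN host's SYN.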