Re: [Samba] Samba over bridged ethernet VPN

2008-10-01 Thread Wes Deviers
On Tuesday 30 September 2008 18:07:25 Daniel Bye wrote:
> Thanks for your reply, Wes.
>
...

> As for the routing between sites, if I understand correctly what you're
> asking, then it's simply a small LAN in the office attached via a commodity
> ADSL modem, with Samba and OpenVPN running on the same host. OpenVPN is
> running in bridged Ethernet mode, and assigns IP addresses to connecting
> clients. Therefore, effectively there is no routing between sites, as far
> as our CIFS/SMB clients are concerned. However, the physical routing is
> essentially as you'd expect - the office is on a standard domestic grade
> ADSL link, as are two of the remote users. The other remote users and I
> are connected over cable, and all are subject to our upstream providers'
> routing policies.
>
> I'm going to try fiddling with the MTU/fragment/mssfix settings in my
> OpenVPN configs, and see how we get on.

If you're using Linux routers, a good diag tool is "iperf", which has a 
maximum MTU discovery mode.  The problem (apparently) comes in because 
fragmenting OpenVPN packets is Bad.  So if you set no-fragment then large 
packets just get dropped, which is also Bad.  It can also come from an 
interface or router in the middle that's broken somehow.  In my case, I had a 
PCI T1 interface that wasn't reporting the correct MTU for path discovery.  It 
was reporting 1500 as standard but it actually cut off somewhere around 1480; I 
think the driver implementation was broken.  Normally it wouldn't be an issue, 
but since OVPN can't be fragmented it became a problem.

Regardless, I hard-set the MTU on the ethernet devices (both ends) to 1400 and 
that fixed the transport issue.  In theory, you can do the same in the OVPN 
config (such that it pre-fragments, basically) but it didn't work as well for 
me.

Good luck!

Wes

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
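
An added example, not part of the original thread: a binary search for the largest packet that crosses a path unfragmented, the kind of manual check that exposes a link advertising 1500 while dropping above roughly 1480. The function names, the `PROBE` hook and the fake probe are assumptions made for this sketch; the real probe uses Linux iputils `ping` flags.

```shell
#!/bin/sh
# Added example: find the largest IP packet size that passes with
# Don't Fragment set. PROBE is a hypothetical hook naming the probe
# function, so the search logic can be exercised offline.
# Usage (after sourcing this file): find_path_mtu vpn-peer.example 576 1500

# Real probe: one ICMP echo with DF set (Linux iputils ping; on FreeBSD
# the equivalent is "ping -D"). $1 = host, $2 = total IP packet size.
# ICMP payload = size - 28 (20-byte IPv4 header + 8-byte ICMP header).
probe_ping() {
    ping -M do -c 1 -W 2 -s "$(( $2 - 28 ))" "$1" >/dev/null 2>&1
}

# Constructed stand-in for the broken interface described in the thread:
# it claims 1500 but silently drops anything larger than 1480 bytes.
probe_fake_1480() {
    [ "$2" -le 1480 ]
}

# find_path_mtu HOST [LOW] [HIGH]
# Prints the largest size in [LOW, HIGH] that the probe accepts.
# Returns 1 if even LOW does not get through.
find_path_mtu() {
    host=$1
    lo=${2:-576}
    hi=${3:-1500}
    probe=${PROBE:-probe_ping}

    "$probe" "$host" "$lo" || return 1

    # Invariant: a packet of size $lo is known to pass.
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$host" "$mid"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$lo"
}
```

The value printed is the ceiling for the outer packet; the interface or tunnel MTU then has to be set below it by whatever the VPN encapsulation adds, which is why a round figure such as 1400 leaves comfortable headroom.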


Re: [Samba] Samba over bridged ethernet VPN

2008-09-30 Thread Daniel Bye
Thanks for your reply, Wes.

On Mon, Sep 29, 2008 at 04:45:38PM -0400, Wes Deviers wrote:
> I've had problems similar to this with OpenVPN when path MTU discovery was 
> broken.  In theory it should never break, but there have been a few times 
> when I've had to tweak it by hand.  The general theory, if you're unfamiliar,
> is that different networking media have different Maximum Transmission Units 
> (MTU) which is the largest size an L2 chunk can be and still be transported.
> In Ethernet, it's typically 1500 bytes (+ some overhead, the actual max is 
> 1514).  

It did occur to me, after I'd posted, that this may be part of the explanation.

> Your OVPN link is probably using 1500 as well.  But OpenVPN wraps some header 
> information around the Ethernet frame to deliver it correctly; what can happen
> is that the payload size can be larger than 1500 on the VPN link, forcing the 
> entire frame to be dropped.

Indeed, I am using the default MTU of 1500. 

> A quick way to diagnose this: if you ssh and do commands with minimal output, 
> it will work fine.  If you do a huge directory listing, it will spaz and die 
> (because you go from small to large packets).
> 
> Have you seen anything like that?  Can you give us a quick breakdown of how 
> the routing looks between sites?

Well, a long directory listing doesn't actually cause terminal death (as it
were), but it does stutter somewhat...

As for the routing between sites, if I understand correctly what you're
asking, then it's simply a small LAN in the office attached via a commodity
ADSL modem, with Samba and OpenVPN running on the same host. OpenVPN is
running in bridged Ethernet mode, and assigns IP addresses to connecting 
clients. Therefore, effectively there is no routing between sites, as far
as our CIFS/SMB clients are concerned. However, the physical routing is
essentially as you'd expect - the office is on a standard domestic grade
ADSL link, as are two of the remote users. The other remote users and I
are connected over cable, and all are subject to our upstream providers'
routing policies.

I'm going to try fiddling with the MTU/fragment/mssfix settings in my
OpenVPN configs, and see how we get on.

Thanks again, your help is appreciated.

Dan
 
-- 
Daniel Bye

Re: [Samba] Samba over bridged ethernet VPN

2008-09-29 Thread Wes Deviers
On Monday 29 September 2008 12:33:33 Daniel Bye wrote:
> Hi all,
>
> I have Samba 3.0.32 on FreeBSD-7-RELEASE, set up to act as a very simple
> workgroup file server (i.e., no domain or anything fancy like that). It
> is the latest version of Samba available in ports.
>
> I am seeing timeouts and connection reset errors in my per-client logs such
> as the following. For clients on the local LAN, the errors don't cause any
> real problems. However, for remote clients connected over OpenVPN in
> bridged Ethernet mode over cheap domestic ADSL lines, they result in the
> clients being unable to open or otherwise manipulate files on the server.

SNIP

>
> This client machine is running WinXP Pro, but we are seeing the same for
> WinXP Home, Vista HP, FreeBSD and Linux-based clients. I have found several
> references to the same problem in numerous mailing list archives and bug
> reports around the web, but none of them seems to have a definite fix.
> Anyone know of anything I can try here?
>
> Thanks for any help or insights you can offer...
>
> Dan

Dan,

I've had problems similar to this with OpenVPN when path MTU discovery was 
broken.  In theory it should never break, but there have been a few times when 
I've had to tweak it by hand.  The general theory, if you're unfamiliar, is 
that different networking media have different Maximum Transmission Units (MTU) 
which is the largest size an L2 chunk can be and still be transported.  In 
Ethernet, it's typically 1500 bytes (+ some overhead, the actual max is 1514).  

Your OVPN link is probably using 1500 as well.  But OpenVPN wraps some header 
information around the Ethernet frame to deliver it correctly; what can happen 
is that the payload size can be larger than 1500 on the VPN link, forcing the 
entire frame to be dropped.

A quick way to diagnose this: if you ssh and do commands with minimal output, 
it will work fine.  If you do a huge directory listing, it will spaz and die 
(because you go from small to large packets).

Have you seen anything like that?  Can you give us a quick breakdown of how 
the routing looks between sites?

Wes


[Samba] Samba over bridged ethernet VPN

2008-09-29 Thread Daniel Bye
Hi all,

I have Samba 3.0.32 on FreeBSD-7-RELEASE, set up to act as a very simple
workgroup file server (i.e., no domain or anything fancy like that). It
is the latest version of Samba available in ports.

I am seeing timeouts and connection reset errors in my per-client logs such
as the following. For clients on the local LAN, the errors don't cause any 
real problems. However, for remote clients connected over OpenVPN in bridged 
Ethernet mode over cheap domestic ADSL lines, they result in the clients 
being unable to open or otherwise manipulate files on the server.

[2008/09/26 16:39:36, 0] lib/util_sock.c:read_data(534)
  read_data: read failure for 4 bytes to client 10.0.0.201. Error = Connection reset by peer
[2008/09/26 16:39:36, 0] lib/util_sock.c:write_data(562)
  write_data: write failure in writing to client 10.0.0.201. Error Broken pipe
[2008/09/26 16:39:36, 0] lib/util_sock.c:send_smb(761)
  Error writing 75 bytes to client. -1. (Broken pipe)
[2008/09/26 16:39:37, 1] smbd/service.c:make_connection_snum(1033)
  pgchomexp (10.0.0.201) connect to service shared initially as user alison (uid=2527, gid=1500) (pid 73259)
[2008/09/26 16:40:45, 0] lib/util_sock.c:write_data(562)
  write_data: write failure in writing to client 10.0.0.201. Error Broken pipe
[2008/09/26 16:40:45, 0] lib/util_sock.c:send_smb(761)
  Error writing 61503 bytes to client. -1. (Broken pipe)
[2008/09/26 16:40:45, 1] smbd/service.c:close_cnum(1230)
  pgchomexp (10.0.0.201) closed connection to service shared
[2008/09/26 16:40:45, 1] smbd/service.c:make_connection_snum(1033)
  pgchomexp (10.0.0.201) connect to service shared initially as user alison (uid=2527, gid=1500) (pid 74249)
[2008/09/26 17:41:06, 0] lib/util_sock.c:read_data(534)
  read_data: read failure for 4 bytes to client 10.0.0.201. Error = Operation timed out

...and so on.

This client machine is running WinXP Pro, but we are seeing the same for
WinXP Home, Vista HP, FreeBSD and Linux-based clients. I have found several
references to the same problem in numerous mailing list archives and bug
reports around the web, but none of them seems to have a definite fix.
Anyone know of anything I can try here?

Thanks for any help or insights you can offer...

Dan

-- 
Daniel Bye