Geez don't get testie, I email SLUG CAUSE I NEEDED HELP.. far out... 1) I'm not blocking ICMP at all 2) I didn't know about PMTU. That's the kinda thing i needed to know (ta) Crossfire <[EMAIL PROTECTED]> on 11/04/2001 11:51:00 AM To: Stephen Dennis/NSW/QBE/AU@QBE cc: [EMAIL PROTECTED] Subject: Re: [SLUG] Packet Fragmenting and IP_MASQ... [EMAIL PROTECTED] was once rumoured to have said: > Hello all, > > I just figured out why my router wouldn't work. The MTU of the external > interface was 1472 (i set that) and I read the thing about IP_masq code not > liking non-fragmented packets.. So just a quick couple of questions.. Uh? > 1) Isn't it faster if it doens't have to fragment the packet?? as 1472 is the > MTU of the next hop out to the net. Yes, this is what PMTU discovery is about. In fact, I'll be sure to include a bit about PMTU discovery in my talk, and why you don't block all ICMP... ever. > 2) Is it possible to use IP_MASQ without fragmenting packets?? maybe > I should use 2.4 with netfilter as opposed to 2.2.16 with ipchains > (current setup)? *grah*. Learn how IP works. Then ask stupid questions. > 3) Any tips for increasing performance on net (2x eepro 10/100 > NIC's) apart from TOS mangling via ipchains? and MTU matching? If you've got performance problems, its probably because you're doing bad things to your IP network, like blocking ICMP religously. TOS mangling won't help unless you're doing QoS queueing. If you need MTU matching, then you've broken PMTU discovery by doing something stupid... like blocking ICMP. OK, now before I do go further off the deep end, let me explain this: IP packets have a DF (Don't Fragment) flag. These are usually set on by default so PMTU discovery can be employed which is easier on the routers (since they don't need to fragment the packets), but requires a clear path for ICMP packets back to your host so when your packet proves to be too large for an MTU along the path, the error message makes it back so your stack can adjust When employing NAT, packets HAVE to be defragmented before they can be relayed from the real world into the NAT again. This is as fragmented packets won't contain destination and source port numbers which are required in order to route the packet to their propper destination. (Remember, IP does the fragmenting, not UDP or TCP - and only UDP and TCP contain the port numbers, so the first fragment should contain this information, but subsequent fragments wont). Got it? Good. C. -- --==============================================-- Crossfire | This email was brought to you [EMAIL PROTECTED] | on 100% Recycled Electrons --==============================================-- -- SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/ More Info: http://slug.org.au/lists/listinfo/slug -- SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/ More Info: http://slug.org.au/lists/listinfo/slug