So, I've had to move from my beloved Broadweave to Comcast. I thought it
would be easy to take my Linux router and just give it a quick update to
DHCP and change iptables to masquerade and move on with life, 30 minutes
tops! Three HOURS later I got it to work! It was the strangest thing: some
web pages would load OK, some only partially, so I was very confused as to
what was going on. My hardware router, which I had plugged in for a day to
make sure things were working OK, worked fine. I was looking at tcpdump
traffic from every which way and noticed some MTU mismatches. I finally found
this section in the iptables man page, which clears things up for me.

   TCPMSS
       This target allows to alter the MSS value of TCP SYN packets, to
       control the maximum size for that connection (usually limiting it to
       your outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6,
       respectively). Of course, it can only be used in conjunction with
       -p tcp. It is only valid in the mangle table.
       This target is used to overcome criminally braindead ISPs or servers
       which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big"
       packets. The symptoms of this problem are that everything works fine
       from your Linux firewall/router, but machines behind it can never
       exchange large packets:
        1) Web browsers connect, then hang with no data received.
        2) Small mail works fine, but large emails hang.
        3) ssh works fine, but scp hangs after initial handshaking.
       Workaround: activate this option and add a rule to your firewall
       configuration like:
        iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
                    -j TCPMSS --clamp-mss-to-pmtu

I hoped that Comcast would not have fit into this category, but the proof is
in the pudding. I don't remember anyone complaining about this so I thought
I'd put it here for posterity's sake, just in case someone else runs into
the same problem.

Robert LeBlanc
--------------------
BYU Unix Users Group 
http://uug.byu.edu/ 

The opinions expressed in this message are the responsibility of their
author.  They are not endorsed by BYU, the BYU CS Department or BYU-UUG. 
___________________________________________________________________
List Info (unsubscribe here): http://uug.byu.edu/mailman/listinfo/uug-list
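As an added example (not part of the original post, and not the kernel's xt_TCPMSS code), here is a small userspace model in Python of what the quoted TCPMSS rule does to a forwarded SYN: it matches SYN-with-RST-clear the way `--tcp-flags SYN,RST SYN` does, rewrites an MSS option larger than the outgoing MTU minus 40 (the IPv4 figure from the man page), and recomputes the TCP checksum so the packet stays valid. The packet bytes, addresses and the 1492-byte MTU are constructed for the demo; the real target also inserts an MSS option when the SYN carries none and uses the route's PMTU rather than a fixed number, which this model does not do.

```python
"""Userspace model of iptables -j TCPMSS --clamp-mss-to-pmtu on an IPv4 SYN.

Added example, not from the original post or the Linux kernel. Everything
below (addresses, ports, MTU) is constructed for the demonstration.
"""
import struct
from typing import Optional, Tuple

def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum used by both the IPv4 header and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return ones_complement_checksum(pseudo + tcp)

def build_syn(src: bytes, dst: bytes, sport: int, dport: int, mss: int) -> bytes:
    """Constructed IPv4/TCP SYN carrying a single MSS option (kind 2, len 4)."""
    options = struct.pack("!BBH", 2, 4, mss)
    data_offset = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      data_offset << 4, 0x02, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000, 64, 6, 0, src, dst)  # 0x4000 = DF set
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    return ip + tcp

def find_mss_option(tcp: bytes) -> Optional[int]:
    """Offset of the MSS option inside a TCP header, or None if absent."""
    doff = (tcp[12] >> 4) * 4
    i = 20
    while i + 1 < doff:
        kind = tcp[i]
        if kind == 0:          # end of option list
            return None
        if kind == 1:          # NOP padding
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2 or i + length > doff:   # malformed option list
            return None
        if kind == 2 and length == 4:
            return i
        i += length
    return None

def clamp_mss_to_pmtu(packet: bytes, out_mtu: int) -> Tuple[bytes, Optional[int]]:
    """Model of the mangle rule: returns (packet, new MSS) or (packet, None).

    Only SYN packets with RST clear are touched (--tcp-flags SYN,RST SYN),
    and only when the advertised MSS exceeds out_mtu - 40 (IPv4 + TCP headers).
    """
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:                     # not TCP: rule would not match
        return packet, None
    src, dst = packet[12:16], packet[16:20]
    tcp = bytearray(packet[ihl:])
    flags = tcp[13]
    if not (flags & 0x02) or (flags & 0x04):
        return packet, None
    off = find_mss_option(tcp)
    if off is None:                        # kernel would insert one; we do not
        return packet, None
    limit = out_mtu - 40
    mss = struct.unpack("!H", tcp[off + 2:off + 4])[0]
    if mss <= limit:
        return packet, None
    tcp[off + 2:off + 4] = struct.pack("!H", limit)
    tcp[16:18] = b"\x00\x00"               # zero before recomputing
    tcp[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(tcp)))
    return packet[:ihl] + bytes(tcp), limit

def read_mss(packet: bytes) -> Optional[int]:
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    off = find_mss_option(tcp)
    return None if off is None else struct.unpack("!H", tcp[off + 2:off + 4])[0]

def tcp_checksum_ok(packet: bytes) -> bool:
    """A segment whose checksum field is correct sums to zero."""
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0

if __name__ == "__main__":
    # Constructed: LAN host 10.0.0.2 opening port 80 on 192.0.2.10 via a
    # 1492-byte (PPPoE-sized) uplink while advertising the Ethernet MSS.
    syn = build_syn(b"\x0a\x00\x00\x02", b"\xc0\x00\x02\x0a", 40000, 80, 1460)
    clamped, new_mss = clamp_mss_to_pmtu(syn, 1492)
    print("MSS before:", read_mss(syn), "after:", read_mss(clamped),
          "checksum ok:", tcp_checksum_ok(clamped))
```

The check a practitioner wants on the real router is the same one the model makes explicit: capture a SYN on the inside interface and on the uplink and compare the MSS option in both; with the rule in place the outbound copy advertises at most MTU minus 40, and the reply from the far end will be sized accordingly even though its "Fragmentation Needed" messages never get through.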