Router on 6.0-stable fails to route tcp packets due to NAT??
glebius at FreeBSD.org
Mon Dec 26 16:29:40 PST 2005
On Mon, Dec 26, 2005 at 05:56:31PM +0200, Oleg Tarasov wrote:
O> Further analysis brought me to a conclusion that the problem is in MTU
O> values. Changing MTU on client machines made everything work fine -
O> but as I know this is not right. If packets are routed between
O> different MTU interfaces they have to be fragmented or something. If
O> fragmentation is impossible due to "dont fragment" bit set an icmp
O> packet "Need Fragmentation" should be sent to packet sender.
O> As I know web and ftp packets dont have "dont fragment" bit set so
O> packet fragmentation should apply normally what doesn't happen.
O> Reading my firewall configuration we can see that any icmp packets can
O> go freely through it so the reason of such malfunction is unknown to
O> me. Also there are rules that allow passing of fragmented packets
O> freely. Anyway the firewall configuration was copied from another
O> production system which also has different MTU's on interfaces.
O> Can anyone tell me what is the problem?
The problem is that you've got a PPPoE link between local net and internet.
(internet cloud, MTU 1500)-(your ISP)-[mtu 1492]-(your server)-[mtu 1500]-(your
So, when your Windows create a new outgoing connection they set TCP MSS
value to 1460, since they don't know about a 1492 MTU link on the way.
And this link limits TCP MSS to 1452.
There are numerous solutions to fix this:
1) ports/net/tcpmssd - a divert daemon, like natd. You need to divert
traffic thru it, and it will alter the TCP MSS value to set limit.
2) ng_tcpmss(4) - a netgraph node, implementing same code in kernel.
You usually need ng_ipfw(4) to divert traffic via ng_tcpmss(4)
3) Recently I have committed ng_tcpmss support into mpd, but this
code is not yet included into any new release. If you are brave,
you can checkout mpd from CVS and use it. It will configure ng_tcpmss
Totus tuus, Glebius.
More information about the freebsd-net