ipfw + natd => some sites won't work :-S

Frank de Bot freebsd at searchy.nl
Mon May 9 16:04:45 PDT 2005


Emanuel Strobl wrote:
> Am Dienstag, 10. Mai 2005 00:42 schrieb Frank de Bot:
> 
>>Hi,
>>
>>I got my FreeBSD set up to do nat, but it doesn't work 100%. Sites like
>>Google, for instance, do work, but many others don't. All other protocols
> 
> 
> I guess you're using an A-DSL line with PPPoE, right?
> If so, see tcp-mss fix. PPPoE consumes 8 bytes of your MTU, so the 
> maximum segment size of TCP sessions is also reduced by 8 bytes, which the 
> machine behind the NAT box doesn't know about. Your NAT box has to alter the mss 
> field in the TCP header because many sites have wrongly configured firewalls 
> which simply block all ICMP traffic, so the error from your router "must 
> fragment" never reaches the originating host. So the sent packet is too 
> big to go over your line and the "Must Fragment" bit is ignored... you'll 
> never receive what you've requested.
> 
> I'm not familiar with IPFW, perhaps NATD can take care of MSS, PF does with 
> "max-mss".
> 


I'm not using an ADSL with PPPoE. But the configuration used is kinda 
non-standard. I'll try to explain with a little drawing:


= Laptop = IP: 10.0.5.21   (/24)
     |
     |
= Server 1 = IP: 10.0.5.2
     |        IP: 10.0.3.1
     |
     |  (ipip tunnel)
     |
= Server 2 = IP: 10.0.3.2
     |        IP %external_ip%
     |
% internet %

Server 1 is a Linux box
Server 2 is the FreeBSD performing the NAT

Tracerouting occurs without any problem. From the laptop to the internet:
10.0.5.2 -> 10.0.3.2 -> %internet%


During testing I've also dumped the whole firewall except the points 
written in the starting post. The behaviour stays exactly the same.


> -Harry
> 
> 
>>seems to be working properly. But why are sites failing to do anything?
>>I got natd running with the verbose option, and a successful request of
>>google is identical to a random other site :S
>>The firewall I use is rather big. The most important piece is:
>>
>>01200     723    652298 divert 8668 ip from any to 82.94.238.70 via fxp0
>>01200     521     85279 divert 8668 ip from 10.0.5.0/24 to any
>>01200       0         0 allow ip from any to 10.0.5.0/24
>>01201     524     85399 allow ip from 82.94.238.70 to any
>>01201       3       144 allow ip from any to 82.94.238.70
>>01500  871494 216106437 allow tcp from any to any established
>>
>>
>>/etc/natd.conf is:
>>
>>alias_address %external_ip%
>>verbose
>>
>>
>>It just puzzles me why only some http requests would fail while everything
>>else works fine!
>>Anyone got any idea?
>>
>>
>>Thanks in advance,
>>
>>Frank de Bot
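The MSS arithmetic from the reply above (link MTU minus encapsulation overhead minus IP and TCP headers), run as a check over tcpdump-style SYN lines, as an added example that is not from the thread. The sample dump, the 1500-byte link MTU and the per-encapsulation overhead table are constructed assumptions; PPPoE's 8 bytes is the figure given in the reply, IPIP's 20 bytes is one extra IPv4 header.

```python
"""Flag TCP SYNs whose advertised MSS exceeds what a tunnelled path can carry."""
import re

# Encapsulation overhead in bytes (assumed values; PPPoE 8 as stated in the
# thread, IPIP 20 for the outer IPv4 header, GRE 24 for IPv4 + 4-byte GRE header).
OVERHEAD = {"pppoe": 8, "ipip": 20, "gre": 24}
IPV4_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


def path_mtu(link_mtu, encapsulations):
    """MTU left for the inner packet after each encapsulation layer."""
    return link_mtu - sum(OVERHEAD[e] for e in encapsulations)


def max_mss(link_mtu, encapsulations):
    """Largest TCP MSS that fits the inner path without fragmentation."""
    return path_mtu(link_mtu, encapsulations) - IPV4_TCP_HEADERS


# Constructed tcpdump-style lines; 10.0.5.21 is the laptop from the drawing,
# the 203.0.113.x hosts are documentation addresses standing in for web sites.
SAMPLE = """\
12:00:01.000 IP 10.0.5.21.51000 > 203.0.113.10.80: Flags [S], seq 1, win 65535, options [mss 1460,sackOK], length 0
12:00:01.100 IP 10.0.5.21.51001 > 203.0.113.11.80: Flags [S], seq 2, win 65535, options [mss 1440,sackOK], length 0
12:00:01.200 IP 203.0.113.12.80 > 10.0.5.21.51002: Flags [S.], seq 3, ack 1, win 65535, options [mss 1460], length 0
"""

# Matches SYN and SYN/ACK lines and captures source, destination and the mss option.
SYN_RE = re.compile(r"IP (\S+) > (\S+): Flags \[S\.?\].*?\bmss (\d+)")


def oversized_syns(dump, link_mtu, encapsulations):
    """Return (src, dst, advertised_mss, clamp_to) for every SYN over the path budget."""
    limit = max_mss(link_mtu, encapsulations)
    hits = []
    for line in dump.splitlines():
        m = SYN_RE.search(line)
        if m and int(m.group(3)) > limit:
            hits.append((m.group(1), m.group(2), int(m.group(3)), limit))
    return hits


if __name__ == "__main__":
    # The topology in the drawing: a plain Ethernet link carrying an ipip tunnel.
    for src, dst, mss, clamp in oversized_syns(SAMPLE, 1500, ["ipip"]):
        print("MSS %d (%s -> %s) exceeds tunnel budget, clamp to %d" % (mss, src, dst, clamp))
```

Any SYN the script reports is one the NAT box would have to clamp (or the ICMP "must fragment" would have to get through) for large responses from that peer to arrive intact.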


