ipfw + natd => some sites won't work :-S
Frank de Bot
freebsd at searchy.nl
Mon May 9 16:04:45 PDT 2005
Emanuel Strobl wrote:
> On Tuesday, 10 May 2005 00:42, Frank de Bot wrote:
>
>>Hi,
>>
>>I got my FreeBSD set up to do nat, but it doesn't work 100%. Sites like
>>Google for instance does work, but many other don't. All other protocols
>
>
> I guess you're using an A-DSL line with PPPoE, right?
> If so, see tcp-mss fix. PPPoE consumes 8 bytes of your MTU so also the
> maximum segment size of TCP sessions is reduced by 8 bytes, which the
> machine behind the NAT box doesn't know. Your NAT box has to alter the mss
> field in the TCP header because many sites have wrongly configured firewalls
> which simply block all ICMP traffic, so the error from your router "must
> fragment" never reaches the originating host. So the sent packet is too
> big to go over your line and the "Must Fragment" bit is ignored... you'll
> never receive what you've requested.
>
> I'm not familiar with IPFW, perhaps NATD can take care of MSS, PF does with
> "max-mss".
>
I'm not using an ADSL with PPPoE. But the configuration used is kinda
non-standard. I'll try to explain with a little drawing:
= Laptop =    IP: 10.0.5.21 (/24)
     |
     |
= Server 1 =  IP: 10.0.5.2
     |        IP: 10.0.3.1
     |
     | (ipip tunnel)
     |
= Server 2 =  IP: 10.0.3.2
     |        IP: %external_ip%
     |
% internet %
Server 1 is a Linux box
Server 2 is the FreeBSD performing the NAT
Tracerouting occurs without any problem. From the laptop to the internet:
10.0.5.2 -> 10.0.3.2 -> %internet%
During testing I've also dumped the whole firewall except the points
written in the starting post. The behaviour stays exactly the same.
> -Harry
>
>
>>seems to be working properly. But why are sites failing to do anything?
>>I got natd running with the verbose option and a successful request of
>>google is identical to a random other site :S
>>The firewall I use is rather big. The most important piece is:
>>
>>01200 723 652298 divert 8668 ip from any to 82.94.238.70 via fxp0
>>01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any
>>01200 0 0 allow ip from any to 10.0.5.0/24
>>01201 524 85399 allow ip from 82.94.238.70 to any
>>01201 3 144 allow ip from any to 82.94.238.70
>>01500 871494 216106437 allow tcp from any to any established
>>
>>
>>/etc/natd.conf is:
>>
>>alias_address %external_ip%
>>verbose
>>
>>
>>It just puzzles me why only some http request would fail and everything
>>works fine!
>>Anyone got any idea?
>>
>>
>>Thanks in advance,
>>
>>Frank de Bot
>>_______________________________________________
>>freebsd-questions at freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>To unsubscribe, send any mail to
>>"freebsd-questions-unsubscribe at freebsd.org"
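The MSS clamping that Emanuel describes (rewrite the MSS option in TCP SYN segments on the NAT box so that peers never send segments larger than the path can carry, even when ICMP "fragmentation needed" is filtered) can be illustrated with a small, self-contained Python script. This is an added example and not code from the thread, from natd, or from PF; it assumes plain IPv4 with no IP options, constructs its own SYN packet as sample input, and applies the same 40-byte header subtraction (20 IPv4 + 20 TCP) that the MTU-to-MSS rule of thumb uses. The helper `mss_for_mtu` takes the encapsulation overhead as a parameter: 8 bytes for PPPoE as in Emanuel's reply, and, as a generalisation beyond the text, 20 bytes for the outer IPv4 header of an ipip tunnel like the one between Server 1 and Server 2 in the drawing.

```python
import socket
import struct

TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_MSS = 2

def mss_for_mtu(path_mtu: int, encap_overhead: int = 0) -> int:
    """Largest TCP payload that fits the path: MTU minus encapsulation
    overhead (8 for PPPoE, 20 for an ipip tunnel) minus 20-byte IPv4 and
    20-byte TCP headers."""
    return path_mtu - encap_overhead - 40

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum including the IPv4 pseudo-header (protocol 6)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment)

def _tcp_options(tcp: bytes):
    """Yield (offset, kind, length) for each option in a TCP header,
    stopping on EOL or on a malformed length rather than reading past it."""
    data_off = (tcp[12] >> 4) * 4
    i = 20
    while i < data_off:
        kind = tcp[i]
        if kind == TCP_OPT_EOL:
            return
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_off:
            return
        length = tcp[i + 1]
        if length < 2 or i + length > data_off:
            return
        yield i, kind, length
        i += length

def read_mss(packet: bytes):
    """Return the MSS option value of an IPv4/TCP packet, or None."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    for off, kind, length in _tcp_options(tcp):
        if kind == TCP_OPT_MSS and length == 4:
            return struct.unpack("!H", tcp[off + 2:off + 4])[0]
    return None

def verify_tcp_checksum(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0

def clamp_mss(packet: bytes, max_mss: int) -> bytes:
    """What a NAT box doing MSS clamping does: on SYN/SYN-ACK segments,
    lower the MSS option to max_mss if it is larger and fix the checksum.
    Other segments are returned untouched."""
    ihl = (packet[0] & 0x0F) * 4
    src_ip, dst_ip = packet[12:16], packet[16:20]
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & 0x02:          # SYN flag clear: no MSS option to clamp
        return packet
    changed = False
    for off, kind, length in _tcp_options(bytes(tcp)):
        if kind == TCP_OPT_MSS and length == 4:
            mss = struct.unpack("!H", tcp[off + 2:off + 4])[0]
            if mss > max_mss:
                tcp[off + 2:off + 4] = struct.pack("!H", max_mss)
                changed = True
    if changed:
        tcp[16:18] = b"\x00\x00"
        tcp[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(tcp)))
    return packet[:ihl] + bytes(tcp)

def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int,
              mss: int, flags: int = 0x02) -> bytes:
    """Constructed sample input: an IPv4/TCP SYN with MSS, NOP, NOP and
    SACK-permitted options (data offset 7), DF set, valid checksums."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    opts = struct.pack("!BBH", TCP_OPT_MSS, 4, mss) + b"\x01\x01\x04\x02"
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 7 << 4, flags, 65535, 0, 0)
    tcp = bytearray(hdr + opts)
    tcp[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0,
                               0x4000, 64, 6, 0, src, dst))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip) + bytes(tcp)

if __name__ == "__main__":
    # Laptop behind the NAT box advertises a full-Ethernet MSS of 1460;
    # a PPPoE uplink only carries 1452, so the NAT box clamps it.
    syn = build_syn("10.0.5.21", "82.94.238.70", 40000, 80, 1460)
    clamped = clamp_mss(syn, mss_for_mtu(1500, 8))
    print("before:", read_mss(syn), "after:", read_mss(clamped),
          "checksum ok:", verify_tcp_checksum(clamped))
```

The same reasoning applies to Frank's setup even without PPPoE: every layer of encapsulation on the path lowers the usable MSS, and if the remote site's firewall drops the ICMP "fragmentation needed" message, only clamping on the box that knows the real path MTU keeps large responses from disappearing.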