ipfw + natd => some sites won't work :-S

Emanuel Strobl Emanuel.strobl at gmx.net
Mon May 9 16:11:32 PDT 2005


On Tuesday, 10 May 2005 01:04, Frank de Bot wrote:
> Emanuel Strobl wrote:
> > On Tuesday, 10 May 2005 00:42, Frank de Bot wrote:
> >>Hi,
> >>
> >>I got my FreeBSD set up to do NAT, but it doesn't work 100%. Sites
> >> like Google, for instance, do work, but many others don't. All other
> >> protocols
> >
> > I guess you're using an ADSL line with PPPoE, right?
> > If so, see the TCP MSS fix. PPPoE consumes 8 bytes of your MTU, so the
> > maximum segment size of TCP sessions is also reduced by 8 bytes, which
> > the machine behind the NAT box doesn't know about. Your NAT box has to
> > alter the MSS field in the TCP header because many sites have wrongly
> > configured firewalls which simply block all ICMP traffic, so the "must
> > fragment" error from your router never reaches the originating host. So
> > the sent packet is too big to go over your line and the "Must
> > Fragment" bit is ignored... you'll never receive what you've
> > requested.
> >
> > I'm not familiar with IPFW; perhaps NATD can take care of MSS, PF does
> > with "max-mss".
>
> I'm not using an ADSL with PPPoE. But the configuration used is kinda
> non-standard. I'll try to explain with a little drawing:
>
>
> = Laptop = IP: 10.0.5.21   (/24)
>
>
> = Server 1 = IP: 10.0.5.2
>
>      |        IP: 10.0.3.1
>      |
>      |  (ipip tunnel)
>
> = Server 2 = IP: 10.0.3.2
>
>      |        IP %external_ip%
>
> % internet %
>
> Server 1 is a Linux box
> Server 2 is the FreeBSD performing the NAT
>
> Tracerouting occurs without any problem. From the laptop to the internet:
> 10.0.5.2 -> 10.0.3.2 -> %internet%

The problem is the same: IP-IP tunneling reduces TCP's MSS, which the Linux 
box doesn't fix. ICMP will work of course, TCP with full payload won't.
I don't know how/why you tunnel IP into IP on that Linux box, but that's 
the point where you have to dig.

Good luck,

-Harry
>
>
> During testing I've also dumped the whole firewall except the points
> written in the starting post. The behaviour stays exactly the same.
>
> > -Harry
> >
> >>seems to be working properly. But why are sites failing to do
> >> anything? I have natd running with the verbose option, and a successful
> >> request to Google is identical to a random other site :S
> >>The firewall I use is rather big; the most important piece is:
> >>
> >>01200     723    652298 divert 8668 ip from any to 82.94.238.70 via fxp0
> >>01200     521     85279 divert 8668 ip from 10.0.5.0/24 to any
> >>01200       0         0 allow ip from any to 10.0.5.0/24
> >>01201     524     85399 allow ip from 82.94.238.70 to any
> >>01201       3       144 allow ip from any to 82.94.238.70
> >>01500  871494 216106437 allow tcp from any to any established
> >>
> >>
> >>/etc/natd.conf is:
> >>
> >>alias_address %external_ip%
> >>verbose
> >>
> >>
> >>It just puzzles me why only some HTTP requests would fail while
> >> everything else works fine!
> >>Anyone got any idea?
> >>
> >>
> >>Thanks in advance,
> >>
> >>Frank de Bot
> >>_______________________________________________
> >>freebsd-questions at freebsd.org mailing list
> >>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> >>To unsubscribe, send any mail to
> >>"freebsd-questions-unsubscribe at freebsd.org"
> >