Dan B
2001-Jan-12 03:31 UTC
HTTP only works on second try from doubly NAT'ed windows box
If this is a FAQ, may I be shot on sight.

Problem:
-------
Every Windows box on my network has to hit refresh once before a web site will come up. It's as if on the first try it doesn't have any gateway at all, but the second try works. However, pings always work flawlessly, so I assume this is an Internet Explorer or TCP/HTTP traffic problem.

Here's my setup:
---------------
Internet
|
|
DSL Router (64.x.x.130 external, and 10.0.0.250 internal)
|
|
Linux Box (10.0.0.251 internal/mapped to external 64.x.x.131 by DSL router NAT)
|
|
Windows98 (10.0.0.122 internal - NAT'ed to 64.x.x.131 by Linux Box & DSL router before reaching Internet)

The Linux Box uses the router as its gateway (of course) and I have configured the DSL router to use NAT to translate 10.0.0.251 to 64.x.x.131. This works fine.

Similarly, I have configured the Windows98 box to use Linux as its gateway, and Linux uses NAT to translate 10.0.0.122 into 10.0.0.251 - which is then translated into 64.x.x.131 before it goes out to the Internet.

If I tell the Windows98 box to use 10.0.0.250 as its gateway, then everything works perfectly.

Any tips? And yes, there are reasons why I have it configured this way. (e.g., there are 3 Linux servers that each have an internal/external mapping done by the DSL router).

Dan Browning, Cyclone Computer Systems, danb@cyclonecomputers.com
bert hubert
2001-Jan-12 14:43 UTC
Re: HTTP only works on second try from doubly NAT'ed windows box
On Thu, Jan 11, 2001 at 07:31:57PM -0800, Dan B wrote:
> If this is a FAQ, may I be shot on sight.

Well :-)

> Here's my setup:
> ---------------
> Internet
> |
> |
> DSL Router (64.x.x.130 external, and 10.0.0.250 internal)
> |
> |
> Linux Box (10.0.0.251 internal/mapped to external 64.x.x.131 by DSL router NAT)
> |
> |
> Windows98 (10.0.0.122 internal - NAT'ed to 64.x.x.131 by Linux Box & DSL router before reaching Internet)

Are the DSL Router, the Linux Box and the Windows 98 machines all on a single subnet, or interface? In that case the Linux box may be sending out ICMP Redirects. Linux machines might react instantly to those redirects, Windows only on the second try?

Use the great tool tcpdump or ethereal to find out what is exactly being sent over the wire.

Regards,

bert hubert

--
PowerDNS Versatile DNS Services
Trilab The Technology People
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet
Dan B
2001-Feb-02 04:00 UTC
Re: HTTP only works on second try from doubly NAT'ed windows box
> > Here's my setup:
> > ---------------
> > Internet
> > |
> > |
> > DSL Router (64.x.x.130 external, and 10.0.0.250 internal)
> > |
> > |
> > Linux Box (10.0.0.251 internal/mapped to external 64.x.x.131 by DSL router NAT)
> > |
> > |
> > Windows98 (10.0.0.122 internal - NAT'ed to 64.x.x.131 by Linux Box & DSL router before reaching Internet)
>
> Are the DSL Router, the Linux Box and the Windows 98 machines all on a
> single subnet, or interface? In that case the Linux box may be sending out
> ICMP Redirects. Linux machines might react instantly to those redirects,
> Windows only on the second try?
>
> Use the great tool tcpdump or ethereal to find out what is exactly being
> sent over the wire.
>
> Regards,
>
> bert hubert

It's been a few weeks for me to think about my problem, and I think I finally figured out what you meant by what you said, Bert. I think my problem is the Linux box is trying to NAT between two interfaces even though they are on the same subnet. (duh! tcp/ip 101).

So I'm going to try changing the Linux box to 10.0.0.251/255.255.255.248, and the Windows98 box to 10.0.0.122/255.255.255.128, and see if the NAT will work correctly after that.

Thanks, again!

-Dan
Dan B
2001-Feb-10 04:52 UTC
Re: HTTP only works on second try from doubly NAT'ed windows box
At 08:00 PM 2/1/2001 -0800, Dan B wrote:
> > > Here's my setup:
> > > ---------------
> > > Internet
> > > |
> > > |
> > > DSL Router (64.x.x.130 external, and 10.0.0.250 internal)
> > > |
> > > |
> > > Linux Box (10.0.0.251 internal/mapped to external 64.x.x.131 by DSL router NAT)
> > > |
> > > |
> > > Windows98 (10.0.0.122 internal - NAT'ed to 64.x.x.131 by Linux Box & DSL router before reaching Internet)
> >
> > Are the DSL Router, the Linux Box and the Windows 98 machines all on a
> > single subnet, or interface? In that case the Linux box may be sending out
> > ICMP Redirects. Linux machines might react instantly to those redirects,
> > Windows only on the second try?
> >
> > Use the great tool tcpdump or ethereal to find out what is exactly being
> > sent over the wire.
> >
> > Regards,
> >
> > bert hubert
>
> It's been a few weeks for me to think about my problem, and I think I
> finally figured out what you meant by what you said, Bert. I think my
> problem is the Linux box is trying to NAT between two interfaces even
> though they are on the same subnet. (duh! tcp/ip 101).
>
> So I'm going to try changing the Linux box to 10.0.0.251/255.255.255.248,
> and the Windows98 box to 10.0.0.122/255.255.255.128, and see if the NAT
> will work correctly after that.

That fixed it. :-) (I gotta remember that you can't NAT / route between two computers on the same subnet very well).

Dan Browning, Cyclone Computer Systems, danb@cyclonecomputers.com
bert hubert
2001-Feb-10 13:52 UTC
Re: HTTP only works on second try from doubly NAT'ed windows box
On Fri, Feb 09, 2001 at 08:52:56PM -0800, Dan B wrote:
> > So I'm going to try changing the Linux box to 10.0.0.251/255.255.255.248,
> > and the Windows98 box to 10.0.0.122/255.255.255.128, and see if the NAT
> > will work correctly after that.
>
> That fixed it. :-) (I gotta remember that you can't NAT / route between two
> computers on the same subnet very well).

You can, I think, but you need to be very sure that your NAT machine isn't sending out any ICMP Redirects.

Regards,

bert

--
http://www.PowerDNS.com Versatile DNS Services
Trilab The Technology People
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet
Rogerio Brito
2001-Feb-11 04:36 UTC
Preventing ICMP Redirects? (was: Re: HTTP only works on second try from doubly NAT'ed windows box)
On Feb 10 2001, bert hubert wrote:
> You can, I think, but you need to be very sure that your NAT machine
> isn't sending out any ICMP Redirects.

I've been bitten by these ICMP Redirects once. Is there any way to prevent them from being sent out? Perhaps doing some packet filtering of the ICMP Redirects? Even if this works, this sure sounds like a dirty solution... :-(

On that occasion, I was trying to set up a masquerading box with only one NIC and two IP addresses (the Internet-valid one and the private one), hooking everything in a single hub and routing accordingly.

I don't remember the details (since this was many months ago), but the only solution that I could make work was to buy another NIC for the masquerading box and put one IP in each NIC, doing everything as usual. :-(

As I don't remember more details of the situation, I'm just hoping that this description rings a bell for someone. Any explanation of how to make this setup with just one NIC or comments on why this shouldn't be done are immensely appreciated.

Thanks in advance, Roger...

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rogerio Brito - rbrito@iname.com - http://www.ime.usp.br/~rbrito/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
On Sun, Feb 11, 2001 at 02:36:43AM -0200, Rogerio Brito wrote:
> I've been bitten by these ICMP Redirects once. Is there any
> way to prevent them from being sent out? Perhaps doing some

Hmmm. I never tried this before, but how about setting these kernel variables to 0? (depending on what you want):

/proc/sys/net/ipv4/conf/<if>/accept_redirects
/proc/sys/net/ipv4/conf/<if>/send_redirects

Note that I'm using kernel 2.4. I'm not sure they are available in 2.2, though.

Suthep

> packet filtering of the ICMP Redirects? Even if this works,
> this sure sounds like a dirty solution... :-(
>
> In that occasion, I was trying to set up a masquerading box
> with only one NIC and two IP addresses (the Internet-valid one
> and the private one), hooking everything in a single hub and
> routing accordingly.
>
> I don't remember the details (since this was many months ago),
> but the only solution that I could make work was to buy
> another NIC for the masquerading box and put one IP in each
> NIC, doing everything as usual. :-(
>
> As I don't remember more details of the situation, I'm just
> hoping that this description rings a bell for someone. Any
> explanation of how to make this setup with just one NIC or
> comments on why this shouldn't be done are immensely
> appreciated.
>
> Thanks in advance, Roger...
>
> --
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Rogerio Brito - rbrito@iname.com - http://www.ime.usp.br/~rbrito/
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/
On Feb 13 2001, Suthep Vichiendilokkul wrote:
> On Sun, Feb 11, 2001 at 02:36:43AM -0200, Rogerio Brito wrote:
> > I've been bitten by these ICMP Redirects once. Is there any
> > way to prevent them from being sent out? Perhaps doing some

First of all, I'd like to thank everybody who replied. A sincere thanks.

> Hmmm. I never tried this before, but how about setting these kernel
> variables to 0? (depending on what you want):
>
> /proc/sys/net/ipv4/conf/<if>/accept_redirects
> /proc/sys/net/ipv4/conf/<if>/send_redirects

Yes, I'm using Linux 2.2.18 and they are available here.

Thanks again, Roger...

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rogerio Brito - rbrito@iname.com - http://www.ime.usp.br/~rbrito/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
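
[Added example, not part of any message in this thread.] A shell helper for the send_redirects variable discussed above. The kernel's ip-sysctl documentation states that sending is enabled for an interface if either conf/all or conf/<if> is TRUE, so writing 0 to the interface alone is not enough. CONF_ROOT and the function names are assumptions of this example.

```shell
#!/bin/sh
# CONF_ROOT is an assumed override so the functions can be pointed at a
# constructed directory tree instead of the live /proc tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Print 1 if the interface may still send ICMP Redirects, else 0.
# Effective value = conf/all/send_redirects OR conf/<if>/send_redirects.
effective_send_redirects() {
    all=$(cat "$CONF_ROOT/all/send_redirects")
    ifv=$(cat "$CONF_ROOT/$1/send_redirects")
    if [ "$all" = "1" ] || [ "$ifv" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# List every real interface whose effective setting is still 1.
# "all" and "default" are pseudo-entries, not interfaces, so skip them.
interfaces_sending_redirects() {
    for d in "$CONF_ROOT"/*/; do
        name=$(basename "$d")
        case "$name" in
            all|default) continue ;;
        esac
        if [ "$(effective_send_redirects "$name")" = "1" ]; then
            echo "$name"
        fi
    done
    return 0
}

# Silence redirects on one interface: both writes are required because of
# the OR above. Needs root when CONF_ROOT is the real /proc tree.
disable_send_redirects() {
    echo 0 > "$CONF_ROOT/all/send_redirects"
    echo 0 > "$CONF_ROOT/$1/send_redirects"
}
```

Source the file and run interfaces_sending_redirects on the NAT box; an empty result means no interface can emit redirects. Values written this way do not survive a reboot unless they are also set in the system's sysctl configuration.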
Dan B
2001-Feb-15 04:44 UTC
Re: Preventing ICMP Redirects? (was: Re: HTTP only works on second try from doubly NAT'ed windows box)
At 02:36 AM 2/11/2001 -0200, Rogerio Brito wrote:
> On Feb 10 2001, bert hubert wrote:
> > You can, I think, but you need to be very sure that your NAT machine
> > isn't sending out any ICMP Redirects.
>
> I've been bitten by these ICMP Redirects once. Is there any
> way to prevent them from being sent out? Perhaps doing some
> packet filtering of the ICMP Redirects? Even if this works,
> this sure sounds like a dirty solution... :-(
>
> In that occasion, I was trying to set up a masquerading box
> with only one NIC and two IP addresses (the Internet-valid one
> and the private one), hooking everything in a single hub and
> routing accordingly.
>
> I don't remember the details (since this was many months ago),
> but the only solution that I could make work was to buy
> another NIC for the masquerading box and put one IP in each
> NIC, doing everything as usual. :-(
>
> As I don't remember more details of the situation, I'm just
> hoping that this description rings a bell for someone. Any
> explanation of how to make this setup with just one NIC or
> comments on why this shouldn't be done are immensely
> appreciated.

Even when you correctly aliased your single NIC to act like two interfaces?

eth0:0 routable ip / external (separate) subnet
eth1:1 local ip / local subnet

I've done what you described using aliasing a couple of times and I never got bit by ICMP redirects (like I did this last time). Now I kind of wish I would have fixed the ICMP redirect problem instead of just changing subnets. :-)

Dan Browning, Cyclone Computer Systems, danb@cyclonecomputers.com