Hi,

I have a very simple 2-box network, both running Linux 2.4.7, and connected to the Internet using DSL (pppd 2.4.1 + pppoe). The first box acts as a gateway + NAT for the second box, and the boxes are connected via a crossover ethernet cable.

Now I *can* connect to the Internet from the second box. However, there are some sites that I can only access from the gateway and I'm running out of ideas on how to solve this.

Sites that work for BOTH boxes include:
http://news.bbc.co.uk
http://freshmeat.net
http://lwn.net

Sites that work for ONLY the gateway box include:
http://linuxtoday.com
http://setiathome.ssl.berkeley.edu

Also, I can receive Real streams from news.bbc.co.uk on either machine, but can only receive Real streams from http://lordoftherings.net on the gateway!

Can anyone suggest anything, please? I have ensured that the second machine has ip_forward=0 and */rp_filter=0, but I can't think of anything else that might cause it to drop/lose packets. Its routing table is trivial (from memory):

$ route add 192.168.0.0 netmask 255.255.255.0 192.168.0.1
$ route add default gw 192.168.0.1

where 192.168.0.1 is the gateway, of course, and this machine has address 192.168.0.2.

Any help here would be greatly appreciated,

Cheers,
Chris

__________________________________________________
Terrorist Attacks on U.S. - How can you help?
Donate cash, emergency relief information
http://dailynews.yahoo.com/fc/US/Emergency_Information/
Stef Coene
2001-Sep-21 06:17 UTC
Re: Firewall+NAT: only succeeds for SOME external sites??
On Friday 21 September 2001 00:24, Chris Rankin wrote:
> Hi,
>
> I have a very simple 2-box network, both running Linux 2.4.7, and connected to the Internet using DSL (pppd 2.4.1 + pppoe). The first box acts as a gateway + NAT for the second box, and the boxes are connected via a crossover ethernet cable.
>
> Now I *can* connect to the Internet from the second box. However, there are some sites that I can only access from the gateway and I'm running out of ideas on how to solve this.

Maybe you enabled ecn in the kernel. Somewhere in the /proc tree there is a file with ecn in it. When you find it, you have enabled ecn. You can disable it by doing 'echo 1 > /proc/<file that you find>'

Stef

--
stef.coene@docum.org
stef.coene@belgacom.net
More QOS info : http://docum.org/
Title : "Using Linux as bandwidth manager"
Chris Rankin
2001-Sep-21 07:19 UTC
Re: Firewall+NAT: only succeeds for SOME external sites??
Hi,

Yes, the problem turned out to be the MTU on the link between the boxes. My new routing table on the second machine looks like this, and is a complete success:

# ip route list
192.168.0.0/24 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.0.1 dev eth0 advmss 1452

Cheers,
Chris

--- Henry Yen <lartc-mail@AegisInfoSys.com> wrote:
> On Thu, Sep 20, 2001 at 03:24:19AM -0700, Chris Rankin wrote:
> > I have a very simple 2-box network, both running Linux 2.4.7, and connected to the Internet using DSL (pppd 2.4.1 + pppoe). The first box acts as a gateway + NAT for the second box, and the boxes are connected via a crossover ethernet cable.
> >
> > Now I *can* connect to the Internet from the second box. However, there are some sites that I can only access from the gateway and I'm running out of ideas on how to solve this.
> >
> > Sites that work for BOTH boxes include:
> > http://news.bbc.co.uk
> > http://freshmeat.net
> > http://lwn.net
> >
> > Sites that work for ONLY the gateway box include:
> > http://linuxtoday.com
> > http://setiathome.ssl.berkeley.edu
>
> a more efficient setup for web surfing might be to run squid proxy on the gateway box, and point to it as proxy from the second box.
>
> > Also, I can receive Real streams from news.bbc.co.uk on either machine, but can only receive Real streams from http://lordoftherings.net on the gateway!
> >
> > Can anyone suggest anything, please? I have ensured that the second machine has ip_forward=0 and */rp_filter=0, but I can't think of anything else that might cause it to drop/lose packets. Its routing table is trivial (from memory):
> >
> > $ route add 192.168.0.0 netmask 255.255.255.0 192.168.0.1
> > $ route add default gw 192.168.0.1
> >
> > where 192.168.0.1 is the gateway, of course, and this machine has address 192.168.0.2.
>
> MTU path discovery problem? ECN issue (are both boxes running the exact same distro/kernel level)?
>
> for the former, try "mtu path discovery broken pppoe".
> for the latter, try "ecn linux break".
> both on groups.google.com.
>
> also, try out tcpdump (with options) to spy on what's going on between the machines.
> --
> Henry Yen <henry@AegisInfoSys.com>
> Aegis Information Systems, Inc.
> Senior Systems Programmer
> Hicksville, New York
sebastien Robart
2001-Sep-21 09:43 UTC
Re: Firewall+NAT: only succeeds for SOME external sites??
I use pppoe and nat too. I have problems with 2 sites (63.238.77.237 and 195.101.41.250) only when I change the mru option (rp-pppoe), not the mtu. And the problems are only for the box behind the gateway; directly from the gateway I have no problem.
Seems a masq + mru bug. (Don't ask me what mru is, I haven't found anything on it.)
Maybe you changed mru with rp-pppoe too.

seb

Chris Rankin wrote:
> Hi,
> Yes, the problem turned out to be the MTU on the link between the boxes. My new routing table on the second machine looks like this, and is a complete success:
>
> # ip route list
> 192.168.0.0/24 dev eth0 scope link
> 127.0.0.0/8 dev lo scope link
> default via 192.168.0.1 dev eth0 advmss 1452
>
> Cheers,
> Chris
>
> --- Henry Yen <lartc-mail@AegisInfoSys.com> wrote:
>
> > On Thu, Sep 20, 2001 at 03:24:19AM -0700, Chris Rankin wrote:
> >
> > > I have a very simple 2-box network, both running Linux 2.4.7, and connected to the Internet using DSL (pppd 2.4.1 + pppoe). The first box acts as a gateway + NAT for the second box, and the boxes are connected via a crossover ethernet cable.
> > >
> > > Now I *can* connect to the Internet from the second box. However, there are some sites that I can only access from the gateway and I'm running out of ideas on how to solve this.
> > >
bert hubert
2001-Sep-21 09:51 UTC
Re: Firewall+NAT: only succeeds for SOME external sites??
On Fri, Sep 21, 2001 at 11:43:10AM +0200, sebastien Robart wrote:
> i use pppoe and nat too. I have problems with 2 sites (63.238.77.237 and 195.101.41.250) only when i change the mru option (rp-pppoe), not the mtu. And problem are only for box behind the gateway, directly from the gateway i have no problem.
> seem a masq + mru bug. (don't ask me what is mru, i didn't have found something on it)

When using pppoe with masquerading, or any networking at all, use MSS Clamping, either in the pppoe-daemon or in iptables itself. This solves a lot of problems with path MTU discovery.

Regards,

bert

--
http://www.PowerDNS.com      Versatile DNS Software & Services
Trilab                       The Technology People
Netherlabs BV / Rent-a-Nerd.nl           - Nerd Available -
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet
sebastien Robart
2001-Sep-23 22:35 UTC
Re: Firewall+NAT: only succeeds for SOME external sites??
With rp-pppoe, mss clamping doesn't seem to work. I have the same problem with the 2 sites.
With iptables, I have added the tcpmss target and added a rule as indicated in the kernel doc, "iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu", and it works perfectly now. I can change mtu and mru (still don't know what mru is) without problem.

thx
seb

bert hubert wrote:
> On Fri, Sep 21, 2001 at 11:43:10AM +0200, sebastien Robart wrote:
>
> > i use pppoe and nat too. I have problems with 2 sites (63.238.77.237 and 195.101.41.250) only when i change the mru option (rp-pppoe), not the mtu. And problem are only for box behind the gateway, directly from the gateway i have no problem.
> > seem a masq + mru bug. (don't ask me what is mru, i didn't have found something on it)
> >
>
> When using pppoe with masquerading, or any networking at all, use MSS Clamping, either in the pppoe-daemon or in iptables itself. This solves a lot of problems with path MTU discovery.
>
> Regards,
>
> bert
>
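As an added illustration (not code from this thread or from any of its posters), here is the arithmetic behind Chris's advmss 1452 and what a TCPMSS --clamp-mss-to-pmtu rule does to a forwarded SYN: a PPPoE link carries 1500 - 8 = 1492 bytes of IP, so the MSS must be at most 1492 - 40 = 1452, and the gateway rewrites any larger MSS option in SYNs it forwards. The SYN option bytes and the header sizes (IPv4 and TCP without options, as in the thread's setup) are constructed assumptions.

```python
import struct

IPV4_HDR = 20        # IPv4 header without options
TCP_HDR = 20         # TCP header without options
PPPOE_OVERHEAD = 8   # 6-byte PPPoE header + 2-byte PPP protocol field


def pmtu_to_mss(path_mtu: int) -> int:
    """Largest MSS a SYN may advertise so a full segment fits the path MTU."""
    return path_mtu - IPV4_HDR - TCP_HDR


def clamp_mss_in_tcp_options(options: bytes, mss_limit: int) -> bytes:
    """Walk the TCP option TLVs of a SYN and lower an MSS above mss_limit.

    This is what --clamp-mss-to-pmtu does on the gateway: the hosts behind
    the NAT keep their Ethernet MSS (1460) but the link out is only 1492,
    so forwarded SYNs are rewritten. Other options pass through untouched.
    A real packet would also need its TCP checksum recomputed afterwards.
    """
    out = bytearray()
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of option list
            out += options[i:]
            break
        if kind == 1:                      # NOP, single byte, no length
            out.append(1)
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        body = options[i:i + length]
        if kind == 2 and length == 4:      # MSS option: kind, len, 2-byte MSS
            mss = struct.unpack("!H", body[2:4])[0]
            if mss > mss_limit:
                body = body[:2] + struct.pack("!H", mss_limit)
        out += body
        i += length
    return bytes(out)


# Constructed sample: SYN options from an Ethernet host (MSS 1460 = 0x05B4),
# followed by SACK-permitted (kind 4, len 2) and two NOPs.
SAMPLE_SYN_OPTIONS = bytes([2, 4, 0x05, 0xB4, 4, 2, 1, 1])


def demo():
    mss = pmtu_to_mss(1500 - PPPOE_OVERHEAD)          # 1452, as in the thread
    return mss, clamp_mss_in_tcp_options(SAMPLE_SYN_OPTIONS, mss)
```

The same arithmetic explains why only some sites broke: servers that happily send 1500-byte packets with DF set, and whose path drops the ICMP "fragmentation needed" reply, stall behind the NAT until the MSS is lowered.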