search for: clampmss

Displaying 20 results from an estimated 62 matches for "clampmss".

2010 Dec 14
3
PMTUDiscovery and ClampMSS with mixed tincd versions
> Currently, I have nodes with PMTUDiscovery =yes and ClampMSS = yes. Hello, these features were introduced in 1.0.13, correct? I also understand that the two settings are by default "yes" if not explicitly set to "no" in the config file. What may happen if I have a network with mixed versions from 1.0.11 and 1.0.13, where the older dae...
2004 Nov 11
5
URGENT!! some large websites can't be surfed
Clients: Some sites just show the top area not the full page. Some sites can't be reached at all. I think it 90% may be the MTU/MSS problem. But I already have set the shorewall.conf CLAMPMSS=1400 or CLAMPMSS=Yes, but it doesn't make things good. I would be mad. Anybody helps me would so appreciated! If you want know more info. to diag my problem, I would be please to. Internet<---ADSL(PPPoE)---->Gateway(Gentoo Kernel 2.4)<----100M Switch------>LAN gateway root # cat /et...
2004 Oct 28
7
akamai problem behind linux router
Hello, This is not really a shorewall problem. But just wanted to check if this problem rang a bell with any of you. I have a linux router with slackware 9.1, and kernel 2.4.27. Everything works ok except for access to web sites that use akamai from behind the router. From the router machine itself I can access those sites without problems. But machines behind nat, take forever to access
2011 Jul 17
1
ipmasq to shorewall
...shorewall. My setup is pretty simple: [DSL Modem] -eth0- [shorwall/gateway] -eth1- [local network] ipmasq required that I set the MTU on eth0 to 1492. Migrating to shorewall went well, but a small number of web sites would load slow or not at all. Setting the MTU on eth0 to 1492 and setting CLAMPMSS=Yes made things better but I still have problems. Also tried CLAMPMSS=1452 and 1412. Can someone please help? Thank-you, ---Dan
2010 Dec 13
3
PMTUDiscovery vs ClampMSS
Currently, I have nodes with PMTUDiscovery =yes and ClampMSS = yes. When the server does not receive a PMTU request back from one of the clients even when the packet size is very small (say 164), then it reverts to TCP. Should I turn off PMTUDiscovery or should it be ok to leave on? It takes a very long time to do simple pings (1 second or so), so I wonder w...
2018 Apr 30
1
Slow Speed
...ter, debian, 100mBit port) tinc.conf: Name = TincKnoten12 AddressFamily = ipv4 Interface = tun ProcessPriority=high mode = router #DirectOnly = no Compression=0 PMTUDiscovery = yes #IndirectData = yes #ReplayWindow = 64 #ConnectTo = TincKnoten1 GraphDumpFile = /tmp/tinc-graph LocalDiscovery = yes ClampMSS = yes PMTU = 1400 #DirectOnly=yes #IndirectData=yes Cipher=AES-128-CBC #TCPOnly=yes mac:10.0.0.20 (1gig directly to our backbone via mpls from out office-vlan) Name=TincKnoten20 AddressFamily = ipv4 Device = /dev/tap0 ConnectTo = TincKnoten12 ProcessPriority=high mode = router #DirectOnly = no C...
2019 Jan 10
2
Can Ping But No Web Interface
...at curl and realized the problem is probably not MTU related. I appreciate any thoughts and help. Here are my current configs: Server A Conf: Name = serverA Device = /dev/net/tun Address Family = ipv4 Server A host: Address = xx.xx.xx.xx Subnet = 192.168.0.10 Subnet = 10.75.70.0/24 PMTU = 1436 ClampMSS = yes PMTUDiscovery = yes Server A TincUp: ip link set $INTERFACE up ip addr add 192.168.0.10 dev $INTERFACE ip route add 192.168.0.0/24 dev $INTERFACE ip route add 192.168.1.0/24 dev $INTERFACE Server B Conf: Name = khwisnmp Device = /dev/net/tun Address Family = ipv4 ConnectTo = librenms S...
2020 Jun 23
2
Voice broken during calls (again...)
On 23.06.2020 09:28, Marek Greško wrote: Hi > if you need clampmss then it is highly probable there is a PMTU > discovery problem. The clampmss does not work for UDP. Is there a way to check if I have this problem? > I probably counted the size incorrectly. So you are able to ping with > size 1464 and not with 1466. How about trying same ping sizes from...
2004 Feb 17
1
Setting MSS
Hi I have a (bizarre) problem with ssh, which someone has suggested may be down to the MSS value being too high. I know that within Shorewall I can clamp the MSS value to the MTU-40 value, but is there a way I can set MSS to a discrete value? I just want to (dis)prove the MSS theory at the moment (I know it isn't a real fix). Thanks, Keith
2003 Jan 24
6
icmp: w.x.y.z unreachable need to defrag (mtu 296)
...ut the firewall sends an icmp unreachable need to defrag packet back to the sender, in that case the web site that I was trying to look at. I verified by running a tcpdump outside of fw0 that this icmp message was indeed leaving the firewall and not being dropped there. Now my question. I have set CLAMPMSS to yes thinking that this should solve the problem, but it didn't. I also setup a transparent squid cache on fw0 and it seems to be a lot better (at least faster) but I can still see some icmp unreachable need to defrag packets. Any idea what else I could try? Thanks in advance Pascal -...
2020 Jun 23
4
Voice broken during calls (again...)
On 23.06.2020 08:43, Luca Bertoncello wrote: And another thing, I discovered right now... > Could you suggest me something to restrict the problem? > Currently, I think the problem can be: > > 1) on Asterisk > 2) on my Gateway/Firewall A couple of years ago I added this entry in my firewall: /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS
2019 Jan 12
0
Can Ping But No Web Interface
Try removing all MTU related settings from both sides. Allow tinc to learn on its own. " PMTU = 1436 ClampMSS = yes PMTUDiscovery = yes" in the config, " Address Family = ipv4" is likely not necessary, I would recommend removing it. " Device = /dev/net/tun" should not be used, unless tinc is having issues locating the tun device. However " DeviceType = tun" should be ad...
2004 Sep 22
2
Trouble with mails and connections through ADSL
...packets: # 1) Web browsers connect, then hang with no data received. # 2) Small mail works fine, but large emails hang. # 3) ssh works fine, but scp hangs after initial handshaking. # ] # # If left blank, or set to "No" or "no", the option is not enabled. # CLAMPMSS=Yes As you can see, I've activated the option, but to no result whatsoever. I've checked my kernel config, and it states that CONFIG_IP_NF_TARGET_TCPMSS is a loadable module, that should be loaded on demand. my kernel info (uname -a) on RH 7.3 Linux Hades 2.4.20-30.7.legacy #1 F...
2013 Jun 28
2
tinc for Satellite connections (benchmarking)
...n't like to see my end2end connections modified during the path so I decided to set up a tinc network to transfer all the Internet data until one of my servers placed in somewhere of Internet. I'm using the following values for the layer3 tinc network: Compression=11 PMTU=1480 Cipher=none ClampMSS=no ReplayWindow=32 The DNS are not routed using the tinc overlay, here you can check my "tinc-up" script [1]. To test the difference between using tinc and using the raw connection I have made a little script [2] which uses "httping" to calculate the time needed to get a web s...
2004 Sep 01
11
IPSEC VPN clients on local network
I have problems connecting IPSEC VPN clients on the masqueraded network to outside VPN servers. It looks like this: ipsec-user | 192.168.1.10 (DHCP assigned) | | 192.168.1.1 fw-1 (shorewall, Linux 2.6) | 20.20.20.20 (internet) | 30.30.30.30 fw-2 (IPSEC VPN endpoint) | 192.168.100.1 | | 192.168.100.2 server ipsec-user (a road warrior) is supposed to create an IPSEC tunnel to his home
2020 Jun 23
0
Voice broken during calls (again...)
...em here. You got correct message to lower the packet size from 62.156.246.57. This is probably the last hop before your site. Marek 2020-06-23 9:40 GMT+02:00, Luca Bertoncello <lucabert at lucabert.de>: > On 23.06.2020 09:28, Marek Greško wrote: > > Hi > >> if you need clampmss then it is highly probable there is a PMTU >> discovery problem. The clampmss does not work for UDP. > > Is there a way to check if I have this problem? > >> I probably counted the size incorrectly. So you are able to ping with >> size 1464 and not with 1466. How about tr...
2004 Oct 14
0
Shorewall 2.1.11
...=Yes in shorewall.conf. 3) You may now cause Shorewall to use the '--set-mss' option of the TCPMSS target. In other words, you can cause Shorewall to set the MSS field of SYN packets passing through the firewall to the value you specify. This feature extends the existing CLAMPMSS option in /etc/shorewall/shorewall.conf by allowing that option to have a numeric value as well as the values "Yes" and "No". Example: CLAMPMSS=1400 -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.ne...
2003 Aug 26
2
http and smtp connections time out
I am running red hat 9 with shorewall 1.4.6b-1, Have noticed http and smtp connections time out to some hosts I have tried to change tcp_ecn value but without results - the problem persist. I am now forced to use ISP smtp server, and ISP http proxy server to reach some sites. The problem does not exist when I was running win200k with winroute. Thanks to Help L.Djebran
2010 Jan 10
1
ADSL ppp0, persist
...have load balancing configured and default route is removed when ppp0 interface disappears. This is my ifcfg-ppp0 config : USERCTL=yes BOOTPROTO=dialup NAME=DSLppp0 DEVICE=ppp0 TYPE=xDSL ONBOOT=yes PIDFILE=/var/run/pppoe-adsl.pid FIREWALL=NONE PING=. PPPOE_TIMEOUT=80 LCP_FAILURE=3 LCP_INTERVAL=20 CLAMPMSS=1412 CONNECT_POLL=6 CONNECT_TIMEOUT=60 DEFROUTE=no SYNCHRONOUS=no ETH=eth0 PROVIDER=DSLppp0 USER=O2 PEERDNS=no DEMAND=no PERSIST=yes As you can see, I have PERSIST=yes , which according to documentation should keep ppp0 interface ON. Well it does but only for a couple of seconds. I suspect this to...
2005 Nov 18
0
Shorewall 3.0.1
...ash ("-") appeared in the corresponding column of an invocation of that macro, then an invalid rule was generated. 4) The comments in the /etc/shorewall/blacklist file have been updated to clarify that the PORTS column refers to destination port number/service names. 5) When CLAMPMSS is set to a value other than "No" and FASTACCEPT=Yes, the order of the rules generated was incorrect causing RELATED TCP connections to not have CLAMPMSS applied. New Features in 3.0.1 1) To make the macro facility more flexible, Shorewall now examines the contents of the SOU...