Pascal DeMilly
2003-Jan-24 22:16 UTC
[Shorewall-users] icmp: w.x.y.z unreachable need to defrag (mtu 296)
Hi,

I have a setup that consists of 2 firewalls connected over dialup and PPP. Each side of the ppp is protected by shorewall. One side of the PPP masquerades everything not addressed to the local network to its eth0 (the net).

fw1 <---- ppp (dialup) -----> fw0 <----- NET

When making an http request to a site on the Internet from the machine not directly connected to the net (fw1), the request hangs. I have checked that I can ping addresses on the net and that my DNS resolution works correctly.

Running tcpdump on the firewall connected to the net (fw0), I see that the request goes and comes back but the firewall sends an icmp unreachable need to defrag packet back to the sender, in that case the web site that I was trying to look at. I verified by running a tcpdump outside of fw0 that this icmp message was indeed leaving the firewall and not being dropped there.

Now my question. I have set CLAMPMSS to yes thinking that this should solve the problem, but it didn't. I also set up a transparent squid cache on fw0 and it seems to be a lot better (at least faster) but I can still see some icmp unreachable need to defrag packets. Any idea what else I could try?

Thanks in advance

Pascal
-- 
Pascal DeMilly <list.shorewall@newgenesys.com>
Tom Eastep
2003-Jan-25 06:48 UTC
[Shorewall-users] icmp: w.x.y.z unreachable need to defrag (mtu 296)
--On Friday, January 24, 2003 10:21 PM -0800 Pascal DeMilly <list.shorewall@newgenesys.com> wrote:

> Now my question. I have set CLAMPMSS to yes thinking that this should
> solve the problem, but it didn't. I also set up a transparent squid cache
> on fw0 and it seems to be a lot better (at least faster) but I can still
> see some icmp unreachable need to defrag packets. Any idea what else I
> could try?

What values have you set for 'mtu' and 'mru' in /etc/ppp/options? When I used a fw-based PPTP link, I used 1000 for both.

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: teastep    \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Tom Eastep
2003-Jan-25 09:08 UTC
[Shorewall-users] icmp: w.x.y.z unreachable need to defrag (mtu 296)
--On Saturday, January 25, 2003 6:48 AM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> --On Friday, January 24, 2003 10:21 PM -0800 Pascal DeMilly
> <list.shorewall@newgenesys.com> wrote:
>
>> Now my question. I have set CLAMPMSS to yes thinking that this should
>> solve the problem, but it didn't. I also set up a transparent squid cache
>> on fw0 and it seems to be a lot better (at least faster) but I can still
>> see some icmp unreachable need to defrag packets. Any idea what else I
>> could try?
>
> What values have you set for 'mtu' and 'mru' in /etc/ppp/options? When I
> used a fw-based PPTP link, I used 1000 for both.

I was reviewing your post again and I notice that the ppp link is dialup -- IIRC, those should use a mtu and mru in the 500-600 byte range. Possibly someone else who uses dial-up can comment...

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: teastep    \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Larry Platzek
2003-Jan-25 18:07 UTC
[Shorewall-users] icmp: w.x.y.z unreachable need to defrag (mtu 296)
Tom:
I am using a dialup modem and have a mtu of 1500 according to "ip addr". This is running on a Bering-Uclib-1.0.1 using the ppp-filter.lrp. I have not tried specifying MTU or MRU.

I am just starting to update my systems and need to try some other ppp options and document them.
Hope to be up and active soon on this and the LEAF lists.

Larry Platzek larryp@inow.com

On Sat, 25 Jan 2003, Tom Eastep wrote:

> Date: Sat, 25 Jan 2003 09:08:17 -0800
> From: Tom Eastep <teastep@shorewall.net>
> To: Shorewall users list <shorewall-users@shorewall.net>
> Subject: Re: [Shorewall-users] icmp: w.x.y.z unreachable need to defrag
>     (mtu 296)
>
> --On Saturday, January 25, 2003 6:48 AM -0800 Tom Eastep
> <teastep@shorewall.net> wrote:
>
> > --On Friday, January 24, 2003 10:21 PM -0800 Pascal DeMilly
> > <list.shorewall@newgenesys.com> wrote:
> >
> >> Now my question. I have set CLAMPMSS to yes thinking that this should
> >> solve the problem, but it didn't. I also set up a transparent squid cache
> >> on fw0 and it seems to be a lot better (at least faster) but I can still
> >> see some icmp unreachable need to defrag packets. Any idea what else I
> >> could try?
> >
> > What values have you set for 'mtu' and 'mru' in /etc/ppp/options? When I
> > used a fw-based PPTP link, I used 1000 for both.
>
> I was reviewing your post again and I notice that the ppp link is dialup --
> IIRC, those should use a mtu and mru in the 500-600 byte range. Possibly
> someone else who uses dial-up can comment...
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> AIM: teastep    \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.shorewall.net
> http://lists.shorewall.net/mailman/listinfo/shorewall-users
Tom Eastep
2003-Jan-25 18:09 UTC
[Shorewall-users] icmp: w.x.y.z unreachable need to defrag (mtu 296)
--On Saturday, January 25, 2003 6:06 PM -0800 Larry Platzek <larryp@inow.com> wrote:

> Tom:
> I am using a dialup modem and have a mtu of 1500 according to
> "ip addr". This is running on a Bering-Uclib-1.0.1 using the ppp-filter.lrp.
> I have not tried specifying MTU or MRU.
>
> I am just starting to update my systems and need to try some other ppp options
> and document them.
> Hope to be up and active soon on this and the LEAF lists.

Thanks, Larry.

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,      \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Pascal DeMilly
2003-Jan-26 00:27 UTC
[Shorewall-users] icmp: w.x.y.z unreachable need to defrag (mtu 296)
I did some more debugging and one thing that threw me off-track at first (I thought shorewall was blocking this particular icmp message) was actually very telling. I didn't include a trace in my previous message because I thought it was irrelevant and primarily because it is on a testing subnet not easily accessible from my mail reader. But from that trace, I could see that the icmp message returned to the web server has in its payload the IP address of the originating machine behind my ppp connection instead of, as one should expect, the NAT gateway, and that didn't seem right. I googled on that find and found this interesting e-mail on the netfilter mailing-list, which explains the problem:

http://lists.netfilter.org/pipermail/netfilter-devel/2002-October/009511.html

Now as far as the MTU goes, I was using 296 (256+40), which according to some RFC I read is the recommended value for a dialup modem. I have since upgraded it to 552 (512+40) because I am using V.92 modems and quite frequently get over 36K throughput.

I have been writing this e-mail over the last day, trying to make sure to test everything before posting, and I have found the problem. In my PPP option file I had set the MRU but not the MTU. So even if ifconfig shows the expected MTU, always verify. Setting the MRU and MTU to the same value got rid of the ICMP messages, but nevertheless it seems that there is an implementation problem with it in netfilter.

Thanks to everybody and particularly, as always, to Tom.

Pascal

On Fri, 2003-01-24 at 22:21, Pascal DeMilly wrote:

> Hi,
>
> I have a setup that consists of 2 firewalls connected over dialup and
> PPP. Each side of the ppp is protected by shorewall. One side of the
> PPP masquerades everything not addressed to the local network to its
> eth0 (the net).
>
> fw1 <---- ppp (dialup) -----> fw0 <----- NET
>
> When making an http request to a site on the Internet from the machine
> not directly connected to the net (fw1), the request hangs. I have
> checked that I can ping addresses on the net and that my DNS resolution
> works correctly.
>
> Running tcpdump on the firewall connected to the net (fw0), I see that
> the request goes and comes back but the firewall sends an icmp
> unreachable need to defrag packet back to the sender, in that case the
> web site that I was trying to look at. I verified by running a tcpdump
> outside of fw0 that this icmp message was indeed leaving the firewall
> and not being dropped there.
>
> Now my question. I have set CLAMPMSS to yes thinking that this should
> solve the problem, but it didn't. I also set up a transparent squid cache
> on fw0 and it seems to be a lot better (at least faster) but I can still
> see some icmp unreachable need to defrag packets. Any idea what else I
> could try?
>
> Thanks in advance
>
> Pascal
-- 
Pascal DeMilly <list.shorewall@newgenesys.com>
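The symptom Pascal describes above (the ICMP "fragmentation needed" message quoting the private address of the originating host rather than the NAT gateway, so the remote web server cannot match it to any of its connections and PMTU discovery silently fails) can be checked in a packet capture. The following is an added example, not code from the thread or from Shorewall; it builds a constructed ICMP type 3 / code 4 message, parses the next-hop MTU and the quoted inner IP header, and reports whether the quoted destination was correctly reverse-NATed. All addresses are made-up RFC 5737 / RFC 1918 values.

```python
import struct
import ipaddress

ICMP_UNREACH, CODE_FRAG_NEEDED = 3, 4


def ipv4_header(src, dst, total_len, proto=6):
    """Minimal 20-byte IPv4 header (checksum left 0) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def frag_needed(inner_src, inner_dst, next_hop_mtu, inner_len=1500):
    """Constructed ICMP type 3 / code 4 quoting the oversized packet's header + 8 bytes."""
    quoted = ipv4_header(inner_src, inner_dst, inner_len) + bytes.fromhex("00501f9000000001")
    return struct.pack("!BBHHH", ICMP_UNREACH, CODE_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted


def parse_frag_needed(icmp):
    """Return (next_hop_mtu, quoted_src, quoted_dst), or None for any other ICMP message."""
    if len(icmp) < 8 + 20:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (ICMP_UNREACH, CODE_FRAG_NEEDED):
        return None
    quoted = icmp[8:]  # the IP header of the packet that could not be forwarded
    src = str(ipaddress.IPv4Address(quoted[12:16]))
    dst = str(ipaddress.IPv4Address(quoted[16:20]))
    return mtu, src, dst


def diagnose(icmp, nat_public_addr, private_nets):
    """Explain whether this frag-needed message lets the remote peer lower its path MTU."""
    parsed = parse_frag_needed(icmp)
    if parsed is None:
        return "not a fragmentation-needed message"
    mtu, src, dst = parsed
    nets = [ipaddress.ip_network(n) for n in private_nets]
    if any(ipaddress.ip_address(dst) in n for n in nets):
        # The quoted header was not reverse-NATed: the peer sent to the gateway's
        # public address, so it will not recognise this as one of its connections.
        return (f"quoted dst {dst} is a private address, not NAT gateway {nat_public_addr}: "
                f"peer cannot match it to its connection, PMTUD fails "
                f"(next-hop MTU {mtu}; MSS should be clamped to {mtu - 40})")
    if dst != nat_public_addr:
        return f"quoted dst {dst} does not match NAT gateway {nat_public_addr}"
    return f"ok: quoted dst is the NAT gateway; peer should use path MTU {mtu} (MSS {mtu - 40})"
```

Feeding the ICMP payload from a tcpdump capture on fw0's outside interface to `diagnose` distinguishes the netfilter problem Pascal found from a plain MTU mismatch.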
Tom Eastep
2003-Jan-26 06:48 UTC
[Shorewall-users] icmp: w.x.y.z unreachable need to defrag (mtu 296)
--On Sunday, January 26, 2003 12:33 AM -0800 Pascal DeMilly <list.shorewall@newgenesys.com> wrote:

> In my
> PPP option file I had set the MRU but not the MTU. So even if ifconfig
> shows the expected MTU, always verify. Setting the MRU and MTU to the
> same value got rid of the ICMP messages, but nevertheless it seems that
> there is an implementation problem with it in netfilter.

Or ifconfig is showing you the wrong information... :-)

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,      \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net