From: Frank de Bot
Date: Tue, 10 May 2005 01:04:44 +0200
To: freebsd-questions@freebsd.org
Subject: Re: ipfw + natd => some sites won't work :-S
Message-ID: <427FEC8C.4050005@searchy.nl>
In-Reply-To: <200505100051.08155@harrymail>

Emanuel Strobl wrote:
> On Tuesday, 10 May 2005 00:42, Frank de Bot wrote:
>
>> Hi,
>>
>> I got my FreeBSD set up to do NAT, but it doesn't work 100%. Sites like
>> Google for instance do work, but many others don't. All other protocols
>
> I guess you're using an ADSL line with PPPoE, right?
> If so, see the tcp-mss fix. PPPoE consumes 8 bytes of your MTU, so the
> maximum segment size of TCP sessions is also reduced by 8 bytes, which the
> machine behind the NAT box doesn't know. Your NAT box has to alter the MSS
> field in the TCP header because many sites have wrongly configured firewalls
> which simply block all ICMP traffic, so the error from your router "must
> fragment" never reaches the originating host. So the sent packet is too
> big to go over your line and the "Must Fragment" bit is ignored... you'll
> never receive what you've requested.
>
> I'm not familiar with IPFW, perhaps NATD can take care of MSS, PF does with
> "max-mss".

I'm not using ADSL with PPPoE. But the configuration used is kinda
non-standard. I'll try to explain with a little drawing:

= Laptop =
IP: 10.0.5.21 (/24)
      |
      |
= Server 1 =
IP: 10.0.5.2 | IP: 10.0.3.1
      |
      | (ipip tunnel)
      |
= Server 2 =
IP: 10.0.3.2 | IP: %external_ip%
      |
% internet %

Server 1 is a Linux box
Server 2 is the FreeBSD performing the NAT

Tracerouting occurs without any problem. From the laptop to the internet:
10.0.5.2 -> 10.0.3.2 -> %internet%

During testing I've also dumped the whole firewall except the points
written in the starting post. The behaviour stays exactly the same.

> -Harry
>
>> seems to be working properly. But why are sites failing to do anything?
>> I got natd running with the verbose option and a successful request to
>> Google is identical to a random other site :S
>> The firewall I use is rather big. The most important piece is:
>>
>> 01200 723 652298 divert 8668 ip from any to 82.94.238.70 via fxp0
>> 01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any
>> 01200 0 0 allow ip from any to 10.0.5.0/24
>> 01201 524 85399 allow ip from 82.94.238.70 to any
>> 01201 3 144 allow ip from any to 82.94.238.70
>> 01500 871494 216106437 allow tcp from any to any established
>>
>> /etc/natd.conf is:
>>
>> alias_address %external_ip%
>> verbose
>>
>> It just puzzles me why only some http requests would fail and everything
>> else works fine!
>> Anyone got any idea?
>>
>> Thanks in advance,
>>
>> Frank de Bot
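The MSS clamping Emanuel describes (what pf's "max-mss" does on the NAT box), as an added Python example that is not code from the thread, natd or pf: it rewrites an oversized MSS option in a TCP SYN and keeps the TCP checksum valid with an incremental update (RFC 1624), so the host behind the NAT never sends segments the uplink cannot carry; on a 1492-byte PPPoE link that means clamping to 1452. The sample SYN, its addresses and ports are constructed.

```python
import struct

def fold(total):
    """Fold carries so the ones-complement sum fits 16 bits."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src, dst, segment):
    """Full TCP checksum over the IPv4 pseudo-header and the segment (csum field zeroed)."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    data += segment[:16] + b"\x00\x00" + segment[18:]
    data += b"\x00" * (len(data) % 2)
    return ~fold(sum(struct.unpack("!%dH" % (len(data) // 2), data))) & 0xFFFF

def checksum_adjust(old_csum, old_word, new_word):
    """Incremental update (RFC 1624, eq. 3) after one 16-bit word changed."""
    return ~fold((~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word) & 0xFFFF

def clamp_mss(segment, max_mss):
    """Lower the MSS option of a TCP SYN to max_mss and fix the checksum.
    Non-SYN segments, or SYNs without an MSS option, are returned unchanged."""
    data_offset = (segment[12] >> 4) * 4
    if not segment[13] & 0x02 or not 20 < data_offset <= len(segment):
        return segment
    seg, i = bytearray(segment), 20
    while i < data_offset:
        kind = seg[i]
        if kind == 0:                   # end of option list
            break
        if kind == 1:                   # NOP padding, one byte
            i += 1
            continue
        length = seg[i + 1] if i + 1 < data_offset else 0
        if length < 2:                  # malformed option: leave the packet alone
            break
        if kind == 2 and length == 4:   # MSS option
            old = struct.unpack_from("!H", seg, i + 2)[0]
            if old > max_mss:
                struct.pack_into("!H", seg, i + 2, max_mss)
                csum = struct.unpack_from("!H", seg, 16)[0]
                struct.pack_into("!H", seg, 16, checksum_adjust(csum, old, max_mss))
            break
        i += length
    return bytes(seg)

def build_syn(src, dst, mss):
    """Constructed sample SYN (port 40000 -> 80) with an MSS option and a valid checksum."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x01\x01"   # MSS + 4 NOPs = 8 bytes
    seg = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 7 << 4, 0x02, 65535, 0, 0) + options
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]
```

Only SYN segments carry the MSS option, so the rewrite is needed once per connection; the full recomputation in tcp_checksum is there to check that the incremental update gives the same result.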