Date: Mon, 24 Sep 2001 05:00:03 -0700 (PDT)
From: Ruslan Ermilov <ru@FreeBSD.ORG>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/30775: natd doesn't work with Path MTU discovery
Message-ID: <200109241200.f8OC03q55669@freefall.freebsd.org>
The following reply was made to PR kern/30775; it has been noted by GNATS.

From: Ruslan Ermilov <ru@FreeBSD.ORG>
To: ken@kdm.org
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/30775: natd doesn't work with Path MTU discovery
Date: Mon, 24 Sep 2001 14:50:13 +0300

Actually, natd(8) (libalias(3)) handles these all right.
Make sure you are not blocking ICMP in your firewall.

Please send me the output from a "natd -v" session that contains
these ICMP packets. Having your firewall rules listed would also help.

On Sun, Sep 23, 2001 at 05:22:45PM -0600, ken@kdm.org wrote:
>
> A 4.4-stable (or most any other version of FreeBSD) box with two nics. One
> is on the 'external' net, one on the internal net (with RFC 1918
> addresses).
>
> ipfw and natd are configured to provide NAT functionality.
>
> >Description:
>
> natd doesn't handle need-to-frag ICMP packets coming back from the router,
> so the machine behind the NAT box doesn't know that it needs to reduce the
> route MTU for a given site.
>
> >How-To-Repeat:
>
> Crank up tcpdump on the NAT box and a machine behind the NAT.
>
> At least in my case, go to www.schwab.com using a web browser on a machine
> behind the NAT, and watch the tcpdump output. I see ICMP need-to-frag
> packets coming back into the NAT box on the external interface, but they
> aren't sent back to the machine behind the NAT box.
>
> The problem with www.schwab.com may or may not be reproducible, depending on
> whether the problem is closer to me or closer to schwab.
>
> In any case, natd should handle ICMP need to frag packets, since TCP Path
> MTU discovery doesn't work without them.
>
> >Fix:
>
> potential work-arounds:
>
> Run an application proxy server on a machine that isn't behind natd.
>
> Run the application on a machine that isn't behind natd.
>
> Investigate whether ipfilter's NAT code can handle path MTU discovery.
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
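
An added example, not part of the original thread and not natd or libalias code: a parser for the ICMP need-to-frag (type 3, code 4) message the thread is about, useful when checking a capture from the external interface. It shows that the quoted original header inside the error carries the NAT's external address and port, so a NAT must look up the translation from that embedded header before it can forward the error to the inside host. The function names and all addresses (documentation ranges) are constructed for illustration.

```python
import socket
import struct

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header, DF set (checksum 0; constructed sample only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_frag_needed(packet):
    """Return the fields a NAT needs from an ICMP need-to-frag error, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:  # protocol 1 = ICMP
        return None
    icmp_type, icmp_code, _cksum, _unused, mtu = struct.unpack_from("!BBHHH", packet, ihl)
    if (icmp_type, icmp_code) != (3, 4):      # destination unreachable / need-to-frag
        return None
    inner = packet[ihl + 8:]                  # quoted original IP header + first 8 bytes
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner_ihl < 20 or len(inner) < inner_ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", inner, inner_ihl)  # valid for TCP/UDP only
    return {
        "reporter": socket.inet_ntoa(packet[12:16]),   # router that could not forward
        "outer_dst": socket.inet_ntoa(packet[16:20]),  # NAT's external address
        "next_hop_mtu": mtu,                           # RFC 1191 next-hop MTU field
        "inner_proto": inner[9],
        "inner_src": socket.inet_ntoa(inner[12:16]),   # still the translated source
        "inner_sport": sport,                          # still the translated port
        "inner_dst": socket.inet_ntoa(inner[16:20]),
        "inner_dport": dport,
    }

# Constructed sample: router 203.0.113.1 tells NAT address 198.51.100.10 that its
# 1500-byte TCP datagram to 192.0.2.80:80 did not fit a 1400-byte link.
QUOTED = ipv4_header("198.51.100.10", "192.0.2.80", 6, 1480) + struct.pack("!HHI", 40000, 80, 1)
ICMP = struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + QUOTED
SAMPLE = ipv4_header("203.0.113.1", "198.51.100.10", 1, len(ICMP)) + ICMP

if __name__ == "__main__":
    print(parse_frag_needed(SAMPLE))
```

If the inside host never sees this message, compare `inner_src`/`inner_sport` against the NAT's translation table and confirm the firewall passes ICMP type 3 on both interfaces.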