From owner-freebsd-net@FreeBSD.ORG Tue Dec 27 09:28:42 2005
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C75C116A43B for ; Tue, 27 Dec 2005 09:28:42 +0000 (GMT) (envelope-from b.candler@pobox.com)
Received: from thorn.pobox.com (thorn.pobox.com [208.210.124.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id 74DF043D49 for ; Tue, 27 Dec 2005 09:28:41 +0000 (GMT) (envelope-from b.candler@pobox.com)
Received: from thorn (localhost [127.0.0.1]) by thorn.pobox.com (Postfix) with ESMTP id D975FE6; Tue, 27 Dec 2005 04:29:01 -0500 (EST)
Received: from mappit.local.linnet.org (212-74-113-67.static.dsl.as9105.com [212.74.113.67]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by thorn.sasl.smtp.pobox.com (Postfix) with ESMTP id 9CFA227A9; Tue, 27 Dec 2005 04:29:00 -0500 (EST)
Received: from lists by mappit.local.linnet.org with local (Exim 4.60 (FreeBSD)) (envelope-from ) id 1ErB8H-0000gF-Ds; Tue, 27 Dec 2005 09:28:37 +0000
Date: Tue, 27 Dec 2005 09:28:37 +0000
From: Brian Candler
To: Oleg Tarasov
Message-ID: <20051227092837.GA2564@uk.tiscali.com>
References: <1687545235.20051226134150@osk.com.ua>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1687545235.20051226134150@osk.com.ua>
User-Agent: Mutt/1.4.2.1i
Cc: freebsd-net@freebsd.org
Subject: Re: Router on 6.0-stable fails to route tcp packets due to NAT?? malfunction
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 27 Dec 2005 09:28:43 -0000

On Mon, Dec 26, 2005 at 01:41:50PM +0200, Oleg Tarasov wrote:
> mpd configuration is attached in mpd.conf and mpd.links. Shortly, ng0
> is a PPPoE connection on rl1 interface.
       ^^^^^

Sounds to me like an MTU problem. Windows machine sends a 1500-byte packet,
but it can't fit into an ethernet frame along with PPPoE encapsulation, so
the router should either send back an ICMP error (if DF bit is set), or it
should fragment (if DF bit is not set).

With DF, the Windows client is supposed to automatically detect that the
path MTU has been exceeded, and try again with a smaller MTU.

The tcpdumps you show indicate DF is set. They don't show any ICMP
responses, but then again you didn't show the *exact* tcpdump command line
you gave. I am guessing you did something like

  tcpdump -i rl0 tcp port 80

because you let tcpdump perform DNS lookups, which means you omitted the -n
flag (bad idea), but I don't see the DNS packets going back and forth, which
means you had some sort of tcpdump filter which doesn't show DNS packets.

Better would be:

  # tcpdump -i ng0 -n -s 1500 -X host 209.132.176.176
  # tcpdump -i rl0 -n -s 1500 -X host 192.168.82.111

so that you see all packets to/from the clients, _including_ ICMP.

Something is causing a 'R' (RST) to be sent, terminating the TCP
connection. I'm not sure which device this is.

Anyway, there's an easy way you can prove whether MTU is the problem or
not: on the Windows client, manually set the MTU to something smaller, like
1460. If that works, you know exactly what the problem is.

I _think_ your problem is that you are using natd, which is creaking and
ancient and maybe does not support NAT for path MTU discovery. But it may be
that PPPoE doesn't support DF properly either. You didn't show your full
ipfw ruleset and natd configuration so it's hard to analyse further.

Does the PPPoE connection set up some sort of virtual interface, e.g. a
'tun' interface? If so you could try setting a lower MTU on it.

Otherwise, personally I would try switching from ipfw/natd to pf.

Hope that gives you a few ideas.

Brian.
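As an added illustration of the router behaviour Brian describes (this is example code written for this page, not code from the thread, from mpd, natd or FreeBSD), the script below models the forwarding decision a router has to make when a 1500-byte IPv4 packet from the Ethernet LAN must leave over a PPPoE link. PPPoE costs 8 bytes per frame (6-byte PPPoE header plus 2-byte PPP protocol field), so the link MTU is 1492. With DF set the router must answer with ICMP type 3 code 4 ("fragmentation needed") carrying the next-hop MTU, which is what the client's path-MTU discovery relies on; with DF clear it must fragment on 8-byte boundaries. The IP addresses are the ones quoted in the thread, reused here purely as constructed sample values; the packets themselves are built inline and the input is assumed to be an unfragmented IPv4 packet without options.

```python
"""Router-side handling of an oversized IPv4 packet on a PPPoE egress link.

Constructed example: builds a 1500-byte IPv4 packet, then shows the two
RFC 791 / RFC 1191 outcomes a router must produce when the egress MTU is
1492: an ICMP 'fragmentation needed' error (DF set) or IP fragments (DF clear).
"""
import struct

PPPOE_MTU = 1500 - 8          # 6-byte PPPoE header + 2-byte PPP protocol field
IP_FLAG_DF = 0x4000           # Don't Fragment
IP_FLAG_MF = 0x2000           # More Fragments

# Sample addresses, as quoted in the thread (constructed sample traffic only).
LAN_CLIENT = "192.168.82.111"
WEB_SERVER = "209.132.176.176"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 means 'valid')."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, df: bool, ident: int = 0x1234) -> bytes:
    """Minimal IPv4 header (IHL=5, TTL 64, proto TCP) followed by payload."""
    flags = IP_FLAG_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags,
                      64, 6, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def icmp_frag_needed(pkt: bytes, mtu: int) -> bytes:
    """ICMP type 3 code 4 with next-hop MTU, quoting IP header + 8 payload bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    body = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + pkt[:ihl + 8]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def fragment(pkt: bytes, mtu: int) -> list:
    """Split an unfragmented packet into fragments that fit mtu; offsets are in 8-byte units."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr, payload = pkt[:ihl], pkt[ihl:]
    chunk = (mtu - ihl) // 8 * 8            # largest payload slice that keeps 8-byte alignment
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = IP_FLAG_MF if off + chunk < len(payload) else 0
        h = bytearray(hdr)
        h[2:4] = struct.pack("!H", ihl + len(piece))
        h[6:8] = struct.pack("!H", more | (off // 8))
        h[10:12] = b"\x00\x00"                # zero before recomputing the header checksum
        h[10:12] = struct.pack("!H", checksum(bytes(h)))
        frags.append(bytes(h) + piece)
    return frags


def forward(pkt: bytes, egress_mtu: int = PPPOE_MTU):
    """Decide what a router does with pkt on a link of egress_mtu."""
    total_len, _ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    if total_len <= egress_mtu:
        return "forward", [pkt]
    if flags_frag & IP_FLAG_DF:
        # Must not fragment: tell the sender the path MTU so it can shrink its segments.
        return "icmp_frag_needed", icmp_frag_needed(pkt, egress_mtu)
    return "fragment", fragment(pkt, egress_mtu)


if __name__ == "__main__":
    big_df = build_ipv4(LAN_CLIENT, WEB_SERVER, b"A" * 1480, df=True)
    action, msg = forward(big_df)
    print(action, "next-hop MTU =", int.from_bytes(msg[6:8], "big"))
    big_nodf = build_ipv4(LAN_CLIENT, WEB_SERVER, b"A" * 1480, df=False)
    action, frags = forward(big_nodf)
    print(action, [len(f) for f in frags])
```

Run against a capture like the one in the thread, the point of the model is the first branch: if the LAN-side dump shows 1500-byte segments with DF set and no ICMP type 3 code 4 coming back, the client can never learn the 1492-byte path MTU, which matches the stalled connections Oleg reports. A NAT that rewrites the TCP header but not the quoted header inside the ICMP error, or a firewall rule that drops ICMP outright, produces exactly that symptom.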