Date: Tue, 10 May 2005 01:11:26 +0200
From: Emanuel Strobl <Emanuel.strobl@gmx.net>
To: freebsd-questions@freebsd.org
Cc: Frank de Bot <freebsd@searchy.nl>
Subject: Re: ipfw + natd => some sites won't work :-S
Message-ID: <200505100111.28366@harrymail>
In-Reply-To: <427FEC8C.4050005@searchy.nl>
References: <427FE73C.5080408@searchy.net> <200505100051.08155@harrymail> <427FEC8C.4050005@searchy.nl>
On Tuesday, 10 May 2005 01:04, Frank de Bot wrote:
> Emanuel Strobl wrote:
> > On Tuesday, 10 May 2005 00:42, Frank de Bot wrote:
> >> Hi,
> >>
> >> I got my FreeBSD set up to do NAT, but it doesn't work 100%. Sites
> >> like Google, for instance, do work, but many others don't. All other
> >> protocols
> >
> > I guess you're using an A-DSL line with PPPoE, right?
> > If so, see the tcp-mss fix. PPPoE consumes 8 bytes of your MTU, so the
> > maximum segment size of TCP sessions is also reduced by 8 bytes, which
> > the machine behind the NAT box doesn't know about. Your NAT box has to
> > alter the MSS field in the TCP header, because many sites have wrongly
> > configured firewalls which simply block all ICMP traffic, so the
> > "must fragment" error from your router never reaches the originating
> > host. So the sent packet is too big to go over your line and the "Must
> > Fragment" bit is ignored... you'll never receive what you've requested.
> >
> > I'm not familiar with IPFW, perhaps NATD can take care of MSS; PF does
> > with "max-mss".
>
> I'm not using ADSL with PPPoE. But the configuration used is kinda
> non-standard. I'll try to explain with a little drawing:
>
>
> = Laptop =      IP: 10.0.5.21 (/24)
>
>
> = Server 1 =    IP: 10.0.5.2
>
>   |             IP: 10.0.3.1
>   |
>   | (ipip tunnel)
>
> = Server 2 =    IP: 10.0.3.2
>
>   |             IP: %external_ip%
>
> % internet %
>
> Server 1 is a Linux box
> Server 2 is the FreeBSD performing the NAT
>
> Tracerouting occurs without any problem. From the laptop to the internet:
> 10.0.5.2 -> 10.0.3.2 -> %internet%

The problem is the same: IP-in-IP tunneling reduces TCP's MSS, which the Linux
box doesn't fix. ICMP will work of course, TCP with full payload won't.
I don't know how/why you tunnel IP into IP on that Linux box, but that's
the point where you have to dig.

Good luck,
-Harry

> During testing I've also dumped the whole firewall except the points
> written in the starting post. The behaviour stays exactly the same.
>
> > -Harry
> >
> >> seem to be working properly. But why are sites failing to do
> >> anything? I got natd running with the verbose option, and a successful
> >> request to Google is identical to a random other site :S
> >> The firewall I use is rather big. The most important piece is:
> >>
> >> 01200    723    652298 divert 8668 ip from any to 82.94.238.70 via fxp0
> >> 01200    521     85279 divert 8668 ip from 10.0.5.0/24 to any
> >> 01200      0         0 allow ip from any to 10.0.5.0/24
> >> 01201    524     85399 allow ip from 82.94.238.70 to any
> >> 01201      3       144 allow ip from any to 82.94.238.70
> >> 01500 871494 216106437 allow tcp from any to any established
> >>
> >>
> >> /etc/natd.conf is:
> >>
> >> alias_address %external_ip%
> >> verbose
> >>
> >>
> >> It just puzzles me why only some HTTP requests would fail while
> >> everything else works fine!
> >> Anyone got any idea?
> >>
> >>
> >> Thanks in advance,
> >>
> >> Frank de Bot
> >> _______________________________________________
> >> freebsd-questions@freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> >> To unsubscribe, send any mail to
> >> "freebsd-questions-unsubscribe@freebsd.org"
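The fix Harry points at is MSS clamping: the gateway that adds the encapsulation (PPPoE, or here the IP-in-IP tunnel on the Linux box) rewrites the MSS option in passing SYNs so that peers whose "must fragment" ICMP is firewalled away never send a segment the link cannot carry. The following is an added example, not code from the thread or from FreeBSD: it computes the clamp target from the link MTU and the encapsulation overhead, then lowers the MSS option of a constructed TCP SYN and recomputes the TCP checksum, which is what PF's "max-mss" does on the wire. The addresses 10.0.5.21 and 203.0.113.10, the ports and the packet contents are all constructed for the example.

```python
# Added example (not from this thread): how a NAT/tunnel gateway clamps the
# TCP MSS so peers never send full-size segments that the encapsulated link
# cannot carry. Mirrors PF's "max-mss". All packets are constructed inline;
# IP addresses and ports are illustrative.
import socket
import struct

IPV4_HEADER = 20   # bytes, no options
TCP_HEADER = 20    # bytes, no options
TCP_SYN = 0x02     # SYN flag bit in byte 13 of the TCP header
OPT_MSS = 2        # TCP option kind for Maximum Segment Size


def clamp_target_mss(link_mtu: int, encap_overhead: int) -> int:
    """Largest TCP payload that fits once the encapsulation header is added.

    PPPoE adds 8 bytes; an IP-in-IP tunnel adds a 20-byte outer IP header.
    """
    return link_mtu - encap_overhead - IPV4_HEADER - TCP_HEADER


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries (one's complement)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A segment whose checksum field is correct sums to zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def _options(segment: bytes):
    """Yield (kind, offset, length) for each non-padding TCP option."""
    data_offset = (segment[12] >> 4) * 4    # header length in bytes
    i = TCP_HEADER
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                       # End of Option List
            return
        if kind == 1:                       # NOP padding, one byte
            i += 1
            continue
        if i + 1 >= data_offset:            # truncated option
            return
        length = segment[i + 1]
        if length < 2:                      # malformed, stop parsing
            return
        yield kind, i, length
        i += length


def read_mss(segment: bytes):
    """Return the advertised MSS, or None if the option is absent."""
    for kind, off, length in _options(segment):
        if kind == OPT_MSS and length == 4:
            return struct.unpack("!H", segment[off + 2:off + 4])[0]
    return None


def clamp_syn_mss(src_ip: str, dst_ip: str, segment: bytes, max_mss: int) -> bytes:
    """Lower the MSS option of a SYN to max_mss and fix the TCP checksum.

    Non-SYN segments and SYNs already at or below max_mss pass unchanged.
    """
    if not segment[13] & TCP_SYN:
        return segment
    seg = bytearray(segment)
    changed = False
    for kind, off, length in _options(segment):
        if kind == OPT_MSS and length == 4:
            mss = struct.unpack("!H", segment[off + 2:off + 4])[0]
            if mss > max_mss:
                seg[off + 2:off + 4] = struct.pack("!H", max_mss)
                changed = True
    if not changed:
        return segment
    seg[16:18] = b"\x00\x00"                # zero checksum before recomputing
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


def build_syn(src_ip: str, dst_ip: str, src_port: int, dst_port: int, mss: int) -> bytes:
    """Constructed SYN carrying MSS, two NOPs and SACK-permitted options."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss) + b"\x01\x01\x04\x02"
    data_offset = (TCP_HEADER + len(options)) // 4
    header = struct.pack("!HHIIHHHH", src_port, dst_port, 0x1000, 0,
                         (data_offset << 12) | TCP_SYN, 65535, 0, 0)
    seg = header + options
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


if __name__ == "__main__":
    lan, server = "10.0.5.21", "203.0.113.10"   # laptop and a constructed remote host
    syn = build_syn(lan, server, 40000, 80, 1460)
    clamped = clamp_syn_mss(lan, server, syn, clamp_target_mss(1500, IPV4_HEADER))
    print("MSS before/after:", read_mss(syn), read_mss(clamped),
          "checksum ok:", checksum_ok(lan, server, clamped))
```

For the topology in the thread, a 1500-byte link behind an IP-in-IP tunnel gives a target of 1440 (1500 - 20 - 40), and PPPoE gives the familiar 1452. The clamp has to run on a host the SYN passes through before it is encapsulated, which is the Linux tunnel endpoint or the NAT box; in PF this is the `max-mss` scrub option, and later FreeBSD releases added an ipfw `tcp-setmss` action for the same purpose. Only the two-byte MSS value and the checksum change, so packet length and the other options are untouched.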
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200505100111.28366>