Date:      Wed, 20 Apr 2005 21:36:01 +1000
From:      Matthew Sullivan <matthew@uq.edu.au>
To:        freebsd-current@freebsd.org
Subject:   Re: DF (Don't frag) issues
Message-ID:  <42663EA1.3020409@uq.edu.au>
In-Reply-To: <20050420084413.GA27304@walton.maths.tcd.ie>
References:  <426426AE.2060406@uq.edu.au> <20050420084413.GA27304@walton.maths.tcd.ie>

I'm going to post this back to the list as Marko was also helping me get
to the bottom of it...

David Malone wrote:

>On Tue, Apr 19, 2005 at 07:29:18AM +1000, Matthew Sullivan wrote:
>
>>Any reason why FreeBSD 5.2.1+ and 5.3-p9 set DF on all packets?
>
>It is usual to do this to do path MTU discovery with TCP. I don't
>know what the situation with the packets that the VPN sends is.
>
>>example with dominator [203.15.51.36] MTU at 1500, vpn server is at
>>203.15.51.36 (all interfaces are MTU 1500 except gif0 which is 1280),
>>other end of the VPN has interfaces at MTU 1500 which services the
>>10.200.254.0 network (wireless)....
>>
>>23:36:23.577880 203.15.51.36.24 > 10.200.254.98.33118: . 2315:3763(1448)
>>ack 2537 win 33304 <nop,nop,timestamp 45880385 1548984> (DF) [tos 0x10]
>>23:36:23.578406 203.15.51.61 > 203.15.51.36: icmp: 10.200.254.98
>>unreachable - need to frag (DF)
>
>It looks like 203.15.51.61 is asking the vpn server to fragment
>some packet. I guess that the packet is an encrypted version of the
>TCP packet above? I guess that means that either the vpn server
>needs to not set the DF bit, or it needs to translate the ICMP
>message into something that it can return to the TCP sender. How
>to do that probably depends on how you configure the vpn stuff. The
>gif man page says that the DF bit should not be set on the packets
>that it generates.
>
IP addresses involved are:

203.15.51.58 is the webserver (desperado.sorbs.net)
203.15.51.36 is the Old DB server (dominator.sorbs.net)
203.15.51.61 is the VPN terminator (stealth.sorbs.net)
10.200.254.2 is the other end of the VPN (oblivion.isux.com)
10.200.254.98 is my laptop running Slackware Linux; for the dump below I 
used wget to do a simple GET /

FreeBSD oblivion.isux.com 5.3-RELEASE-p8 FreeBSD 5.3-RELEASE-p8 #4: Sun Apr 17 09:55:22 EST 2005 root@oblivion.isux.com:/usr/obj/usr/src/sys/OBLIVION  i386
FreeBSD stealth.sorbs.net 5.3-RELEASE-p8 FreeBSD 5.3-RELEASE-p8 #1: Fri Apr 15 15:31:30 EST 2005 root@stealth.sorbs.net:/usr/obj/usr/src/sys/STEALTH  i386
FreeBSD desperado.sorbs.net 5.3-RELEASE-p9 FreeBSD 5.3-RELEASE-p9 #3: Fri Apr 15 15:29:29 EST 2005 root@desperado.sorbs.net:/usr/obj/usr/src/sys/DESPERADO  amd64

Network is like this (view with fixed font):

           10.200.254.98
                 ^
                 |
            wireless net
                 |
                 |
           10.200.254.2
            192.168.1.2 -----> wired LAN -----
          138.130.dynamic                    |
                 |     ^               192.168.1.0/24
              default  |
                 |     |
                \|/   VPN
          _______|_____|___
                       |
              INTERNET |
          _____________|___
                 |     |
                /|\   VPN
                 |     |
           203.101.254.30 <-----------
                 ^                   |
                 |                  VPN
                 |                   |
           203.101.254.254          /|\
            203.15.51.33             |
                 ^                  VPN
                 |                   |
              default                |
               route             VPN Server
                 |             203.101.254.252
                 |              203.15.51.61
                 |                   |     ^
     -----203.15.51.32/27-------------     |
     |                     |               |
     |                     |               |
203.15.51.58         203.15.51.36         |
     |                     |               |
     |                     |               |
     -->Route for 10.200.254.0/24-----------
              and 192.168.1.0/24

I hope that makes sense ;-)

Basically the current default route is the old firewall; it is being 
replaced by the server that is also the VPN server.

The VPN terminator (stealth.sorbs.net) is going to be a firewall, however it 
isn't a firewall yet, therefore the current rules are a simple:

pass in from any to any
pass out from any to any

(ipf enabled, ipfw not compiled in, pf not enabled)


Following is a tcpdump from the VPN terminator:

root@stealth:~# tcpdump -i dc0 -n host 203.15.51.58
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on dc0, link-type EN10MB (Ethernet), capture size 96 bytes
21:29:41.026070 arp who-has 203.15.51.58 tell 203.15.51.36
21:29:46.454576 IP 10.200.254.98.33080 > 203.15.51.58.80: SWE 2722075077:2722075077(0) win 5840 <mss 1460,sackOK,timestamp 1028974 0,nop,wscale 0>
21:29:46.454705 IP 203.15.51.58.80 > 10.200.254.98.33080: S 1200777202:1200777202(0) ack 2722075078 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 367292134 1028974,nop,nop,sackOK>
21:29:46.495554 IP 10.200.254.98.33080 > 203.15.51.58.80: . ack 1 win 5840 <nop,nop,timestamp 1028979 367292134>
21:29:50.721228 IP 10.200.254.98.33080 > 203.15.51.58.80: P 1:17(16) ack 1 win 5840 <nop,nop,timestamp 1029400 367292134>
21:29:50.820112 IP 203.15.51.58.80 > 10.200.254.98.33080: . ack 17 win 33304 <nop,nop,timestamp 367296606 1029400>
21:29:50.863489 IP 10.200.254.98.33080 > 203.15.51.58.80: P 17:21(4) ack 1 win 5840 <nop,nop,timestamp 1029416 367296606>
21:29:50.865526 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 21 win 33304 <nop,nop,timestamp 367296652 1029416>
21:29:50.865538 IP 203.15.51.58.80 > 10.200.254.98.33080: P 1449:1880(431) ack 21 win 33304 <nop,nop,timestamp 367296652 1029416>
21:29:50.865547 IP 203.15.51.58.80 > 10.200.254.98.33080: F 1880:1880(0) ack 21 win 33304 <nop,nop,timestamp 367296652 1029416>
21:29:50.866097 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag
21:29:50.929844 IP 10.200.254.98.33080 > 203.15.51.58.80: . ack 1 win 5840 <nop,nop,timestamp 1029420 367296606,nop,nop,sack sack 1 {1449:1880} >
21:29:50.935786 IP 10.200.254.98.33080 > 203.15.51.58.80: . ack 1 win 5840 <nop,nop,timestamp 1029420 367296606,nop,nop,sack sack 1 {1449:1881} >
21:29:57.175022 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 21 win 33304 <nop,nop,timestamp 367303115 1029420>
21:29:57.175148 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag
21:30:09.595314 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 21 win 33304 <nop,nop,timestamp 367315837 1029420>
21:30:09.595498 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag
21:30:17.561779 IP 203.15.51.58.80 > 10.200.254.98.33072: . 4283830444:4283831892(1448) ack 2167167726 win 33304 <nop,nop,timestamp 367323997 985979>
21:30:17.561907 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag
21:30:24.545302 IP 10.200.254.98.33080 > 203.15.51.58.80: P 21:23(2) ack 1 win 5840 <nop,nop,timestamp 1032783 367296606,nop,nop,sack sack 1 {1449:1881} >
21:30:24.545430 IP 203.15.51.58.80 > 10.200.254.98.33080: R 1200777203:1200777203(0) win 0
21:30:37.307121 IP 203.15.51.58.80 > 10.200.254.98.33073: . 3057749166:3057750614(1448) ack 2221689087 win 33304 <nop,nop,timestamp 367344222 980032>
21:30:37.307248 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag
^C
25 packets captured
201 packets received by filter
0 packets dropped by kernel

If you need it the interfaces on stealth are configured as follows:

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         options=8<VLAN_MTU>
         inet 203.101.254.252 netmask 0xffffff00 broadcast 203.101.254.255
         inet6 fe80::290:27ff:fec2:4977%fxp0 prefixlen 64 scopeid 0x1
         ether 00:90:27:c2:49:77
         media: Ethernet autoselect (100baseTX <full-duplex>)
         status: active
dc0: flags=108843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         options=8<VLAN_MTU>
         inet 203.15.51.61 netmask 0xffffffe0 broadcast 203.15.51.63
         inet6 fe80::2a0:cff:fec0:cc23%dc0 prefixlen 64 scopeid 0x2
         ether 00:a0:0c:c0:cc:23
         media: Ethernet autoselect (100baseTX <full-duplex>)
         status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
         inet 127.0.0.1 netmask 0xff000000
         inet6 ::1 prefixlen 128
         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
         tunnel inet 203.101.254.252 --> 138.130.223.244
         inet 203.15.51.61 --> 192.168.1.2 netmask 0xffffff00
         inet6 fe80::290:27ff:fec2:4977%gif0 prefixlen 64 scopeid 0x5

IPv4 Routing table:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.101.254.30     UGS         7   486813   fxp0
10.200.254/24      192.168.1.2        UGS         0     1239   gif0
127.0.0.1          127.0.0.1          UH          0       97    lo0
192.168.1          192.168.1.2        UGS         0    12666   gif0
192.168.1.2        203.15.51.61       UH          2      138   gif0
203.15.51.32/27    link#2             UC          0        0    dc0
203.15.51.33       00:00:e8:3d:c7:f2  UHLW        0    10887    dc0   1191
203.15.51.35       08:00:20:b2:58:e6  UHLW        0        6    dc0    802
203.15.51.36       00:0f:20:30:cd:f0  UHLW        0    14290    dc0   1064
203.15.51.38       02:00:06:e3:44:9a  UHLW        0       48    dc0    690
203.15.51.41       02:00:06:e3:44:9a  UHLW        0       48    dc0    154
203.15.51.42       02:00:06:e3:44:9a  UHLW        0       12    dc0    692
203.15.51.51       08:00:20:b2:58:e6  UHLW        0        0    dc0    776
203.15.51.58       00:09:5b:09:de:2a  UHLW        0       32    dc0    872
203.15.51.62       08:00:20:b2:58:e6  UHLW        0      216    dc0    137
203.101.254        link#1             UC          0        0   fxp0
203.101.254.30     00:d0:05:15:0c:0a  UHLW        1        0   fxp0   1198

Sorry if it's too much info; if there is anything missing that you need, just mail...

Regards,

-- 
Matthew Sullivan
Specialist Systems Programmer
Information Technology Services
The University of Queensland

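Added example, not part of the original thread: a small Python check over records copied from the tcpdump above (each joined onto one line) that flags the pattern visible in this capture, a full-size segment retransmitted unchanged after its sender was sent "need to frag", which is how a path MTU discovery stall shows up in a trace. It assumes the 12-byte TCP timestamp option seen in every segment and takes 1280 as the tunnel MTU from the gif0 line in the ifconfig output.

```python
import re
from collections import defaultdict

# Constructed sample input: records copied from the tcpdump above, each joined onto one line.
CAPTURE = """\
21:29:50.865526 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 21 win 33304 <nop,nop,timestamp 367296652 1029416>
21:29:50.865538 IP 203.15.51.58.80 > 10.200.254.98.33080: P 1449:1880(431) ack 21 win 33304 <nop,nop,timestamp 367296652 1029416>
21:29:50.866097 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag
21:29:57.175022 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 21 win 33304 <nop,nop,timestamp 367303115 1029420>
21:29:57.175148 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag
21:30:09.595314 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 21 win 33304 <nop,nop,timestamp 367315837 1029420>
21:30:09.595498 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag
"""

# "IP src.port > dst.port: FLAGS lo:hi(len) ..." and "IP reporter > target: icmp N: host unreachable - need to frag"
TCP_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): \S+ (\d+):(\d+)\((\d+)\)")
ICMP_RE = re.compile(r"^\S+ IP (\S+) > (\S+): icmp \d+: (\S+) unreachable - need to frag")

def packet_size(payload, ip_hdr=20, tcp_hdr=32):
    """Datagram size on the wire; the 32-byte TCP header assumes the 12-byte
    timestamp option carried by every segment in the capture."""
    return payload + ip_hdr + tcp_hdr

def find_pmtud_stalls(text, tunnel_mtu=1280):  # 1280 is gif0's MTU from ifconfig above
    """Return (sender, receiver, seq_range, payload, retransmits) for each oversized
    segment resent unchanged after its sender was told 'need to frag' for that
    receiver: the sender is not lowering its MSS and the transfer will stall."""
    warned = set()            # (sender, receiver) pairs that received need-to-frag
    sends = defaultdict(int)  # (sender, receiver, seq_range, payload) -> times seen
    stalls = {}
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            _reporter, target, unreachable = m.groups()
            warned.add((target, unreachable))
            continue
        m = TCP_RE.match(line)
        if not m:
            continue
        src, _sport, dst, _dport, lo, hi, payload = m.groups()
        key = (src, dst, f"{lo}:{hi}", int(payload))
        sends[key] += 1
        if (src, dst) in warned and sends[key] > 1 and packet_size(int(payload)) > tunnel_mtu:
            stalls[key] = sends[key] - 1  # retransmissions seen after the warning
    return [key + (count,) for key, count in stalls.items()]

if __name__ == "__main__":
    for sender, receiver, rng, payload, n in find_pmtud_stalls(CAPTURE):
        print(f"{sender} -> {receiver} seq {rng}: {packet_size(payload)} bytes on the wire, resent {n}x after need-to-frag")
```

On the capture above it reports the 1:1449 segment from 203.15.51.58: with the timestamp option a 1448-byte payload is a 1500-byte datagram, 220 bytes over gif0's 1280, and it is resent twice unchanged after the ICMP, which is why the reset follows.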
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42663EA1.3020409>