
AW: sudden problems with masqueraded connections over a t-dsl line



many thanks karl, martin, waldemar and nicos,

indeed my provider changed its behaviour when dealing with oversized
packets. pinging the ptp is still not possible, but this is only annoying
if you do a traceroute.

if anyone is experiencing the same problem, with kernel 2.4.3+ and recent
iptables the following will fix this issue:

iptables -A FORWARD -p tcp -o ppp0 --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

thanks
peter

-----Original Message-----
From: Karl E. Jorgensen [mailto:karl@jorgensen.com]
Sent: Tuesday, 11 June 2002 22:43
To: Debian-User@Lists. Debian. Org
Subject: Re: sudden problems with masqueraded connections over a t-dsl line


You got to fix those linebreaks; they were so bad I *had* to reformat
things... And the odd uppercase letter wouldn't hurt either...

Disclaimer: I'm not familiar with ADSL; I'm on dialup.

On Tue, Jun 11, 2002 at 10:07:59PM +0200, Peter Lieven wrote:
> since friday my isp german telekom changed some configuration in their
> routers.
>
> every time i connect to a remote host through my firewall, which is
> masquerading internal connections, the connection to the remote host
> freezes after a certain number of bytes has been transferred.

I presume that "ping" works OK? (you probably checked, but it's not
clear from what you write)

> i changed nothing on my firewall config. i asked the isp to reset my
> dsl port and check their equipment. i also changed the masquerading
> port range in case they want to prevent their customers from
> masquerading (don't ask why).
>
> when i ssh to my firewall and connect directly to the remote machine
> everything is working fine. at the moment i installed some port
> forwarders on my firewall to connect directly to a remote machine. if
> i use them or some other local proxy it works fine. only masqueraded
> connections are stalling.
>
> is there anyone out there who had the same experience or knows any
> workarounds or has any ideas how i can find out what exactly freezes
> the connection?

I've been suffering the same sort of problems. Symptoms were:
- Downloading of mail would work. Until a "big" email was being fetched,
  where it would appear as if the pop3 server just died (=timeout at my
  end)
- Web pages would download fine, but very large images would only ever
  partially download
- Setiathome would never manage to get a full work unit.

From the firewall itself, everything would work; but anything behind the
firewall would suffer the above symptoms.

My workaround was to lower the MTU on my dialup interface - an mtu of
750 and using the --clamp-mss-to-pmtu (man iptables(8)) in the firewall
setup did the trick for me. I still doubt whether this is a *real*
solution; it feels more like a work-around. Also, it introduces a bit
more TCP/IP overhead (relatively speaking) and decreases the net
bandwidth available. But it works for me.

YMMV

> one strange thing that came along with this is that i'm not able to ping
> my p-t-p partner, but it's pingable from outside.  i even used a
> windows machine to do the dialup connection and nat via ics.  same
> strange behaviour.

Sounds odd. But then I don't know ADSL, so I can't comment.

HTH

--
Karl E. Jørgensen
karl@jorgensen.com
www.karl.jorgensen.com
/"\
\ /  ASCII Ribbon Campaign
 x   - Say NO to HTML in email
/ \  - Say NO to Word documents in email (and Macros!)

