
Re: MacOS, Debian router and ADSL/PPPoE (OT Net Tuner does not work for HTTP)



On Wed, Jan 30, 2002 at 05:44:48PM +0100,
 Stephane Bortzmeyer <bortzmeyer@netaktiv.com> wrote 
 a message of 27 lines which said:

> I have a Debian router which connects to an ADSL/PPPoE line (therefore
> with a PPP interface and a MTU of 1492).
> 
> Behind it are Linux machines, MS-Windows boxes and MacOS toys, all
> NATed (i have only one IP address) by Netfilter/iptables (router

OK, the best solution, by far, because it needs a change only on the
router, is to use "MSS clamping", an option of recent pppoe (not in
potato) which modifies on the fly the MSS parameter of TCP connections
(other IP packets are unaffected but fragmentation should handle it,
see below).

So, I changed my /etc/ppp/peers/provider to have:

pty "pppoe -I eth1 -T 80 -m 1412"

Now, everyone is happy, without needing any extra software.

Now, the theory. If I don't change the MTU of "client" machines,
fragmentation will occur and everything will work (see later for
TCP-specific problems and do not forget also that some stupid
firewalls may break fragmentation if they stop some ICMP packets),
albeit with slower performance (so you may want to change the MTU to
speed up UDP or other non-TCP applications).

spoutnik:/# traceroute  www.gitoyen.net 1500
traceroute to www.gitoyen.net (80.67.160.2), 30 hops max, 1500 byte packets
 1  elsa.netaktiv.com (172.21.0.1)  2.937 ms  2.533 ms  3.839 ms
 2  loopback1-lns201-tip-telehouse.nerim.net (62.4.16.251)  141.470 ms  141.409 ms  145.209 ms
...

If I forbid fragmentation, it will no longer work:

spoutnik:# traceroute -F www.gitoyen.net 1500
traceroute to www.gitoyen.net (80.67.160.2), 30 hops max, 1500 byte packets
 1  elsa.netaktiv.com (172.21.0.1)  2.883 ms  4.812 ms  2.467 ms
 2  elsa.netaktiv.com (172.21.0.1)  2.487 ms !F-1492  2.525 ms !F-1492  2.461 ms !F-1492

If I change the MTU, I will no longer emit such packets and
performance will be better (provided the application chooses its
packet size wisely):

spoutnik:# ifconfig eth0 mtu 1492
spoutnik:# traceroute  www.gitoyen.net 1500
traceroute to www.gitoyen.net (80.67.160.2), 30 hops max, 1500 byte packets
traceroute: sendto: Message too long
 1 traceroute: wrote www.gitoyen.net 1500 chars, ret=-1

Now, for TCP. Many TCP programs/stacks will set DF (Don't fragment)
and will rely on the ICMP packet (which tells the maximum size, see
the 1492 in the above message) to fix the size of segments (warning:
some firewalls may stupidly stop these packets). But they may announce
wrong MSS (maximum segment size). Either you fix every application/TCP
stack or you use "MSS clamping" (the -m option of pppoe) which will
hack it on the fly and allow TCP applications to send only small
enough packets.

Thanks a lot for the explanations and for the help on my problem.
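MSS clamping as described in the message above, as an added example (my own Python illustration, not the code of pppoe or of the original poster): the TCP options of a SYN are parsed, an MSS larger than the link MTU allows (1492 minus 20 bytes IP and 20 bytes TCP header gives 1452) is lowered, and the TCP checksum is patched incrementally per RFC 1624. The sample SYN is constructed; its ports, sequence numbers and the choice of clamp value are assumptions, and the checksum is computed over the segment alone for the demo.

```python
import struct

IP_HDR, TCP_HDR = 20, 20        # minimal IPv4 and TCP header sizes (no options)
def mss_for_mtu(mtu):
    return mtu - IP_HDR - TCP_HDR       # largest payload that fits one frame: 1492 -> 1452
def ones_sum(data):
    """Ones-complement sum of big-endian 16-bit words (odd trailing byte zero-padded)."""
    data = bytes(data) + (b"\x00" if len(data) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total
def tcp_options(opts):
    """Yield (kind, offset, value) per option; kind 0 ends the list, kind 1 is a 1-byte NOP."""
    i = 0
    while i < len(opts) and opts[i] != 0:
        if opts[i] == 1:
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        yield opts[i], i, opts[i + 2:i + length]
        i += length
def clamp_mss(segment, link_mtu):
    """Lower a SYN's MSS option to what link_mtu allows; returns (segment, old_mss, new_mss).
    Non-SYN/MSS-less segments pass unchanged; the checksum is patched incrementally (RFC 1624)."""
    data_off = (segment[12] >> 4) * 4
    if not segment[13] & 0x02:                          # SYN flag not set
        return segment, None, None
    old_opts = segment[TCP_HDR:data_off]
    for kind, off, value in tcp_options(old_opts):
        if kind != 2 or len(value) != 2:                # kind 2 = MSS, 16-bit value
            continue
        old_mss = struct.unpack("!H", value)[0]
        new_mss = min(old_mss, mss_for_mtu(link_mtu))
        if new_mss == old_mss:
            return segment, old_mss, old_mss
        new_opts = old_opts[:off + 2] + struct.pack("!H", new_mss) + old_opts[off + 4:]
        old_csum = struct.unpack("!H", segment[16:18])[0]
        # HC' = ~(~HC + ~m + m'): only the option words changed, so no pseudo-header is needed
        delta = ones_sum(struct.pack("!HHH", ~old_csum & 0xFFFF, ~ones_sum(old_opts) & 0xFFFF, ones_sum(new_opts)))
        head = segment[:16] + struct.pack("!H", ~delta & 0xFFFF) + segment[18:TCP_HDR]
        return head + new_opts + segment[data_off:], old_mss, new_mss
    return segment, None, None
def build_syn(mss):
    """Constructed sample SYN carrying only an MSS option (ports and sequence numbers made up)."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 2, 65535, 0, 0)   # data offset 6 words, SYN
    seg = hdr + struct.pack("!BBH", 2, 4, mss)                                  # MSS option: kind 2, len 4
    return seg[:16] + struct.pack("!H", ~ones_sum(seg) & 0xFFFF) + seg[18:]   # checksum over segment only
```

A real clamper (pppoe -m, or the Netfilter TCPMSS target) does the same rewrite on every forwarded SYN, in both directions, before the packet reaches the PPP interface.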