#163352 - 28/05/2003 22:59
Where, oh, where have my little packets gone?
carpal tunnel
Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
Okay, I'm stumped. I seem to inexplicably be cut off from large chunks of the web. I have a firewall connected to a DSL line. I'm using iptables with NAT turned on. My internal net has two machines on it. On my internal machines, there is a subset of websites that I just cannot seem to access -- for example, news.yahoo.com. I can get to yahoo.com, but not to any of the subdomains -- the browser just gets a timeout error. Sometimes it seems to be browser specific -- I can access google.com with Mozilla, but not Konqueror (timeout error). Sometimes the browser makes no difference.

As a test, I logged onto every single one of my machines at the same time, and fired up links (so I'm using the same browser on everything), and tried to surf to news.yahoo.com. Internal net... no dice. Firewall... no problem. I can successfully ping that server from any machine, firewall or internal net. I logged the packets going to/from my firewall to news.yahoo.com while surfing from the firewall, to see what a successful connection looks like. Then I logged the packets going to/from an internal machine. I haven't fully gone through the logs to see what's missing, but there is a significant amount of stuff that's not being passed through the firewall -- it doesn't even look as though the same sequence of packets is being sent.

Any suggestions on where I start looking for the problem? I've tried simplifying my firewall rules to just let everything in/out, but it didn't seem to have much of an effect. Thanks,
#163353 - 28/05/2003 23:28
Re: Where, oh, where have my little packets gone?
[Re: canuckInOR]
pooh-bah
Registered: 31/08/1999
Posts: 1649
Loc: San Carlos, CA
Any suggestions on where I start looking for the problem?
Do you connect to your ISP with PPPoE by any chance? If so that sounds exactly like what happens if the MTU on your machines hasn't been decreased. Most firewalls/routers that do pppoe and NAT compensate for you these days though. Do a google search for something like 'adjust pppoe mtu' for more info.
-Mike
#163354 - 28/05/2003 23:43
Re: Where, oh, where have my little packets gone?
[Re: mcomb]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Funny, I was going to say it sounded like DNS trouble.
#163355 - 28/05/2003 23:51
Re: Where, oh, where have my little packets gone?
[Re: tfabris]
pooh-bah
Registered: 31/08/1999
Posts: 1649
Loc: San Carlos, CA
Funny, I was going to say it sounded like DNS trouble.
Bah, never start troubleshooting by looking for the easy solution. Actually, you may very well be correct; the MTU thing just popped into my head because I spent some time fighting those exact symptoms when ISPs had just started implementing PPPoE a couple of years back and there was almost no documentation on the problem.
-Mike
#163356 - 29/05/2003 00:30
Re: Where, oh, where have my little packets gone?
[Re: mcomb]
veteran
Registered: 19/06/2000
Posts: 1495
Loc: US: CA
Yep. I agree. I've seen this problem a few times.
If this is how he's connecting it's a fairly easy fix:
From: http://www.roaringpenguin.com/pppoe/how-to-connect.txt
I) I can browse some web sites just fine, but others stall forever.
There is probably a buggy router or firewall between you and the Web server.
One possible workaround: In /etc/ppp/pppoe.conf, find the line which reads:
CLAMPMSS=1412
Try lowering the 1412 until it works (go down in steps of 100 or so.) Each
time you lower the value, you have to restart your connection like this:
adsl-stop; adsl-start
This should work around buggy routers which do not support Path MTU discovery.
_________________________
Donato MkII/080000565 MkIIa/010101253 ricin.us
#163357 - 29/05/2003 09:09
Re: Where, oh, where have my little packets gone?
[Re: canuckInOR]
addict
Registered: 24/08/1999
Posts: 564
Loc: TX
Not just applied an update to XP by chance?
But I suppose if you are running Konqueror then you must be on a *ix system, so you don't do stuff like that!
_________________________
==========================
the chewtoy for the dog of Life
#163358 - 29/05/2003 17:30
Re: Where, oh, where have my little packets gone?
[Re: canuckInOR]
carpal tunnel
Registered: 24/12/2001
Posts: 5528
Okay. Going for highly unlikely here but you haven't turned on ECN support have you?
- Trevor
#163359 - 29/05/2003 23:35
Re: Where, oh, where have my little packets gone?
[Re: mcomb]
carpal tunnel
Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
Do you connect to your ISP with PPPoE by any chance? If so that sounds exactly like what happens if the MTU on your machines hasn't been decreased. Most firewalls/routers that do pppoe and NAT compensate for you these days though. Do a google search for something like 'adjust pppoe mtu' for more info.
I do. I know I lowered the MTU when I first set it up, though. Hmm.... my ppp0 is set to 1492, but eth0 (the physical card ppp0 is running over) is set to 1500. I'll try lowering this, and see what happens.
#163360 - 29/05/2003 23:40
Re: Where, oh, where have my little packets gone?
[Re: tfabris]
carpal tunnel
Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
DNS
Yeah, I wondered about that when I first ran into this, and it's what my brother suggested might be the problem, as well. However, that wouldn't account for why I can ping the server in question using its canonical host name, and get a reply back, but get no reply with http. If it's a problem with the MTU, as suggested, that makes more sense, since (I'm guessing) the ICMP packets are tiny, whereas the HTTP packets in question are much bigger, and get stuck.
#163364 - 30/05/2003 00:23
Re: Where, oh, where have my little packets gone?
[Re: canuckInOR]
pooh-bah
Registered: 31/08/1999
Posts: 1649
Loc: San Carlos, CA
MTU of 1492 seems to be hardwired somehow
Yeah, the pppoe spec is for 1492 so you have to make everything else match or some of your packets mysteriously disappear. Try lowering the MTU on the NIC in one of your client machines that is having issues to something under 1492 and see if that helps. If it works then you'll want to figure out how to get your NAT software to fragment packets if necessary to keep them under that size.
-Mike
#163365 - 30/05/2003 01:09
Re: Where, oh, where have my little packets gone?
[Re: mcomb]
carpal tunnel
Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
Woot. I managed to get it going with an MTU of 1452. Everything's happy now. It wasn't *quite* as simple as just changing a setting in the config file (that was part of it, though), but not as bad as I was expecting (i.e. I didn't have to hunt down the source code to the non-roaring penguin pppd implementation of pppoe that I was using). Thanks for the suggestions everybody!
A
#163366 - 30/05/2003 03:43
Re: Where, oh, where have my little packets gone?
[Re: canuckInOR]
carpal tunnel
Registered: 24/12/2001
Posts: 5528
ECN is Explicit Congestion Notification, and it's an extension to IPv4. It allows routers to tell each other about network congestion. The problem is that some firewalls and routers don't understand the bit that turns on ECN and think the packet is invalid. Therefore you'd not be able to connect to certain websites and services.
It was unlikely you'd turned it on, but it didn't hurt anything to ask.
- Trevor
#163367 - 30/05/2003 07:12
Re: Where, oh, where have my little packets gone?
[Re: canuckInOR]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
ICMP packets are tiny, whereas the HTTP packets in question are much bigger, and get stuck.
For future reference, this is fairly easy to diagnose, as most ping programs have a flag to allow you to change the size of the payload in the echo request packet.
_________________________
Bitt Faulk
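As an added example, not code posted in this thread: a small Python script that does what Bitt describes above (pings with the Don't-Fragment bit set and a growing payload until replies stop, to find the path MTU) and then derives the TCP MSS clamp that Donato's roaring penguin quote (CLAMPMSS) and Mike's "get your NAT software to fragment packets" remark point at, expressed as an iptables TCPMSS rule on the NAT box rather than a pppoe.conf setting. It assumes Linux iputils ping, where `-M do` sets DF and `-s` sets the ICMP payload size, and iptables with the TCPMSS target. The host name, the `simulated_path` stand-in and the 1492-byte black-hole path it models are constructed for the example.

```python
"""Find the path MTU with DF pings and emit the matching MSS clamp rule.

Added example, not from the thread. Assumes Linux iputils ping ("-M do"
sets Don't-Fragment, "-s" sets payload size) and iptables' TCPMSS target.
"""
import subprocess
from typing import Callable

IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo header: payload + 28 = IP packet size
TCP_HDR = 20   # TCP header without options: MSS = MTU - 40


def ping_probe_factory(host: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Return probe(payload) that sends one DF ping of that payload size to host.

    True means an echo reply came back, i.e. payload + 28 bytes fits the path.
    A local "Message too long" (bigger than the outgoing NIC's MTU) and a
    timeout (a router silently dropping the oversized packet, the black hole
    in this thread) both show up as a non-zero exit status.
    """
    def probe(payload: int) -> bool:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
               "-s", str(payload), host]
        res = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                             stderr=subprocess.DEVNULL)
        return res.returncode == 0
    return probe


def simulated_path(mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real probe: a path that silently drops any
    IP packet larger than `mtu` bytes and never sends ICMP "frag needed"."""
    return lambda payload: payload + IP_HDR + ICMP_HDR <= mtu


def find_path_mtu(probe: Callable[[int], bool],
                  lo_payload: int = 0, hi_payload: int = 1472) -> int:
    """Binary-search the largest payload that passes unfragmented; return the MTU.

    hi_payload defaults to 1472 (1500 - 28, plain Ethernet). If even that
    passes, the path MTU is reported as 1500.
    """
    if not probe(lo_payload):
        raise RuntimeError("smallest probe failed: host unreachable or ICMP filtered")
    lo, hi = lo_payload, hi_payload + 1   # invariant: lo passes, hi fails
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo + IP_HDR + ICMP_HDR


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS that keeps a full-sized segment inside one packet of this MTU."""
    return mtu - IP_HDR - TCP_HDR


def clamp_rule(mtu: int) -> str:
    """iptables mangle rule rewriting the MSS option on forwarded SYNs, so the
    internal hosts and the web servers never agree on segments the PPPoE link
    cannot carry. Matching SYN without RST targets only connection setup."""
    return ("iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN "
            f"-j TCPMSS --set-mss {mss_for_mtu(mtu)}")


if __name__ == "__main__":
    import sys
    # With a host argument, probe the real path; without one, use the
    # constructed 1492-byte PPPoE black hole so the script runs offline.
    probe = ping_probe_factory(sys.argv[1]) if len(sys.argv) > 1 else simulated_path(1492)
    mtu = find_path_mtu(probe)
    print(f"path MTU {mtu}, TCP MSS {mss_for_mtu(mtu)}")
    print(clamp_rule(mtu))
```

Run it from one of the internal machines against the server that stalls; on a 1492-byte PPPoE path the largest payload that answers is 1464 and the rule it prints sets the MSS to 1452. On the firewall itself iptables' `--clamp-mss-to-pmtu` option does the same arithmetic from the outgoing interface's MTU, which is the usual way to write the rule when ppp0 is already at 1492.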