Weblog entry #1 for rak
ADSL router problem after Kernel update
Posted by rak on Sat 4 Mar 2006 at 02:01
Recently I had to reinstall my home router; this was an old woody dist-upgraded to sarge with a 2.4.27 kernel. I have a private network 192... for a couple of Windows and Linux boxes.
The machine crashed and I only backed up some config files and the data partition.
After installing a brand new sarge with updated packages and the precompiled kernel 2.6.8, I began to notice that there were some troubles connecting to some www sites from the Windows boxes. Especially sites like www.mininova.org or www.astalavista.com couldn't be accessed at all, or the connection would take long and hang. Sometimes the page would half load, and on reloading the page it could eventually load most of it.
At the same time, if I try to load that same page with lynx from the router, it loads fast and without any problem.
The iptables configuration is simple and worked fine until the upgrade:
bane:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere isp.provider.com tcp dpts:6881:6999 to:192.168.0.3:6881-6999
DNAT tcp -- anywhere isp.provider.com tcp dpts:10000:60000 to:192.168.0.3:10000-60000
DNAT udp -- anywhere isp.provider.com udp dpt:4672 to:192.168.0.3:4672
DNAT tcp -- anywhere isp.provider.com tcp dpt:4662 to:192.168.0.3:4662
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I googled around but found nothing about it, only some references to net.ipv4 in kernel 2.6, but the config was OK.
Did anyone else here have something similar to this problem, or does anyone have any idea what could be wrong?
Comments on this Entry
Hrm... Sorry, thanx for any help. =)
cya
rak
[ Parent | Reply to this comment ]
Posted by Utumno (218.160.xx.xx) on Mon 6 Mar 2006 at 17:14
How do you connect to your ISP? Is it a Bridged/DHCP or PPPoE? If it is PPPoE, your symptoms sound like the MTU of the external network interface is too high. Probably should be 1492, or even lower if some routers in your network are misconfigured... Try lowering it and see if it helps.
[ Parent | Reply to this comment ]
Connection is through PPPoE and is using the default MTU. I'll try it and post a comment.
Thanks
rak
[ Parent | Reply to this comment ]
I tried some changes to the MTU but it didn't work, so I decided to google around, now including the MTU in the search, and found some advice in the lartc cookbook which seems to solve the problem. To summarize the page, you have to issue the following iptables command:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Which will circumvent the Path MTU Discovery problem and use Maximum Segment Size (MSS), which might break both ends, but it works fine for me and for some other people, as lartc claims.
In any case here is the link to lartc.
http://lartc.org/howto/lartc.cookbook.mtu-mss.html
Thanks to Utumno for putting me on the trail, and to Bert Hubert for lartc.
Cya,
rak
[ Parent | Reply to this comment ]
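The thread above names two remedies, an MTU of 1492 for PPPoE and an MSS clamp on forwarded SYN packets. The following shell sketch is an added example, not part of the original post or of lartc: it measures the path MTU with Don't Fragment pings and derives the matching MSS. The function names and the `ppp0` interface are assumptions, and the demo uses a simulated 1492-byte path so it runs offline.

```shell
#!/bin/sh
# Added example (not from the post): binary-search the path MTU, derive the MSS.

# probe SIZE HOST: true if an ICMP echo with SIZE payload bytes and the
# Don't Fragment bit set gets a reply (Linux iputils ping).
probe() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# Constructed stand-in for a PPPoE path (MTU 1492) so the demo runs offline.
fake_pppoe_probe() {
    [ $(( $1 + 28 )) -le 1492 ]
}

# find_pmtu HOST [PROBE_FN]: largest IPv4 packet that passes unfragmented.
# Packet size = ICMP payload + 8 (ICMP header) + 20 (IPv4 header).
find_pmtu() {
    host=$1
    fn=${2:-probe}
    lo=548     # payload of a 576-byte packet, used as the search floor
    hi=1472    # payload of a 1500-byte Ethernet packet
    "$fn" "$lo" "$host" || return 1   # host down or ICMP filtered: no answer
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$fn" "$mid" "$host"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo $(( lo + 28 ))
}

# mss_for_mtu MTU: MSS = MTU - 20 (IPv4 header) - 20 (TCP header).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# clamp_rule MTU IFACE: fixed-value alternative to --clamp-mss-to-pmtu.
# IFACE (ppp0 in the demo) is an assumed interface name.
clamp_rule() {
    echo "iptables -A FORWARD -o $2 -p tcp --tcp-flags SYN,RST SYN" \
         "-j TCPMSS --set-mss $(mss_for_mtu "$1")"
}

# Demo against the simulated path; drop the second argument to probe for real.
mtu=$(find_pmtu example.invalid fake_pppoe_probe)
echo "path MTU: $mtu"
clamp_rule "$mtu" ppp0
```

A real run is only meaningful from a host behind the router, since traffic originating on the router itself already uses the PPPoE interface MTU.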