Gentoo Forums
Forum: Networking & Security
[Solved] Win7 Can't Access Some Sites Behind Gentoo Router
solamour
l33t
Joined: 21 Dec 2004
Posts: 653
Location: San Diego, CA

PostPosted: Fri May 04, 2012 4:58 am    Post subject: [Solved] Win7 Can't Access Some Sites Behind Gentoo Router

I think I'm asking in the wrong forum, but I have a hunch I might be able to get some useful guides from gentoo experts, so here it is.

I have a simple gentoo box acting as a router. A bunch of boxes are sharing Internet connection through gentoo, and gentoo is running Shorewall (firewall).

Code:
Internet ---- gentoo ---- switch ---- bunch o' boxes


The bunch of boxes is composed of several Linux distributions as well as Windows XP and Windows 7 (x64). Everything works fine, except that I can't access certain web sites from Windows 7; all other web sites are OK, but a few that the web browsers (Firefox, Chrome, IE) try to open eventually time out. Some other sites, such as Amazon and Google, take a lot longer than others to load.

Funny thing is, when I set the browser to use gentoo's Squid (web proxy), all the troubling sites work fine, so it must be something between Windows 7 and gentoo. Windows XP and all other Linux boxes don't have this problem. I tried turning off Windows 7's firewall and gentoo's Shorewall without success.

I'd appreciate any suggestions on what to look for. Thank you.
__
sol


Last edited by solamour on Sat May 05, 2012 6:19 am; edited 1 time in total
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Fri May 04, 2012 8:08 am

A few random shots in the dark, for whatever that's worth:

- IPv6
- MTU problem

Those are the two things that spring to mind that would be added/removed from the picture based on going through a proxy or not.
Start with DNS lookups from the Win7 box, maybe a packet cap, to see if it's trying to connect to an IPv6 address.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
solamour
l33t
Joined: 21 Dec 2004
Posts: 653
Location: San Diego, CA

PostPosted: Fri May 04, 2012 8:30 pm

I thought about IPv6, but other than checking it off in Win7, I'm not sure what I can do about it.

I read something about MTU, but messing with it didn't make much difference, possibly because I wasn't doing it right.

Just to make sure I'm not missing anything, I brought the Win7 laptop to work and verified everything worked as expected. But when I bring the laptop home, it won't load certain sites.

Frankly I really don't care too much about the troubling sites, because I don't go there often enough to bother me, and when I need to, I can always use the web proxy server in Gentoo router. But it's still puzzling, and I'm not sure I'd feel good about it.
__
sol
Hu
Moderator
Joined: 06 Mar 2007
Posts: 16187

PostPosted: Fri May 04, 2012 10:33 pm

What is the output of ip a on the Gentoo machine? Blank the public IP address if you want. I want to see the interface properties, rather than their actual addresses. Have you checked a packet capture of the Windows 7 machine accessing the problematic site versus an internal Linux machine (not the Gentoo router) accessing that same site successfully?
PaulBredbury
Watchman
Joined: 14 Jul 2005
Posts: 7310

PostPosted: Sat May 05, 2012 2:31 am

solamour wrote:
MTU

Check that your firewall is not blocking ICMP packets (used e.g. for MTU negotiation).
solamour
l33t
Joined: 21 Dec 2004
Posts: 653
Location: San Diego, CA

PostPosted: Sat May 05, 2012 5:23 am

Here is the output of "ip a".

Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:01:c0:04:03:f3 brd ff:ff:ff:ff:ff:ff
    inet --.---.---.--/25 brd 255.255.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:01:c0:04:0c:ba brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.254/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::201:c0ff:fe04:cba/64 scope link
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
    link/sit 0.0.0.0 brd 0.0.0.0
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
38: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 00:25:9c:06:13:8f brd ff:ff:ff:ff:ff:ff


Not sure how to capture packets from Windows 7, but if you'd give me some directions, I'd be able to share the result.

Firewall was the first place I checked, but making it wide open didn't make any difference. Besides, it doesn't seem to explain why Windows XP, Linux, Android phone, iPod Touch, and even Wii are OK.

Also if I hook up Windows 7 directly to the cable modem with nothing in between, everything is working fine.
__
sol
PaulBredbury
Watchman
Joined: 14 Jul 2005
Posts: 7310

PostPosted: Sat May 05, 2012 5:34 am

Check the MTU that Windows 7 is using. I'm sure you can google as to how.

Quote:
mtu 576

That's the lowest setting - why so low?

Quote:
link/ether 00:01:c0:04:03:f3 brd ff:ff:ff:ff:ff:ff
inet --.---.---.--/25 brd 255.255.255.255 scope global eth0

So it's only set up for IPv6?
solamour
l33t
Joined: 21 Dec 2004
Posts: 653
Location: San Diego, CA

PostPosted: Sat May 05, 2012 6:18 am

Changing MTU of gentoo's eth0 from 576 to 1500 fixed the problem. Not sure why it was set to 576, because I don't remember doing it.

Code:
# ifconfig eth0 mtu 1500


Thank you everyone for taking time to respond. I knew Gentoo forum is the place to go.
__
sol
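Raising the router's MTU fixes the symptom; what a practitioner usually wants next is a way to confirm, from a client on the LAN, what the path really carries. The script below is an added example, not code from any post in this thread. It automates the manual don't-fragment ping test (on Linux `ping -M do -s 1472 <host>`, on Windows `ping -f -l 1472 <host>`; the Windows interface MTU itself is shown by `netsh interface ipv4 show subinterfaces`) with a binary search over sizes. It assumes Linux iputils `ping` and a target that answers echo requests; the `simulated_link` helper is a stand-in for the network so the search logic can be run offline, and with a 576-byte bottleneck it reports 576 just as a LAN host behind the misconfigured eth0 would have.

```python
"""Find the path MTU from a client with don't-fragment probes.

Added example for this thread, not code from any post. It scripts the manual
test of pinging with the DF bit set at different sizes: the largest datagram
that still gets a reply is the path MTU. With the router's eth0 at 576 this
would report 576 from any LAN host, not the 1500 the Ethernet segment allows.

Assumptions (not from the thread): Linux iputils `ping`, whose `-M do` sets DF
and `-s` sets the ICMP payload size, and a target that answers echo requests.
`simulated_link` replaces the real network so the search logic runs offline.
"""
import subprocess
import sys
from typing import Callable

IPV4_ICMP_OVERHEAD = 20 + 8   # IPv4 header + ICMP echo header, both without options
MIN_IPV4_MTU = 68             # every IPv4 link must carry at least this (RFC 791)


def ping_df(host: str, payload: int, timeout_s: int = 1) -> bool:
    """True if one DF-marked echo request with `payload` data bytes is answered."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    proc = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = MIN_IPV4_MTU, hi: int = 1500) -> int:
    """Binary-search the largest datagram size in [lo, hi] that passes with DF set.

    `probe(payload)` must return True when an echo carrying `payload` data bytes
    (datagram size payload + 28) gets through. Raises if even `lo` fails, which
    means the host is down, or ICMP is being dropped somewhere on the path.
    """
    good = lo - IPV4_ICMP_OVERHEAD          # largest payload known to pass
    limit = hi - IPV4_ICMP_OVERHEAD         # largest payload still worth trying
    if not probe(good):
        raise RuntimeError("no reply even at the minimum IPv4 MTU; host down or ICMP filtered")
    while good < limit:
        mid = (good + limit + 1) // 2       # round up so the loop always makes progress
        if probe(mid):
            good = mid
        else:
            limit = mid - 1
    return good + IPV4_ICMP_OVERHEAD


def simulated_link(path_mtu: int) -> Callable[[int], bool]:
    """Offline stand-in for `ping_df`: a probe passes iff the datagram fits `path_mtu`."""
    return lambda payload: payload + IPV4_ICMP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    if len(sys.argv) > 1:                   # real run: python3 pmtu.py <host>
        host = sys.argv[1]
        probe = lambda payload: ping_df(host, payload)
    else:                                   # offline demo of a 576-byte bottleneck
        probe = simulated_link(576)
    print("path MTU:", find_path_mtu(probe))
```

Two caveats worth keeping in mind when reading the result: a probe that gets no reply looks the same whether the packet was too big or the ICMP "fragmentation needed" answer was filtered on the way back, which is the ICMP-blocking failure PaulBredbury mentions earlier in the thread; and the search only sees the path to the host you name, so probe something on the far side of the router, not the router itself.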
PaulBredbury
Watchman
Joined: 14 Jul 2005
Posts: 7310

PostPosted: Sat May 05, 2012 6:25 am

Probably your DHCP changes it.
solamour
l33t
Joined: 21 Dec 2004
Posts: 653
Location: San Diego, CA

PostPosted: Sat May 05, 2012 7:54 am

Indeed. I noticed that gentoo's MTU was changed back to 576 automatically, and when I commented out "option interface_mtu" in "/etc/dhcpcd.conf", the value has been staying as is so far. Thanks for the help.
__
sol
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Sat May 05, 2012 9:00 am

solamour wrote:

Not sure how to capture packets from Windows 7, but if you'd give me some directions, I'd be able to share the result.


Realize this is solved, but for future reference, Wireshark is available for Windows.
Download, run the installer, Capture => Interfaces => Start.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 16187

PostPosted: Sat May 05, 2012 4:08 pm

I wanted to see the network capture as done by the Gentoo router, but with clients running on the working and non-working internal systems.

With regard to the MTU, I have encountered DHCP servers that suggest the minimum MTU to the DHCP client, even when, as in this case, a more common MTU of 1500 works at least as well, if not better. These servers are usually operated by individuals who are unaware that their server is wrong, unable to fix it, or uninterested in fixing it. Advertising an unnecessarily low MTU is bad practice, so anyone who can fix their server to advertise the proper MTU should do so. In my opinion, anyone who runs a DHCP server exposed to end users should know that this is bad practice and should have fixed it before the end users ever discovered the bad advertisement. As described in WP: MTU, there are some situations where advertising a smaller MTU is better, but I doubt that any of those justifications apply here.
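The mechanism behind both of the last two exchanges (solamour's `option interface_mtu` in /etc/dhcpcd.conf, and Hu's point about servers that advertise the minimum) is DHCP option 26, Interface MTU (RFC 2132 section 5.1: a two-byte value whose legal minimum is 68). The code below is an added example, not from any post and not dhcpcd's own code: it parses the option area of a DHCP message the way a client does and applies the sanity check the thread argues for, refusing to honour an advertised MTU that makes no sense for an Ethernet uplink. The DHCPOFFER it builds is constructed sample data (fake MAC, transaction id and RFC 5737 test addresses); only the advertised value, 576, is taken from the thread. The 1280 floor in `acceptable_mtu` is an assumption to tune for the link.

```python
"""Decode the Interface MTU option a DHCP server hands out, and sanity-check it.

Added example for this thread, not part of any post and not dhcpcd code.
dhcpcd kept re-applying MTU 576 to eth0 because the upstream server advertises
it in option 26 (Interface MTU, RFC 2132 5.1) and dhcpcd.conf requested that
option. This parses a DHCP message's options and checks the value before use.

The DHCPOFFER built here is constructed sample data, not a capture.
"""
import struct
from typing import Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # separates the fixed BOOTP fields from the options
OPT_PAD, OPT_END = 0, 255
OPT_SUBNET, OPT_ROUTER, OPT_INTERFACE_MTU, OPT_MSG_TYPE = 1, 3, 26, 53
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp_options(msg: bytes) -> Dict[int, bytes]:
    """Return {code: raw value} for the TLV options of a DHCP message (RFC 2131)."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: too short or no magic cookie")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(msg):
        code = msg[i]
        if code == OPT_PAD:           # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(msg):
            raise ValueError("truncated option header at offset %d" % i)
        length = msg[i + 1]
        value = msg[i + 2 : i + 2 + length]
        if len(value) != length:      # declared length runs past the packet
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def interface_mtu(opts: Dict[int, bytes]) -> Optional[int]:
    """Option 26 as an unsigned 16-bit integer, or None if absent or malformed."""
    raw = opts.get(OPT_INTERFACE_MTU)
    if raw is None or len(raw) != 2:
        return None
    return struct.unpack("!H", raw)[0]


def acceptable_mtu(mtu: Optional[int], floor: int = 1280, ceiling: int = 1500) -> bool:
    """Policy check: honour an advertised MTU only inside [floor, ceiling].

    The 1280 floor is an assumption for an Ethernet uplink, where 576 is never
    the right answer (1280 is also the IPv6 minimum); lower it for a genuinely
    narrow link. Anything above the link's own MTU is equally suspect.
    """
    return mtu is not None and floor <= mtu <= ceiling


def build_offer(mtu: Optional[int]) -> bytes:
    """Construct a minimal DHCPOFFER carrying option 26 (sample data, not a capture)."""
    fixed = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)        # BOOTREPLY, Ethernet, hlen 6, xid
    fixed += bytes([0, 0, 0, 0, 198, 51, 100, 20, 198, 51, 100, 1, 0, 0, 0, 0])  # ciaddr yiaddr siaddr giaddr
    fixed += b"\x02\x00\x00\x00\x00\x01" + b"\x00" * 10                  # chaddr (16 bytes, fake MAC)
    fixed += b"\x00" * 64 + b"\x00" * 128                                # sname, file
    assert len(fixed) == 236
    opts = bytes([OPT_MSG_TYPE, 1, 2])                                   # DHCPOFFER
    opts += bytes([OPT_SUBNET, 4, 255, 255, 255, 128])                   # a /25 like the one on eth0
    opts += bytes([OPT_ROUTER, 4, 198, 51, 100, 1])
    if mtu is not None:
        opts += bytes([OPT_INTERFACE_MTU, 2]) + struct.pack("!H", mtu)
    opts += bytes([OPT_END])
    return fixed + MAGIC_COOKIE + opts


if __name__ == "__main__":
    offer = build_offer(576)
    opts = parse_dhcp_options(offer)
    mtu = interface_mtu(opts)
    print("message type:", MSG_TYPES.get(opts[OPT_MSG_TYPE][0]))
    print("advertised interface MTU:", mtu)
    print("apply it?", acceptable_mtu(mtu))
```

The thread's fix, no longer requesting the option in dhcpcd.conf, is the blunt version of this check: the client stops asking, so nothing the server says about MTU is ever applied. A parser like the one above is what you want when you do want to accept a sane value but never a bogus one, and it is also a reasonable place to log which server sent what, since a rogue DHCP server on the segment can push the same option.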
solamour
l33t
Joined: 21 Dec 2004
Posts: 653
Location: San Diego, CA

PostPosted: Sun May 06, 2012 6:41 am

When I ran Wireshark on Windows 7 to capture data, I noticed that with the gentoo box's MTU set to 576, a lot of "Time-to-live exceeded (Fragment reassembly time exceeded)" entries were in the log. With 1500, everything went through smoothly. Perhaps that might be the reason some sites load properly while others don't.

I'd share the network capture from the gentoo router, if someone shows me how to do so. The gentoo box doesn't have the graphical interface, so I need to use a console-based tool.
__
sol
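The message Wireshark labels "Time-to-live exceeded (Fragment reassembly time exceeded)" is ICMP type 11, code 1 (RFC 792): a host received some fragments of a datagram, waited for the rest, and gave up when its reassembly timer ran out. With eth0 at MTU 576, the router has to cut every larger datagram it forwards out that interface into fragments unless DF is set, so that is the traffic those errors are about. The code below is an added example, not from any post: it fragments a full 1500-byte datagram for a 576-byte MTU the way RFC 791 describes (offsets in 8-byte units, More Fragments flag), reassembles the pieces on the receiving side, and shows the hole a single lost fragment leaves, which is the condition that ends in that ICMP message. The datagram, its RFC 5737 test addresses and the dropped-fragment scenario are constructed for the example; header checksums are real, IP options are not handled.

```python
"""Fragment an IPv4 datagram for a 576-byte MTU and reassemble it at the far end.

Added example for this thread, not from any post. Wireshark's "Fragment
reassembly time exceeded" is ICMP type 11, code 1: a receiver gave up waiting
for the rest of a fragmented datagram. This shows the split a router does at
MTU 576 and why a missing piece leaves the receiver stuck.

The datagram and the lost-fragment scenario are constructed sample data.
"""
import struct
from typing import Dict, List, Optional, Tuple

IPV4_HLEN = 20
FLAG_DF = 0x4000            # Don't Fragment
FLAG_MF = 0x2000            # More Fragments
OFFSET_MASK = 0x1FFF        # fragment offset, in units of 8 bytes
HDR_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags+offset, ttl, proto, csum, src, dst


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 when a header verifies)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_header(ident: int, flags_off: int, payload_len: int, proto: int, src: bytes, dst: bytes) -> bytes:
    """20-byte IPv4 header without options, TTL 64, checksum filled in."""
    hdr = struct.pack(HDR_FMT, 0x45, 0, IPV4_HLEN + payload_len, ident, flags_off, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_datagram(payload: bytes, ident: int = 0x1234, df: bool = False) -> bytes:
    """A TCP-in-IPv4 datagram between constructed test addresses."""
    src, dst = bytes([192, 168, 0, 20]), bytes([203, 0, 113, 9])
    return build_header(ident, FLAG_DF if df else 0, len(payload), 6, src, dst) + payload


def fragment(datagram: bytes, mtu: int) -> List[bytes]:
    """Split one datagram into pieces no larger than `mtu`, as a forwarding router would."""
    ver_ihl, _, total, ident, flags_off, _, proto, _, src, dst = struct.unpack(HDR_FMT, datagram[:IPV4_HLEN])
    if (ver_ihl & 0x0F) != 5:
        raise ValueError("IP options not handled")
    if total <= mtu:
        return [datagram]
    if flags_off & FLAG_DF:
        # A router must drop the packet and answer ICMP type 3 code 4 instead;
        # if a firewall eats that ICMP, the sender never learns the path MTU.
        raise ValueError("DF set: packet must be dropped with ICMP fragmentation needed")
    payload = datagram[IPV4_HLEN:total]
    step = (mtu - IPV4_HLEN) // 8 * 8            # data per fragment, a multiple of 8
    base_off = flags_off & OFFSET_MASK
    frags = []
    for pos in range(0, len(payload), step):
        chunk = payload[pos:pos + step]
        last = pos + len(chunk) == len(payload)
        mf = (flags_off & FLAG_MF) if last else FLAG_MF   # keep MF if the input was itself a fragment
        frags.append(build_header(ident, mf | (base_off + pos // 8), len(chunk), proto, src, dst) + chunk)
    return frags


def reassemble(frags: List[bytes]) -> Optional[bytes]:
    """Rebuild the datagram, or return None while any piece is still missing.

    None is the state a receiver sits in until its timer fires and it reports
    ICMP time exceeded, code 1, for the datagram.
    """
    pieces: Dict[int, bytes] = {}
    meta: Optional[Tuple[int, int, bytes, bytes]] = None
    end = None
    for f in frags:
        _, _, total, ident, flags_off, _, proto, _, src, dst = struct.unpack(HDR_FMT, f[:IPV4_HLEN])
        off = (flags_off & OFFSET_MASK) * 8
        pieces[off] = f[IPV4_HLEN:total]
        if not flags_off & FLAG_MF:
            end = off + len(pieces[off])         # only the last fragment reveals the full length
        meta = (ident, proto, src, dst)
    if end is None or meta is None:
        return None
    data = b""
    for off in sorted(pieces):
        if off != len(data):                     # a hole: the fragment before this one is missing
            return None
        data += pieces[off]
    if len(data) != end:
        return None
    ident, proto, src, dst = meta
    return build_header(ident, 0, len(data), proto, src, dst) + data


if __name__ == "__main__":
    dg = build_datagram(bytes(range(256)) * 5 + b"\x00" * 200)   # 1480 data bytes: a full 1500-byte packet
    frags = fragment(dg, 576)
    for f in frags:
        flags_off = struct.unpack(HDR_FMT, f[:IPV4_HLEN])[4]
        print("len=%d offset=%d MF=%d" % (len(f), (flags_off & OFFSET_MASK) * 8, bool(flags_off & FLAG_MF)))
    print("all fragments present:", reassemble(frags) == dg)
    print("middle fragment lost:", reassemble([frags[0], frags[2]]))   # None: reassembly will time out
```

To see the same thing in the captures the thread discusses: on the router, `tcpdump -i eth0 -s0 -w frag.pcap 'icmp or ip[6:2] & 0x3fff != 0'` keeps only ICMP and packets with either the MF flag or a non-zero fragment offset, and in Wireshark the display filter `icmp.type == 11 && icmp.code == 1` isolates the reassembly-timeout reports.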
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Sun May 06, 2012 8:31 am

solamour wrote:
When I ran Wireshark on Windows 7 to capture data, I noticed that with the gentoo box's MTU set to 576, a lot of "Time-to-live exceeded (Fragment reassembly time exceeded)" entries were in the log. With 1500, everything went through smoothly. Perhaps that might be the reason some sites load properly while others don't.

I'd share the network capture from the gentoo router, if someone shows me how to do so. The gentoo box doesn't have the graphical interface, so I need to use a console-based tool.
__
sol


tcpdump will work on the gentoo box, e.g.

Code:

tcpdump -s0 -w somefilename.pcap


Wireshark can also save .cap/.pcap (I think it's just File => Save, but I don't have Wireshark handy here).

In addition you can read the pcap made from tcpdump on the gentoo machine, using Wireshark on the Windows machine (the usual File => Open stuff).

There are more flags you can add to tcpdump to prune out data, but the -s0 makes sure full packets are captured, and the -w specifies to write the output to a file (with the file name taken as the argument to -w).
solamour
l33t
Joined: 21 Dec 2004
Posts: 653
Location: San Diego, CA

PostPosted: Mon May 07, 2012 8:34 am

Not sure it's safe to share the capture files with the world (let me know if that's not the case), but in the name of experiment, here they are. The captures were done from the gentoo box using tcpdump.

http://dl.dropbox.com/u/9810590/mtu1500_good.pcap
http://dl.dropbox.com/u/9810590/mtu576_bad.pcap

I see a lot of entries in red text when I open "mtu576_bad.pcap" in Wireshark, which, I believe, is not a good sign. Anyhow, I now know what the problem is and how to solve it. The troubling web sites are loading blazingly fast. Thank you all.
__
sol