Gentoo Forums
packet loss with iptables nat router (MTU problem) [solved]
till (n00b; Joined: 19 Sep 2007; Posts: 22)
Posted: Mon May 19, 2014 4:05 pm    Post subject: packet loss with iptables nat router (MTU problem) [solved]

Hi,
I have a very strange error regarding my new Gentoo router. I experience packet loss, but only to some networks and on some ports/services.

I have set up the router to connect my Internet connection (ppp0 over eth1) to my local LAN (eth0 / 192.168.2.15, network 192.168.2.0/25).

I have also configured iptables together with NAT:

Code:

wgs-l13 ~ # iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:rplay to:192.168.2.20:5555
    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:ftp-data to:192.168.2.20:20
    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:ftp to:192.168.2.20:21
    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:2202 to:192.168.2.31:22
    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:8001 to:192.168.2.34:8001
    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:8002 to:192.168.2.37:8002
    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:8090 to:192.168.2.39:8090
    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:44301 to:192.168.2.34:44301
    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:44302 to:192.168.2.37:44302
    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:44303 to:192.168.2.31:443
    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:60000 to:192.168.2.20:60000
    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:60001 to:192.168.2.20:60001
    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:60002 to:192.168.2.20:60002
    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:60003 to:192.168.2.20:60003
    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:60004 to:192.168.2.20:60004
    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:60005 to:192.168.2.20:60005
    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:60006 to:192.168.2.20:60006
    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:60007 to:192.168.2.20:60007
    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:60008 to:192.168.2.20:60008
    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:60009 to:192.168.2.20:60009

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  any    ppp0    anywhere             anywhere           

Chain LOGMASQUERADE (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             LOG level warning prefix "FW-MASQUERADE: "
    0     0 MASQUERADE  all  --  any    any     anywhere             anywhere           
wgs-l13 ~ # iptables -v -L
Chain INPUT (policy ACCEPT 47 packets, 2932 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  ppp0   any     anywhere             anywhere             tcp dpts:0:1023
    0     0 DROP       udp  --  ppp0   any     anywhere             anywhere             udp dpts:0:1023

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  eth0   any     anywhere             192.168.2.0/25     
   24  6936 ACCEPT     all  --  eth0   any     192.168.2.0/25       anywhere           
   33  2216 ACCEPT     all  --  ppp0   any     anywhere             192.168.2.0/25     

Chain OUTPUT (policy ACCEPT 37 packets, 7512 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain LOGACCEPT (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             LOG level warning prefix "FW-ACCEPT: "
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere           

Chain LOGDROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             LOG level warning prefix "FW-DROP: "
    0     0 DROP       all  --  any    any     anywhere             anywhere         



At this point I am able to browse many Internet sites and also ssh to many servers with a stable connection.

However, there are some networks that are suffering packet loss. E.g. if I try to reach my university's unimail website, it hangs; if I open movie4k in a browser it also hangs. I have also experienced hanging ssh sessions to the network of my university. Sometimes I am able to connect, but if I cat a file, the connection is lost after a few lines are displayed. The strange thing is that ftp or imap are working well on these networks; only http(s) and ssh are suffering. So I guess this is a masquerading issue, but I have no clue what kind.

So I tcpdumped an ssh session from my university's computer (78.50.73.80) to my home server (192.168.2.20) over the router (public address at this time: 78.50.73.80), and there are some packets that never show up on the other side. The strange thing is that the packet does not show up even when it is resent, while other packets go through:

University Computer:
Code:

granit ~ # tcpdump -i br0 -n -vvv 'host 78.50.73.80 and tcp port 5555'
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:38:59.821397 IP (tos 0x0, ttl 64, id 26615, offset 0, flags [DF], proto TCP (6), length 60)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [S], cksum 0xb874 (correct), seq 2341522184, win 29200, options [mss 1460,sackOK,TS val 23637247 ecr 0,nop,wscale 7], length 0
16:38:59.842965 IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    78.50.73.80.5555 > 129.217.38.151.49876: Flags [S.], cksum 0xa7c1 (correct), seq 1166425740, ack 2341522185, win 28960, options [mss 1460,sackOK,TS val 2035291183 ecr 23637247,nop,wscale 7], length 0
16:38:59.843010 IP (tos 0x0, ttl 64, id 26616, offset 0, flags [DF], proto TCP (6), length 52)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x46b3 (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 23637269 ecr 2035291183], length 0
16:38:59.843218 IP (tos 0x0, ttl 64, id 26617, offset 0, flags [DF], proto TCP (6), length 83)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [P.], cksum 0x112e (correct), seq 1:32, ack 1, win 229, options [nop,nop,TS val 23637269 ecr 2035291183], length 31
16:38:59.863839 IP (tos 0x0, ttl 50, id 10953, offset 0, flags [DF], proto TCP (6), length 52)
    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], cksum 0x4681 (correct), seq 1, ack 32, win 227, options [nop,nop,TS val 2035291204 ecr 23637269], length 0
16:38:59.884297 IP (tos 0x0, ttl 50, id 10954, offset 0, flags [DF], proto TCP (6), length 83)
    78.50.73.80.5555 > 129.217.38.151.49876: Flags [P.], cksum 0x10f6 (correct), seq 1:32, ack 32, win 227, options [nop,nop,TS val 2035291210 ecr 23637269], length 31

16:38:59.884335 IP (tos 0x0, ttl 64, id 26618, offset 0, flags [DF], proto TCP (6), length 52)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x4631 (correct), seq 32, ack 32, win 229, options [nop,nop,TS val 23637310 ecr 2035291210], length 0
16:38:59.884917 IP (tos 0x0, ttl 64, id 26619, offset 0, flags [DF], proto TCP (6), length 1500)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0xf3db (correct), seq 32:1480, ack 32, win 229, options [nop,nop,TS val 23637311 ecr 2035291210], length 1448
16:38:59.884926 IP (tos 0x0, ttl 64, id 26620, offset 0, flags [DF], proto TCP (6), length 572)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [P.], cksum 0xc213 (correct), seq 1480:2000, ack 32, win 229, options [nop,nop,TS val 23637311 ecr 2035291210], length 520

16:38:59.904613 IP (tos 0x0, ttl 50, id 10956, offset 0, flags [DF], proto TCP (6), length 1492)
    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], cksum 0x85fd (correct), seq 32:1472, ack 32, win 227, options [nop,nop,TS val 2035291211 ecr 23637269], length 1440

16:38:59.905637 IP (tos 0x0, ttl 50, id 10959, offset 0, flags [DF], proto TCP (6), length 64)
    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], cksum 0x4eb5 (correct), seq 1680, ack 32, win 235, options [nop,nop,TS val 2035291246 ecr 23637310,nop,nop,sack 1 {1480:2000}], length 0

16:38:59.907315 IP (tos 0x0, ttl 50, id 10957, offset 0, flags [DF], proto TCP (6), length 60)
    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], cksum 0x086c (correct), seq 1472:1480, ack 32, win 227, options [nop,nop,TS val 2035291211 ecr 23637269], length 8
16:38:59.907342 IP (tos 0x0, ttl 64, id 26621, offset 0, flags [DF], proto TCP (6), length 52)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x38ab (correct), seq 2000, ack 1480, win 251, options [nop,nop,TS val 23637333 ecr 2035291211], length 0
16:38:59.911577 IP (tos 0x0, ttl 64, id 26622, offset 0, flags [DF], proto TCP (6), length 1500)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0xee01 (correct), seq 32:1480, ack 1480, win 251, options [nop,nop,TS val 23637338 ecr 2035291211], length 1448

16:38:59.932578 IP (tos 0x0, ttl 50, id 10958, offset 0, flags [DF], proto TCP (6), length 252)
    78.50.73.80.5555 > 129.217.38.151.49876: Flags [P.], cksum 0x6942 (correct), seq 1480:1680, ack 32, win 227, options [nop,nop,TS val 2035291245 ecr 23637310], length 200
16:38:59.972567 IP (tos 0x0, ttl 64, id 26623, offset 0, flags [DF], proto TCP (6), length 52)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x3768 (correct), seq 2000, ack 1680, win 274, options [nop,nop,TS val 23637399 ecr 2035291245], length 0
16:39:00.132583 IP (tos 0x0, ttl 64, id 26624, offset 0, flags [DF], proto TCP (6), length 1500)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0xec23 (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23637559 ecr 2035291245], length 1448
16:39:00.575593 IP (tos 0x0, ttl 64, id 26625, offset 0, flags [DF], proto TCP (6), length 1500)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0xea68 (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23638002 ecr 2035291245], length 1448
16:39:01.461602 IP (tos 0x0, ttl 64, id 26626, offset 0, flags [DF], proto TCP (6), length 1500)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0xe6f2 (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23638888 ecr 2035291245], length 1448
16:39:03.233601 IP (tos 0x0, ttl 64, id 26627, offset 0, flags [DF], proto TCP (6), length 1500)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0xe006 (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23640660 ecr 2035291245], length 1448
16:39:06.781600 IP (tos 0x0, ttl 64, id 26628, offset 0, flags [DF], proto TCP (6), length 1500)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0xd22a (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23644208 ecr 2035291245], length 1448
16:39:13.869615 IP (tos 0x0, ttl 64, id 26629, offset 0, flags [DF], proto TCP (6), length 1500)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0xb67a (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23651296 ecr 2035291245], length 1448
16:39:18.060208 IP (tos 0x0, ttl 64, id 26630, offset 0, flags [DF], proto TCP (6), length 100)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [FP.], cksum 0xc03a (correct), seq 2000:2048, ack 1680, win 274, options [nop,nop,TS val 23655486 ecr 2035291245], length 48
16:39:18.080920 IP (tos 0x0, ttl 50, id 10960, offset 0, flags [DF], proto TCP (6), length 64)
    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], cksum 0x077c (correct), seq 1680, ack 32, win 243, options [nop,nop,TS val 2035309422 ecr 23637310,nop,nop,sack 1 {1480:2049}], length 0
16:39:28.045584 IP (tos 0x0, ttl 64, id 26631, offset 0, flags [DF], proto TCP (6), length 1500)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x3819 (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23665472 ecr 2035309422], length 1448
16:39:28.488589 IP (tos 0x0, ttl 64, id 26632, offset 0, flags [DF], proto TCP (6), length 1500)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x365e (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23665915 ecr 2035309422], length 1448
16:39:29.373605 IP (tos 0x0, ttl 64, id 26633, offset 0, flags [DF], proto TCP (6), length 1500)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x32e9 (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23666800 ecr 2035309422], length 1448
16:39:31.145612 IP (tos 0x0, ttl 64, id 26634, offset 0, flags [DF], proto TCP (6), length 1500)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x2bfd (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23668572 ecr 2035309422], length 1448
16:39:34.685574 IP (tos 0x0, ttl 64, id 26635, offset 0, flags [DF], proto TCP (6), length 1500)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x1e29 (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23672112 ecr 2035309422], length 1448
^C
29 packets captured
29 packets received by filter
0 packets dropped by kernel
4294963701 packets dropped by interface



-> resends packet 32:1480, but it never appears on the other side
-> other packets do (sent before and after that packet)


Router:
Code:

wgs-l13 ~ # tcpdump -i ppp0 -n -vvv 'host 129.217.38.151 and tcp port 5555'
tcpdump: listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
16:39:03.444604 IP (tos 0x0, ttl 55, id 26615, offset 0, flags [DF], proto TCP (6), length 60)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [S], cksum 0xb874 (correct), seq 2341522184, win 29200, options [mss 1460,sackOK,TS val 23637247 ecr 0,nop,wscale 7], length 0
16:39:03.445021 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    78.50.73.80.5555 > 129.217.38.151.49876: Flags [S.], cksum 0xa7c1 (correct), seq 1166425740, ack 2341522185, win 28960, options [mss 1460,sackOK,TS val 2035291183 ecr 23637247,nop,wscale 7], length 0
16:39:03.465650 IP (tos 0x0, ttl 55, id 26616, offset 0, flags [DF], proto TCP (6), length 52)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x46b3 (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 23637269 ecr 2035291183], length 0
16:39:03.465697 IP (tos 0x0, ttl 55, id 26617, offset 0, flags [DF], proto TCP (6), length 83)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [P.], cksum 0x112e (correct), seq 1:32, ack 1, win 229, options [nop,nop,TS val 23637269 ecr 2035291183], length 31
16:39:03.466301 IP (tos 0x0, ttl 63, id 10953, offset 0, flags [DF], proto TCP (6), length 52)
    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], cksum 0x4681 (correct), seq 1, ack 32, win 227, options [nop,nop,TS val 2035291204 ecr 23637269], length 0
16:39:03.472032 IP (tos 0x0, ttl 63, id 10954, offset 0, flags [DF], proto TCP (6), length 83)
    78.50.73.80.5555 > 129.217.38.151.49876: Flags [P.], cksum 0x10f6 (correct), seq 1:32, ack 32, win 227, options [nop,nop,TS val 2035291210 ecr 23637269], length 31




16:39:03.473080 IP (tos 0x0, ttl 63, id 10956, offset 0, flags [DF], proto TCP (6), length 1492)
    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], cksum 0x85fd (correct), seq 32:1472, ack 32, win 227, options [nop,nop,TS val 2035291211 ecr 23637269], length 1440
16:39:03.473118 IP (tos 0x0, ttl 63, id 10957, offset 0, flags [DF], proto TCP (6), length 60)
    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], cksum 0x086c (correct), seq 1472:1480, ack 32, win 227, options [nop,nop,TS val 2035291211 ecr 23637269], length 8
16:39:03.506759 IP (tos 0x0, ttl 55, id 26618, offset 0, flags [DF], proto TCP (6), length 52)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x4631 (correct), seq 32, ack 32, win 229, options [nop,nop,TS val 23637310 ecr 2035291210], length 0
16:39:03.506896 IP (tos 0x0, ttl 63, id 10958, offset 0, flags [DF], proto TCP (6), length 252)
    78.50.73.80.5555 > 129.217.38.151.49876: Flags [P.], cksum 0x6942 (correct), seq 1480:1680, ack 32, win 227, options [nop,nop,TS val 2035291245 ecr 23637310], length 200
16:39:03.507773 IP (tos 0x0, ttl 55, id 26620, offset 0, flags [DF], proto TCP (6), length 572)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [P.], cksum 0xc213 (correct), seq 1480:2000, ack 32, win 229, options [nop,nop,TS val 23637311 ecr 2035291210], length 520
16:39:03.507885 IP (tos 0x0, ttl 63, id 10959, offset 0, flags [DF], proto TCP (6), length 64)
    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], cksum 0x4eb5 (correct), seq 1680, ack 32, win 235, options [nop,nop,TS val 2035291246 ecr 23637310,nop,nop,sack 1 {1480:2000}], length 0
16:39:03.530632 IP (tos 0x0, ttl 55, id 26621, offset 0, flags [DF], proto TCP (6), length 52)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x38ab (correct), seq 2000, ack 1480, win 251, options [nop,nop,TS val 23637333 ecr 2035291211], length 0
16:39:03.595707 IP (tos 0x0, ttl 55, id 26623, offset 0, flags [DF], proto TCP (6), length 52)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x3768 (correct), seq 2000, ack 1680, win 274, options [nop,nop,TS val 23637399 ecr 2035291245], length 0
16:39:21.684292 IP (tos 0x0, ttl 55, id 26630, offset 0, flags [DF], proto TCP (6), length 100)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [FP.], cksum 0xc03a (correct), seq 2000:2048, ack 1680, win 274, options [nop,nop,TS val 23655486 ecr 2035291245], length 48
16:39:21.684487 IP (tos 0x0, ttl 63, id 10960, offset 0, flags [DF], proto TCP (6), length 64)
    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], cksum 0x077c (correct), seq 1680, ack 32, win 243, options [nop,nop,TS val 2035309422 ecr 23637310,nop,nop,sack 1 {1480:2049}], length 0
^C
16 packets captured
16 packets received by filter
0 packets dropped by kernel



Home Server:
Code:

# tcpdump -i br0 -n -vvv 'host 129.217.38.151 and tcp port 5555'
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:38:59.828490 IP (tos 0x0, ttl 54, id 26615, offset 0, flags [DF], proto TCP (6), length 60)
    129.217.38.151.49876 > 192.168.2.20.5555: Flags [S], cksum 0x8d3a (correct), seq 2341522184, win 29200, options [mss 1460,sackOK,TS val 23637247 ecr 0,nop,wscale 7], length 0
16:38:59.828549 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.2.20.5555 > 129.217.38.151.49876: Flags [S.], cksum 0x6b5b (incorrect -> 0x7c87), seq 1166425740, ack 2341522185, win 28960, options [mss 1460,sackOK,TS val 2035291183 ecr 23637247,nop,wscale 7], length 0
16:38:59.849517 IP (tos 0x0, ttl 54, id 26616, offset 0, flags [DF], proto TCP (6), length 52)
    129.217.38.151.49876 > 192.168.2.20.5555: Flags [.], cksum 0x1b79 (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 23637269 ecr 2035291183], length 0
16:38:59.849911 IP (tos 0x0, ttl 54, id 26617, offset 0, flags [DF], proto TCP (6), length 83)
    129.217.38.151.49876 > 192.168.2.20.5555: Flags [P.], cksum 0xe5f3 (correct), seq 1:32, ack 1, win 229, options [nop,nop,TS val 23637269 ecr 2035291183], length 31
16:38:59.849930 IP (tos 0x0, ttl 64, id 10953, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.20.5555 > 129.217.38.151.49876: Flags [.], cksum 0x6b53 (incorrect -> 0x1b47), seq 1, ack 32, win 227, options [nop,nop,TS val 2035291204 ecr 23637269], length 0
16:38:59.855731 IP (tos 0x0, ttl 64, id 10954, offset 0, flags [DF], proto TCP (6), length 83)
    192.168.2.20.5555 > 129.217.38.151.49876: Flags [P.], cksum 0x6b72 (incorrect -> 0xe5bb), seq 1:32, ack 32, win 227, options [nop,nop,TS val 2035291210 ecr 23637269], length 31

16:38:59.856496 IP (tos 0x0, ttl 64, id 10955, offset 0, flags [DF], proto TCP (6), length 1500)
    192.168.2.20.5555 > 129.217.38.151.49876: Flags [.], cksum 0x70fb (incorrect -> 0x2274), seq 32:1480, ack 32, win 227, options [nop,nop,TS val 2035291211 ecr 23637269], length 1448

16:38:59.856749 IP (tos 0x0, ttl 64, id 10956, offset 0, flags [DF], proto TCP (6), length 1492)
    192.168.2.20.5555 > 129.217.38.151.49876: Flags [.], cksum 0x70f3 (incorrect -> 0x5ac3), seq 32:1472, ack 32, win 227, options [nop,nop,TS val 2035291211 ecr 23637269], length 1440
16:38:59.856759 IP (tos 0x0, ttl 64, id 10957, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.2.20.5555 > 129.217.38.151.49876: Flags [.], cksum 0x6b5b (incorrect -> 0xdd31), seq 1472:1480, ack 32, win 227, options [nop,nop,TS val 2035291211 ecr 23637269], length 8
16:38:59.890612 IP (tos 0x0, ttl 54, id 26618, offset 0, flags [DF], proto TCP (6), length 52)
    129.217.38.151.49876 > 192.168.2.20.5555: Flags [.], cksum 0x1af7 (correct), seq 32, ack 32, win 229, options [nop,nop,TS val 23637310 ecr 2035291210], length 0
16:38:59.890648 IP (tos 0x0, ttl 64, id 10958, offset 0, flags [DF], proto TCP (6), length 252)
    192.168.2.20.5555 > 129.217.38.151.49876: Flags [P.], cksum 0x6c1b (incorrect -> 0x3e08), seq 1480:1680, ack 32, win 227, options [nop,nop,TS val 2035291245 ecr 23637310], length 200
16:38:59.891628 IP (tos 0x0, ttl 54, id 26620, offset 0, flags [DF], proto TCP (6), length 572)
    129.217.38.151.49876 > 192.168.2.20.5555: Flags [P.], cksum 0x96d9 (correct), seq 1480:2000, ack 32, win 229, options [nop,nop,TS val 23637311 ecr 2035291210], length 520
16:38:59.891646 IP (tos 0x0, ttl 64, id 10959, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.2.20.5555 > 129.217.38.151.49876: Flags [.], cksum 0x6b5f (incorrect -> 0x237b), seq 1680, ack 32, win 235, options [nop,nop,TS val 2035291246 ecr 23637310,nop,nop,sack 1 {1480:2000}], length 0
16:38:59.914502 IP (tos 0x0, ttl 54, id 26621, offset 0, flags [DF], proto TCP (6), length 52)
    129.217.38.151.49876 > 192.168.2.20.5555: Flags [.], cksum 0x0d71 (correct), seq 2000, ack 1480, win 251, options [nop,nop,TS val 23637333 ecr 2035291211], length 0
16:38:59.979557 IP (tos 0x0, ttl 54, id 26623, offset 0, flags [DF], proto TCP (6), length 52)
    129.217.38.151.49876 > 192.168.2.20.5555: Flags [.], cksum 0x0c2e (correct), seq 2000, ack 1680, win 274, options [nop,nop,TS val 23637399 ecr 2035291245], length 0
16:39:18.067875 IP (tos 0x0, ttl 54, id 26630, offset 0, flags [DF], proto TCP (6), length 100)
    129.217.38.151.49876 > 192.168.2.20.5555: Flags [FP.], cksum 0x9500 (correct), seq 2000:2048, ack 1680, win 274, options [nop,nop,TS val 23655486 ecr 2035291245], length 48
16:39:18.067926 IP (tos 0x0, ttl 64, id 10960, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.2.20.5555 > 129.217.38.151.49876: Flags [.], cksum 0x6b5f (incorrect -> 0xdc41), seq 1680, ack 32, win 243, options [nop,nop,TS val 2035309422 ecr 23637310,nop,nop,sack 1 {1480:2049}], length 0
^C
17 packets captured
17 packets received by filter
0 packets dropped by kernel



Routers Network interfaces:
Code:

wgs-l13 ~ # ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.15  netmask 255.255.255.128  broadcast 192.168.2.128
        inet6 fe80::1012:ff:fe12:3470  prefixlen 64  scopeid 0x20<link>
        ether 12:12:00:12:34:70  txqueuelen 1000  (Ethernet)
        RX packets 1549  bytes 339792 (331.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1536  bytes 399842 (390.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::1012:ff:fe12:3471  prefixlen 64  scopeid 0x20<link>
        ether 12:12:00:12:34:71  txqueuelen 1000  (Ethernet)
        RX packets 1438  bytes 358636 (350.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1226  bytes 305408 (298.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Lokale Schleife)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1492
        inet 78.50.73.80  netmask 255.255.255.255  destination 213.191.89.29
        ppp  txqueuelen 3  (Punkt-zu-Punkt Verbindung)
        RX packets 1250  bytes 318647 (311.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1172  bytes 276690 (270.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0



Does anybody have an explanation for this?


Thank you a lot in advance.
Till
_________________
Greetings Till


Last edited by till on Mon May 19, 2014 5:09 pm; edited 3 times in total
till (n00b; Joined: 19 Sep 2007; Posts: 22)
Posted: Mon May 19, 2014 4:32 pm

OK, I have observed that the MTU might be the problem: all discarded packets have a length of 1500, but the ppp0 link only has 1492.
But why does it work for some other networks, and how can I solve this? Shouldn't it automatically break the packet up in two pieces or negotiate the max MTU at startup?

Greetings
Till
till (n00b; Joined: 19 Sep 2007; Posts: 22)
Posted: Mon May 19, 2014 5:00 pm

After banging my head for a whole day I found the solution an hour after writing it down in the Gentoo forums ;)

Remember: sometimes it is good to write things down in a structured way and to ask a friend ;-)
Remember 2: universities have administrators that are <some word you dislike here>. They are disabling Path MTU Discovery for security reasons...

SOLUTION: MSS Clamping.

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

(see http://lartc.org/howto/lartc.cookbook.mtu-mss.html)
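The failure pattern in the captures above (a 1500-byte DF segment retried over and over at the sender, never seen on the 1492-byte ppp0 side, while smaller segments pass) can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from the iptables project: it parses tcpdump -n -vvv records from both sides, reports data segments that were sent but never crossed the link, flags those that exceed the link MTU with DF set, and computes the MSS that --clamp-mss-to-pmtu would write into forwarded SYNs. Packets are matched across the two captures by IPv4 id plus TCP seq range, because the id survives NAT; the embedded records are excerpted from the thread's own captures.

```python
"""Spot PMTU black-holing by comparing tcpdump captures from both sides of a link.

Added example, not code from the thread. Assumes two `tcpdump -n -vvv` captures of one
TCP flow: one at the sender and one beyond the narrow link (ppp0, MTU 1492 in the thread)."""
import re

PPP0_MTU = 1492         # router's ppp0 MTU, from the ifconfig output in the thread
IPV4_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header without options

HDR_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(tos \S+, ttl \d+, id (?P<id>\d+), offset \d+, "
    r"flags \[(?P<ipflags>[^\]]*)\], proto TCP \(6\), length (?P<iplen>\d+)\)$")
TCP_RE = re.compile(
    r"^\s*(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<tflags>[^\]]+)\],.*?"
    r"seq (?P<seq>\d+(?::\d+)?),.*?length (?P<plen>\d+)$")

def parse_tcpdump(text):
    """Turn the two-line records of `tcpdump -n -vvv` into dicts; other lines are skipped."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    pkts = []
    for first, second in zip(lines, lines[1:]):
        h, t = HDR_RE.match(first), TCP_RE.match(second)
        if not (h and t):
            continue
        mss = re.search(r"\bmss (\d+)", second)      # option only present on SYN / SYN-ACK
        pkts.append({"ts": h["ts"], "id": int(h["id"]), "df": "DF" in h["ipflags"],
                     "iplen": int(h["iplen"]), "src": t["src"], "dst": t["dst"],
                     "tflags": t["tflags"], "seq": t["seq"], "plen": int(t["plen"]),
                     "mss": int(mss.group(1)) if mss else None})
    return pkts

def exceeds_link_mtu(pkt, mtu=PPP0_MTU):
    """A DF packet larger than the link MTU cannot be forwarded as-is. The router answers
    with ICMP 'fragmentation needed'; if that ICMP is filtered on the way back, the sender
    never learns why and just retransmits the same segment until it gives up."""
    return pkt["df"] and pkt["iplen"] > mtu

def clamp_mss(link_mtu=PPP0_MTU):
    """Largest TCP payload that fits the link: the value --clamp-mss-to-pmtu rewrites the
    MSS option to on forwarded SYNs when the route MTU is link_mtu."""
    return link_mtu - IPV4_TCP_HEADERS    # 1452 for a PPPoE link with MTU 1492

def syn_needs_clamping(pkt, link_mtu=PPP0_MTU):
    """True for a SYN whose advertised MSS lets the peer send segments that do not fit
    the link (the thread's SYNs carry mss 1460, i.e. 1500-byte packets)."""
    return "S" in pkt["tflags"] and pkt["mss"] is not None and pkt["mss"] > clamp_mss(link_mtu)

def diagnose(near_text, far_text, sender, mtu=PPP0_MTU):
    """Report data segments from `sender` that never reached the far capture, with their
    retry count, plus the MSS of any SYN the router should clamp."""
    near, far = parse_tcpdump(near_text), parse_tcpdump(far_text)
    mine = [p for p in near if p["src"].rsplit(".", 1)[0] == sender]   # strip the port
    far_keys = {(p["id"], p["seq"]) for p in far}
    lost = {}
    for p in mine:
        if p["plen"] == 0 or (p["id"], p["seq"]) in far_keys:
            continue
        entry = lost.setdefault(p["seq"], {"tries": 0, "iplen": p["iplen"], "df": p["df"],
                                           "over_mtu": exceeds_link_mtu(p, mtu)})
        entry["tries"] += 1
    unclamped = [p["mss"] for p in mine if syn_needs_clamping(p, mtu)]
    return {"lost": lost, "unclamped_syn_mss": unclamped, "clamp_to": clamp_mss(mtu)}

# Constructed input: records excerpted from the thread's university-side and router-side
# captures. Segment 32:1480 (1500 bytes) is tried three times here and never reaches the
# router; the 572-byte segment 1480:2000 (id 26620) gets through.
UNI_CAPTURE = """\
16:38:59.821397 IP (tos 0x0, ttl 64, id 26615, offset 0, flags [DF], proto TCP (6), length 60)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [S], cksum 0xb874 (correct), seq 2341522184, win 29200, options [mss 1460,sackOK,TS val 23637247 ecr 0,nop,wscale 7], length 0
16:38:59.884917 IP (tos 0x0, ttl 64, id 26619, offset 0, flags [DF], proto TCP (6), length 1500)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0xf3db (correct), seq 32:1480, ack 32, win 229, options [nop,nop,TS val 23637311 ecr 2035291210], length 1448
16:38:59.884926 IP (tos 0x0, ttl 64, id 26620, offset 0, flags [DF], proto TCP (6), length 572)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [P.], cksum 0xc213 (correct), seq 1480:2000, ack 32, win 229, options [nop,nop,TS val 23637311 ecr 2035291210], length 520
16:38:59.911577 IP (tos 0x0, ttl 64, id 26622, offset 0, flags [DF], proto TCP (6), length 1500)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0xee01 (correct), seq 32:1480, ack 1480, win 251, options [nop,nop,TS val 23637338 ecr 2035291211], length 1448
16:39:00.132583 IP (tos 0x0, ttl 64, id 26624, offset 0, flags [DF], proto TCP (6), length 1500)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0xec23 (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23637559 ecr 2035291245], length 1448
"""
ROUTER_CAPTURE = """\
16:39:03.444604 IP (tos 0x0, ttl 55, id 26615, offset 0, flags [DF], proto TCP (6), length 60)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [S], cksum 0xb874 (correct), seq 2341522184, win 29200, options [mss 1460,sackOK,TS val 23637247 ecr 0,nop,wscale 7], length 0
16:39:03.507773 IP (tos 0x0, ttl 55, id 26620, offset 0, flags [DF], proto TCP (6), length 572)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [P.], cksum 0xc213 (correct), seq 1480:2000, ack 32, win 229, options [nop,nop,TS val 23637311 ecr 2035291210], length 520
"""

if __name__ == "__main__":
    report = diagnose(UNI_CAPTURE, ROUTER_CAPTURE, "129.217.38.151")
    for seq, info in report["lost"].items():
        print(f"segment {seq}: {info['tries']} tries, IP length {info['iplen']}, "
              f"DF={info['df']}, over ppp0 MTU={info['over_mtu']}")
    print(f"SYN MSS seen: {report['unclamped_syn_mss']} -> clamp to {report['clamp_to']}")
```

With the real captures the sender side is the university box and the far side the router's ppp0 capture; a lost segment that is over the MTU with DF set, while the same flow's smaller segments arrive, is the PMTUD black hole the TCPMSS rule works around.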
John R. Graham (Administrator; Joined: 08 Mar 2005; Posts: 10157; Location: Somewhere over Atlanta, Georgia)
Posted: Mon May 19, 2014 5:06 pm

You did mean "packet loss" rather than "package loss", right? Might want to edit your thread title accordingly. ;)

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
till (n00b; Joined: 19 Sep 2007; Posts: 22)
Posted: Mon May 19, 2014 5:10 pm

Hmm, yes, my ebuilds are all there ;)
_________________
Greetings Till
Hu (Moderator; Joined: 06 Mar 2007; Posts: 13505)
Posted: Mon May 19, 2014 10:30 pm

Since you mentioned this was caused by PMTUD being blocked for unspecified security reasons, I feel obligated to quote part of man iptables-extensions describing the feature you used.
man iptables-extensions wrote:
This target is used to overcome criminally braindead ISPs or servers
which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big"
packets. The symptoms of this problem are that everything works fine
from your Linux firewall/router, but machines behind it can never
exchange large packets:

1. Web browsers connect, then hang with no data received.

2. Small mail works fine, but large emails hang.

3. ssh works fine, but scp hangs after initial handshaking.