WAN connection through a Linux machine
Dan Shimshoni
danshimsh at gmail.com
Tue Apr 20 14:18:04 IDT 2010
OK, now this is clearer.
But is this problem specific to this scenario?
I mean, when I use a single machine to connect directly to the
internet via Bezeq ADSL, without running any iptables rules at all,
using PPPoE, I should have the same problem, don't I?
Is there a solution in this case? (Remember, I cannot use this
iptables "clamp-mss-to-pmtu" option, as in this scenario I in fact do
not use iptables at all.)
Second, ifconfig ppp0 shows that the MTU is 1492.
DS
On Tue, Apr 20, 2010 at 1:56 PM, Shachar Shemesh <shachar at shemesh.biz> wrote:
> Dan Shimshoni wrote:
>
> shachar,
> I googled for "MSS Squashing". Got 0 results!
>
> What is this "MSS Squashing"? and how is it related to this issue?
>
> rgs,
> DS
>
> The term used in the iptables man page is "clamp-mss-to-pmtu"
>
> The ethernet maximal transfer unit (MTU) is 1500 bytes (more or less, but in
> practice, this is the default). Since pppoe has some overhead, the effective
> MTU on ppp0 is lower (about 1470 bytes). Packets sent out by your machine B
> broadcast the desired packet length on the return path through a TCP option
> called MSS (maximal segment size).
>
> Theoretically, TCP will figure out on its own that the path MTU (PMTU) is
> lower than the end MTU as advertised by the MSS. This has two disadvantages:
> 1. It has worse performance than advertising the correct number in the MSS
> to begin with
> 2. Some firewalls block the ICMP message used to report this case (code 3
> type 4 - "fragmentation needed but don't fragment set"). As a result, you
> get "black hole" syndrome.
>
> The solution is to have iptables alter the MSS field of the TCP option to
> the value it knows is correct.
>
> Shachar
>
> --
> Shachar Shemesh
> Lingnu Open Source Consulting Ltd.
> http://www.lingnu.com
>
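The following is an added example, not code from the Linux-il thread or from the iptables project: it reproduces in userspace what the iptables TCPMSS target does with --clamp-mss-to-pmtu, so the arithmetic behind Shachar's explanation can be seen on real bytes. The packets are constructed in the script (RFC 5737 documentation addresses, made-up ports and sequence number), and the MSS rule applied is the one for IPv4 without IP options: MSS = MTU minus 20 bytes of IPv4 header minus 20 bytes of TCP header, so an Ethernet MTU of 1500 gives 1460 and the PPPoE MTU of 1492 that Dan reports on ppp0 gives 1452. Only SYN segments without RST are touched, matching the usual rule `-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`, and the TCP checksum is recomputed after the rewrite, because a clamped option with a stale checksum would be dropped by the peer.

```python
"""Userspace model of iptables TCPMSS --clamp-mss-to-pmtu (added example).

All packets here are constructed inline; nothing is sent on the wire.
"""
import socket
import struct

IPV4_HDR_LEN = 20      # fixed IPv4 header, no IP options
TCP_HDR_LEN = 20       # fixed TCP header, options follow
TCP_OPT_MSS = 2        # kind 2, length 4, 16-bit MSS value
TCP_FLAG_SYN = 0x02
TCP_FLAG_RST = 0x04


def mss_for_mtu(mtu: int) -> int:
    """MSS a host should advertise for an MTU: 1500 -> 1460, 1492 -> 1452."""
    return mtu - IPV4_HDR_LEN - TCP_HDR_LEN


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over a byte string (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return _ones_complement_sum(pseudo + tcp)


def tcp_checksum_ok(packet: bytes) -> bool:
    """True when the segment's stored checksum verifies (sum comes out 0)."""
    ihl = (packet[0] & 0x0F) * 4
    return _tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int, flags: int = TCP_FLAG_SYN) -> bytes:
    """Constructed IPv4/TCP SYN whose only option is MSS (4 bytes -> data offset 6)."""
    opts = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    offset_flags = (((TCP_HDR_LEN + len(opts)) // 4) << 12) | flags
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, offset_flags, 65535, 0, 0) + opts
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = tcp[:16] + struct.pack("!H", _tcp_checksum(s, d, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(tcp),
                     0x1234, 0x4000, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", _ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def _mss_option_offset(tcp: bytes) -> int:
    """Byte offset of the MSS option within the TCP header, or -1 if absent."""
    doff = (tcp[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i + 1 < doff:
        kind = tcp[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding, one byte
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:           # malformed option; stop rather than loop
            break
        if kind == TCP_OPT_MSS and length == 4:
            return i
        i += length
    return -1


def read_mss(packet: bytes):
    """Advertised MSS of an IPv4/TCP segment, or None if it carries none."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    off = _mss_option_offset(tcp)
    return None if off < 0 else struct.unpack("!H", tcp[off + 2:off + 4])[0]


def clamp_mss_to_pmtu(packet: bytes, pmtu: int) -> bytes:
    """Lower the MSS option of a SYN (not RST) to pmtu - 40 if it is larger,
    then fix the TCP checksum. Non-TCP, non-SYN and already-small MSS pass through."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        return packet
    tcp = bytearray(packet[ihl:])
    flags = tcp[13]
    if not (flags & TCP_FLAG_SYN) or (flags & TCP_FLAG_RST):
        return packet
    off = _mss_option_offset(bytes(tcp))
    if off < 0:
        return packet
    mss = struct.unpack("!H", tcp[off + 2:off + 4])[0]
    limit = mss_for_mtu(pmtu)
    if mss <= limit:
        return packet
    struct.pack_into("!H", tcp, off + 2, limit)
    tcp[16:18] = b"\x00\x00"
    struct.pack_into("!H", tcp, 16, _tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


if __name__ == "__main__":
    syn = build_syn("192.0.2.10", "198.51.100.20", 40000, 80, mss_for_mtu(1500))
    out = clamp_mss_to_pmtu(syn, 1492)
    print("MSS before:", read_mss(syn), "after:", read_mss(out),
          "checksum ok:", tcp_checksum_ok(out))
```

The clamp runs only on the SYN because that is the one segment that carries the MSS option; everything that follows in the connection is already sized by the negotiated value, which is why a single rule in the mangle table's FORWARD chain is enough on a router.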