-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/11/14 03:24, Mick wrote:
> On Friday 10 Jan 2014 19:42:37 Kerin Millar wrote:
>> the wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Hello. This is the first time I'm dealing with wifi and the
>>> second time with NAT. I have a server (access point) with a
>>> ppp0 interface (internet), eth0, wlan0, tun0 and sit0. A dhcp
>>> server is listening on wlan0 and provides local ip addresses,
>>> dns (= my isp dns) and router (= server wlan0 ip address). Nat
>>> is configured on the server like this:
>>>
>>> # Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014
>>> *raw
>>> :PREROUTING ACCEPT [1000941:974106726]
>>> :OUTPUT ACCEPT [775261:165606146]
>>> COMMIT
>>> # Completed on Fri Jan 10 21:34:26 2014
>>> # Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014
>>> *nat
>>> :PREROUTING ACCEPT [888:45008]
>>> :INPUT ACCEPT [63:9590]
>>> :OUTPUT ACCEPT [442:27137]
>>> :POSTROUTING ACCEPT [36:1728]
>>> -A POSTROUTING -o ppp0 -j MASQUERADE
>>> COMMIT
>>> # Completed on Fri Jan 10 21:34:26 2014
>>> # Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014
>>> *mangle
>>> :PREROUTING ACCEPT [1000941:974106726]
>>> :INPUT ACCEPT [951658:947497602]
>>> :FORWARD ACCEPT [39262:26279024]
>>> :OUTPUT ACCEPT [775261:165606146]
>>> :POSTROUTING ACCEPT [814621:191890787]
>>> COMMIT
>>> # Completed on Fri Jan 10 21:34:26 2014
>>> # Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014
>>> *filter
>>> :INPUT ACCEPT [371:35432]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [33994:3725352]
>>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> -A FORWARD -i wlan0 -o ppp0 -j ACCEPT
>>> -A FORWARD -i ppp0 -o wlan0 -j ACCEPT
>>> -A FORWARD -i eth0 -j DROP
>>> -A FORWARD -i tun0 -j DROP
>>> COMMIT
>>> # Completed on Fri Jan 10 21:34:26 2014
>>>
>>> I have a client that connects to my wifi, obtains an address via
>>> dhcp and ... can't access almost all of internet sites. I was
>>> able to ping any web service I could think of, but I was able
>>> to use only google/youtube. I can do text/image searches on
>>> google and can open youtube (but videos aren't loading). On
>>> other services wget says connection established, but it can't
>>> retrieve anything. If I ssh to an external server (not my nat
>>> server) I can ls, but if I try to ls -alh I receive only a
>>> half of the files list and the terminal hangs after that. If I
>>> do $ python -m http.server on my server I can do file transfers
>>> and open html pages on my client. I have tried this
>>> https://wiki.archlinux.org/index.php/Software_Access_Point#WLAN_is_very_slow
>>>
>>> Also I have tried to insert LOG target in FORWARD of filter. It
>>> showed that I send way more packets (>10) to a http server than
>>> I receive (~2-4). The client is fine and behaves normally with
>>> wifi, used it many times. Thanks for your time.
>>
>> It's probable that you need to make use of MSS clamping. Try the
>> following rule:
>>
>> iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN
>> -j TCPMSS --clamp-mss-to-pmtu
>>
>> --Kerin
>
> This explains it:
>
> http://lartc.org/howto/lartc.cookbook.mtu-mss.html
>
> Is there a router somewhere (your ISP?) that does not play nice
> with PMTU Discovery? What happens if you set your ifaces to have
> an mtu of 1492 (needed to accommodate your PPPoE headers) or even
> lower like 1440, or 1380?

Thank you Kerin, Mick! It works like a charm. Indeed:

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1492

So do I understand correctly that the field of size 1500 - 1492 is
reserved for pppoe stuff?
Will it also work if I set a smaller mtu in my wlan like
1400 (assuming that the smallest mtu on the path is not less than 1400)?
-----BEGIN PGP SIGNATURE----- |
92 |
Version: GnuPG v2.0.22 (GNU/Linux) |
93 |
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ |
94 |
|
95 |
iQEcBAEBAgAGBQJS0QWKAAoJEK64IL1uI2haA1sIAJNWQMRy237bStiLQcxzLzc4 |
96 |
8wWjQUt2wf3tHokTCIRLYuPClYiWg1yKnB7Nh1/SKZ3kpN6cGSvKG0qmWmz2g78W |
97 |
nrPZ/7QrADmBA00n3Zem8HGR4im+Uo83AWYNKwrr6SfBr2Ju1hjEDXSspTkZcLPp |
98 |
22lNK0OaA/lRBusdc/2lg7ALK3YwInGSvlq95eLK6V86ADzcardu1+nn5erv1JJW |
99 |
4OzgaQITe4dKREoeqHEyAJEdxh2xCKP9f7aaTulvS0WccD3ws1jd1b2w1Fjb6tYI |
100 |
Ez068tGhc+GdTlGRbpG5rGqviEYfUuvHIyfAc8/PBAx9nSHYISJEom88VQN7Mqc= |
101 |
=op4W |
102 |
-----END PGP SIGNATURE----- |
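As an added worked example for this thread (not code from any of the posters), the Python below models what Kerin's `TCPMSS --clamp-mss-to-pmtu` rule does to an outgoing SYN and works through the MTU arithmetic Mick and the original poster discuss: the 8 bytes between 1500 and 1492 are PPPoE framing (6-byte PPPoE session header plus 2-byte PPP protocol field), and the MSS that fits an IPv4 path is the smallest MTU on that path minus 40 bytes of IP and TCP headers. The SYN it builds, with its ports and sequence number, is a constructed sample; the model rewrites only the MSS option and assumes the checksum update and the no-MSS-option case, which the real netfilter target also handles, are out of scope.

```python
"""Model of what ``iptables -j TCPMSS --clamp-mss-to-pmtu`` does to a SYN.

Added illustration for this thread; not code from any poster. It mirrors the
rule's matcher (``--tcp-flags SYN,RST SYN``: SYN set, RST clear) and rewrites
the TCP MSS option so the segment fits the smallest MTU on the path. It does
not recompute the TCP checksum or add a missing MSS option (assumed out of
scope here; the real netfilter target does both).
"""
import struct

IPV4_HEADER_LEN = 20     # IPv4 header without options
TCP_HEADER_LEN = 20      # TCP header without options
PPPOE_OVERHEAD = 8       # 6-byte PPPoE session header + 2-byte PPP protocol field

TCP_FLAG_SYN = 0x02
TCP_FLAG_RST = 0x04
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2


def pppoe_mtu(link_mtu=1500):
    """MTU left for IP once PPPoE/PPP framing is taken off an Ethernet frame (1492)."""
    return link_mtu - PPPOE_OVERHEAD


def mss_for_mtu(mtu):
    """Largest TCP payload that fits an IPv4 packet of the given MTU."""
    return mtu - IPV4_HEADER_LEN - TCP_HEADER_LEN


def path_mss(link_mtus):
    """MSS that fits the smallest MTU along a path, e.g. wlan0 1500 then ppp0 1492."""
    return mss_for_mtu(min(link_mtus))


def build_tcp_syn(mss, src_port=40000, dst_port=80):
    """Constructed sample SYN: 20-byte header plus a 4-byte MSS option (no checksum)."""
    data_offset_words = (TCP_HEADER_LEN + 4) // 4          # 6 words = 24 bytes
    offset_and_flags = (data_offset_words << 12) | TCP_FLAG_SYN
    header = struct.pack("!HHIIHHHH",
                         src_port, dst_port,
                         1, 0,                              # seq, ack (sample values)
                         offset_and_flags, 65535, 0, 0)     # flags, window, csum, urg
    return header + struct.pack("!BBH", TCPOPT_MSS, 4, mss)


def _mss_option_offset(segment):
    """Index of the 2-byte MSS value in the TCP options, or None if absent."""
    header_len = (segment[12] >> 4) * 4
    i = TCP_HEADER_LEN
    while i < header_len:
        kind = segment[i]
        if kind == TCPOPT_EOL:
            return None
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= header_len:
            return None                                     # truncated option
        length = segment[i + 1]
        if length < 2:
            return None                                     # malformed, stop scanning
        if kind == TCPOPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def parse_mss(segment):
    """MSS advertised by a segment, or None if it carries no MSS option."""
    off = _mss_option_offset(segment)
    if off is None:
        return None
    return struct.unpack("!H", segment[off:off + 2])[0]


def clamp_mss(segment, pmtu):
    """Return the segment with its MSS lowered to fit pmtu, or unchanged.

    Only SYNs without RST are touched, as with --tcp-flags SYN,RST SYN, and
    an MSS that already fits is left alone.
    """
    flags = segment[13]
    if not (flags & TCP_FLAG_SYN) or (flags & TCP_FLAG_RST):
        return segment
    off = _mss_option_offset(segment)
    if off is None:
        return segment
    limit = mss_for_mtu(pmtu)
    if parse_mss(segment) <= limit:
        return segment
    out = bytearray(segment)
    out[off:off + 2] = struct.pack("!H", limit)
    return bytes(out)


if __name__ == "__main__":
    syn = build_tcp_syn(1460)                  # usual MSS for a 1500-byte Ethernet MTU
    print("ppp0 MTU:", pppoe_mtu())            # 1492
    print("MSS before:", parse_mss(syn))       # 1460
    print("MSS after clamp to ppp0:", parse_mss(clamp_mss(syn, pppoe_mtu())))  # 1452
    print("path MSS wlan0 1500 + ppp0 1492:", path_mss([1500, 1492]))          # 1452
```

The clamp follows the smallest MTU on the path, so with the same model `path_mss([1400, 1492])` gives 1360: lowering the wlan side to 1400 simply moves the bottleneck from ppp0 to wlan0, which is why the rule is normally placed on the outgoing interface that actually has the smaller MTU.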