| 1 |
Am Tue, 20 Sep 2016 05:42:01 -0700 |
| 2 |
schrieb Grant <emailgrant@×××××.com>: |
| 3 |
|
| 4 |
> >> A while back I was having networking issues. I eventually tried |
| 5 |
> >> drastically lowering the MTU of all the systems onsite and the |
| 6 |
> >> issues disappeared. I always thought the issue was due to the MTU |
| 7 |
> >> on our modem/router. Today I read that AT&T DSL requires a 1492 |
| 8 |
> >> MTU so I increased the MTU of our systems up to 1492 and haven't |
| 9 |
> >> had any issues. Do certain ISPs require you to change the MTU of |
| 10 |
> >> your entire network, or is this likely due to our AT&T |
| 11 |
> >> modem/router itself? |
| 12 |
> > |
| 13 |
> > Are you using tunnels or a firewall that blocks related "icmp |
| 14 |
> > fragmentation needed" packets? |
| 15 |
> |
| 16 |
> |
| 17 |
> I have this in shorewall/rules: |
| 18 |
> |
| 19 |
> ACCEPT all all icmp - - - 10/sec:20 |
| 20 |
> |
| 21 |
> Which I believe accepts all icmp packets but throttles them to 10/sec |
| 22 |
> to avoid being flooded. Is that OK? |
| 23 |
|
| 24 |
You should probably add a rule before that to let pass all icmp traffic |
| 25 |
related to active connections. I think this can be done with conntrack |
| 26 |
or "-m related". I didn't use iptables in a long time so I cannot |
| 27 |
exactly help you with instructions. |
| 28 |
|
| 29 |
On the other hand, you're probably interested in only limiting icmp |
| 30 |
echo-request. So you may want to stick with that and not limit icmp |
| 31 |
altogether. ICMP is a very important part of a functional ip stack, you |
| 32 |
should not play with it before fully understanding the consequences. |
| 33 |
|
| 34 |
I don't think it makes too much sense to bother about icmp. In case, |
| 35 |
icmp is dropped first usually - and limiting it on your interfaces |
| 36 |
doesn't help at all against flooding (because your provider still |
| 37 |
delivers it to your router through your downstream, it's too late to |
| 38 |
do limiting at this stage), it just saves you from maybe replying to all |
| 39 |
those packets (and thus saves upstream bandwidth which on standard |
| 40 |
asymmetric lines is ridiculous small compared to the massive |
| 41 |
downstreams). |
| 42 |
|
| 43 |
But again: You really (!) should not limit icmp traffic with such a |
| 44 |
general rule but instead limit only specific types of icmp (like |
| 45 |
echo-request), and maybe even block other types completely on the |
| 46 |
external interface (redirect, source quench, a few others). |
| 47 |
|
| 48 |
Most others are important for announcing problems on the packet route - |
| 49 |
like smaller MTU (path mtu discovery), unreachable destinations etc. |
| 50 |
Unselectively blocking or limiting them will result in a lot of |
| 51 |
timeouts and intermittent connection freezes which are hard to |
| 52 |
understand. |
| 53 |
|
| 54 |
http://www.nthelp.com/icmp.html |
| 55 |
|
| 56 |
> > Please also try to find out if you're experiencing packet loss. If |
| 57 |
> > fragmented packets cannot be reassembled due to some packets lost, |
| 58 |
> > you will probably find connections freezing or going really slow. |
| 59 |
> |
| 60 |
> I will watch the output of ifconfig today to see if there are any RX |
| 61 |
> or TX errors. |
| 62 |
|
| 63 |
I almost expect you won't see any numbers there but instead see the |
| 64 |
counter of your limit rule rise during periods where you see the |
| 65 |
problems. TX and RX errors only catch layer 1 or layer 2 losses, you |
| 66 |
are probably experiencing packet loss at or above layer 3 (and I guess |
| 67 |
due to your limit rule). |
| 68 |
|
| 69 |
Maybe run a ping to a destination which you are having problems with, |
| 70 |
then reproduce the problem (with the network idle otherwise). You should |
| 71 |
see ping packets dropped only then. |
| 72 |
|
| 73 |
You can also ping with increasing packet sizes (see ping --help) and |
| 74 |
see when the packet becomes too big for path MTU. But instead lowering |
| 75 |
your MTU then, you should allow icmp-fragmentation-needed come through |
| 76 |
reliably. Lowering MTU only makes sense to stop overly fragmentation in |
| 77 |
the first place and optimize for a specific packet path (like traffic |
| 78 |
through one or multiple VPN tunnels) where fragmentation would |
| 79 |
otherwise increase latency a lot, or where icmp-frag-needed does not |
| 80 |
correctly work. |
| 81 |
|
| 82 |
-- |
| 83 |
Regards, |
| 84 |
Kai |
| 85 |
|
| 86 |
Replies to list-only preferred. |
Archives