1 |
Am Tue, 20 Sep 2016 05:42:01 -0700 |
2 |
schrieb Grant <emailgrant@×××××.com>: |
3 |
|
4 |
> >> A while back I was having networking issues. I eventually tried |
5 |
> >> drastically lowering the MTU of all the systems onsite and the |
6 |
> >> issues disappeared. I always thought the issue was due to the MTU |
7 |
> >> on our modem/router. Today I read that AT&T DSL requires a 1492 |
8 |
> >> MTU so I increased the MTU of our systems up to 1492 and haven't |
9 |
> >> had any issues. Do certain ISPs require you to change the MTU of |
10 |
> >> your entire network, or is this likely due to our AT&T |
11 |
> >> modem/router itself? |
12 |
> > |
13 |
> > Are you using tunnels or a firewall that blocks related "icmp |
14 |
> > fragmentation needed" packets? |
15 |
> |
16 |
> |
17 |
> I have this in shorewall/rules: |
18 |
> |
19 |
> ACCEPT all all icmp - - - 10/sec:20 |
20 |
> |
21 |
> Which I believe accepts all icmp packets but throttles them to 10/sec |
22 |
> to avoid being flooded. Is that OK? |
23 |
|
24 |
You should probably add a rule before that to let pass all icmp traffic |
25 |
related to active connections. I think this can be done with conntrack |
26 |
or "-m related". I didn't use iptables in a long time so I cannot |
27 |
exactly help you with instructions. |
28 |
|
29 |
On the other hand, you're probably interested in only limiting icmp |
30 |
echo-request. So you may want to stick with that and not limit icmp |
31 |
altogether. ICMP is a very important part of a functional ip stack, you |
32 |
should not play with it before fully understanding the consequences. |
33 |
|
34 |
I don't think it makes too much sense to bother about icmp. In case, |
35 |
icmp is dropped first usually - and limiting it on your interfaces |
36 |
doesn't help at all against flooding (because your provider still |
37 |
delivers it to your router through your downstream, it's too late to |
38 |
do limiting at this stage), it just saves you from maybe replying to all |
39 |
those packets (and thus saves upstream bandwidth which on standard |
40 |
asymmetric lines is ridiculous small compared to the massive |
41 |
downstreams). |
42 |
|
43 |
But again: You really (!) should not limit icmp traffic with such a |
44 |
general rule but instead limit only specific types of icmp (like |
45 |
echo-request), and maybe even block other types completely on the |
46 |
external interface (redirect, source quench, a few others). |
47 |
|
48 |
Most others are important for announcing problems on the packet route - |
49 |
like smaller MTU (path mtu discovery), unreachable destinations etc. |
50 |
Unselectively blocking or limiting them will result in a lot of |
51 |
timeouts and intermittent connection freezes which are hard to |
52 |
understand. |
53 |
|
54 |
http://www.nthelp.com/icmp.html |
55 |
|
56 |
> > Please also try to find out if you're experiencing packet loss. If |
57 |
> > fragmented packets cannot be reassembled due to some packets lost, |
58 |
> > you will probably find connections freezing or going really slow. |
59 |
> |
60 |
> I will watch the output of ifconfig today to see if there are any RX |
61 |
> or TX errors. |
62 |
|
63 |
I almost expect you won't see any numbers there but instead see the |
64 |
counter of your limit rule rise during periods where you see the |
65 |
problems. TX and RX errors only catch layer 1 or layer 2 losses, you |
66 |
are probably experiencing packet loss at or above layer 3 (and I guess |
67 |
due to your limit rule). |
68 |
|
69 |
Maybe run a ping to a destination which you are having problems with, |
70 |
then reproduce the problem (with the network idle otherwise). You should |
71 |
see ping packets dropped only then. |
72 |
|
73 |
You can also ping with increasing packet sizes (see ping --help) and |
74 |
see when the packet becomes too big for path MTU. But instead lowering |
75 |
your MTU then, you should allow icmp-fragmentation-needed come through |
76 |
reliably. Lowering MTU only makes sense to stop overly fragmentation in |
77 |
the first place and optimize for a specific packet path (like traffic |
78 |
through one or multiple VPN tunnels) where fragmentation would |
79 |
otherwise increase latency a lot, or where icmp-frag-needed does not |
80 |
correctly work. |
81 |
|
82 |
-- |
83 |
Regards, |
84 |
Kai |
85 |
|
86 |
Replies to list-only preferred. |