-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/11/14 12:49, the wrote:
> On 01/11/14 03:24, Mick wrote:
>> On Friday 10 Jan 2014 19:42:37 Kerin Millar wrote:
>>> the wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Hello. This is the first time I'm dealing with wifi and the second
>>>> time with NAT. I have a server (access point) with a ppp0 interface
>>>> (internet), eth0, wlan0, tun0 and sit0. A dhcp server is listening
>>>> on wlan0 and provides local ip addresses, dns (= my isp dns) and
>>>> router (= server wlan0 ip address). Nat is configured on the server
>>>> like this:
>>>>
>>>> # Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014
>>>> *raw
>>>> :PREROUTING ACCEPT [1000941:974106726]
>>>> :OUTPUT ACCEPT [775261:165606146]
>>>> COMMIT
>>>> # Completed on Fri Jan 10 21:34:26 2014
>>>> # Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014
>>>> *nat
>>>> :PREROUTING ACCEPT [888:45008]
>>>> :INPUT ACCEPT [63:9590]
>>>> :OUTPUT ACCEPT [442:27137]
>>>> :POSTROUTING ACCEPT [36:1728]
>>>> -A POSTROUTING -o ppp0 -j MASQUERADE
>>>> COMMIT
>>>> # Completed on Fri Jan 10 21:34:26 2014
>>>> # Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014
>>>> *mangle
>>>> :PREROUTING ACCEPT [1000941:974106726]
>>>> :INPUT ACCEPT [951658:947497602]
>>>> :FORWARD ACCEPT [39262:26279024]
>>>> :OUTPUT ACCEPT [775261:165606146]
>>>> :POSTROUTING ACCEPT [814621:191890787]
>>>> COMMIT
>>>> # Completed on Fri Jan 10 21:34:26 2014
>>>> # Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014
>>>> *filter
>>>> :INPUT ACCEPT [371:35432]
>>>> :FORWARD ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [33994:3725352]
>>>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>> -A FORWARD -i wlan0 -o ppp0 -j ACCEPT
>>>> -A FORWARD -i ppp0 -o wlan0 -j ACCEPT
>>>> -A FORWARD -i eth0 -j DROP
>>>> -A FORWARD -i tun0 -j DROP
>>>> COMMIT
>>>> # Completed on Fri Jan 10 21:34:26 2014
>>>>
>>>> I have a client that connects to my wifi, obtains an address via
>>>> dhcp and ... can't access almost all of internet sites. I was able
>>>> to ping any web service I could think of, but I was able to use only
>>>> google/youtube. I can do text/image searches on google and can open
>>>> youtube (but videos aren't loading). On other services wget says
>>>> connection established, but it can't retrieve anything. If I ssh to
>>>> an external server (not my nat server) I can ls, but if I try to
>>>> ls -alh I receive only a half of the files list and the terminal
>>>> hangs after that. If I do $python -m http.server on my server I can
>>>> do file transfers and open html pages on my client. I have tried this
>>>> https://wiki.archlinux.org/index.php/Software_Access_Point#WLAN_is_very_slow
>>>>
>>>> Also I have tried to insert LOG target in FORWARD of filter. It
>>>> showed that I send way more packets (>10) to a http server than I
>>>> receive (~2-4). The client is fine and behaves normally with wifi,
>>>> used it many times. Thanks for your time.
>>>
>>> It's probable that you need to make use of MSS clamping. Try the
>>> following rule:
>>>
>>> iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>>
>>> --Kerin
>
>> This explains it:
>
>> http://lartc.org/howto/lartc.cookbook.mtu-mss.html
>
>> Is there a router somewhere (your ISP?) that does not play nice
>> with PMTU Discovery? What happens if you set your ifaces to have an
>> mtu of 1492 (needed to accommodate your PPPoE headers) or even lower
>> like 1440, or 1380?
>
> Thank you Kerin, Mick! It works like a charm. Indeed:
>
> ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1492
>
> So do I understand correctly that field of size 1500 - 1492 is
> reserved for pppoe stuff? Will it also work if I set a smaller mtu
> in my wlan like 1400 (assuming that the smallest mtu on the path is
> not less than 1400)?

Also
"Besides MTU, there is yet another way to set the maximum packet size,
the so called Maximum Segment Size. This is a field in the TCP Options
part of a SYN packet."

Does this mean that even with this iptables rule I'll have problems
with udp packets?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJS0QjTAAoJEK64IL1uI2ha8hMH/Ag7Xvqso/dU3FKLZ03Lkg7v
NcRXFuaFp7zF8UG9e1qkmQebLekys3b2+/9IQc7MuNBoeomuBFlkYrqRj+BmVW7G
5e/LudUfOTkzDLRYPqnFjPjNuwpwvY4Qm+eZ4WE5CsnKAJCE1kVIqZbdUDwinx5/
q6oPnF1upTqvdDnVDwAoo1GFBZDSFQQqTHDtm8Zpe1Im3bydjeqswxVLXuarliQv
Yu9YpjkBBg/SFsvY+gkU3UyhwnFGKlcHRmaYF2bk6+7G+rj9RiRt6Zv0WVIpbGpJ
rS+9B3HZ5uw9UDH2Mn7WFsw/mhwulWKN5iwa9P3NvsjJUfS9miYW6E+BB9FNo4A=
=CfeT
-----END PGP SIGNATURE-----
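The MSS clamp that fixed the thread's problem can be shown in a few lines of Python. This is an added example, not code from the thread or from netfilter: it parses the TCP option block of a SYN, finds the MSS option (kind 2) and lowers it to what fits the path MTU, which is what `-j TCPMSS --clamp-mss-to-pmtu` does in the kernel (the kernel also rewrites the TCP checksum, which is left out here). The option bytes are constructed for illustration and mimic a typical Linux client SYN; the interface numbers (a 1500-byte WLAN client behind the 1492-byte ppp0 link) are the ones from the thread.

```python
"""Added example: how an MSS clamp like `-j TCPMSS --clamp-mss-to-pmtu`
rewrites the MSS option of a TCP SYN. Not code from the thread; the packet
bytes below are constructed for illustration (checksum update omitted)."""
import struct
from typing import Iterator, List, Optional, Tuple

MSS_OPTION_KIND = 2          # RFC 793: kind 2, length 4, 16-bit MSS value
IPV4_HEADER_LEN = 20         # no IP options
TCP_HEADER_LEN = 20          # fixed TCP header; MSS counts payload only


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits one IPv4 packet of the given MTU.
    For the thread's PPPoE link: 1492 - 20 - 20 = 1452."""
    return mtu - IPV4_HEADER_LEN - TCP_HEADER_LEN


def build_syn_options(mss: int, wscale: int = 7) -> bytes:
    """Constructed TCP option block as a typical Linux client sends in a SYN:
    MSS, NOP, NOP, SACK-permitted, NOP, window scale (12 bytes, 4-aligned)."""
    return (struct.pack("!BBH", MSS_OPTION_KIND, 4, mss)
            + b"\x01\x01"                           # NOP, NOP
            + b"\x04\x02"                           # SACK permitted (kind 4, len 2)
            + b"\x01"                               # NOP
            + struct.pack("!BBB", 3, 3, wscale))    # window scale (kind 3, len 3)


def _walk(opts: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (offset, kind, length) per option until End-of-Option-List.
    Rejects truncated or zero/one-length options instead of looping forever."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # EOL: nothing meaningful follows
            return
        if kind == 1:                          # NOP carries no length byte
            yield i, kind, 1
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        yield i, kind, length
        i += length


def parse_options(opts: bytes) -> List[Tuple[int, bytes]]:
    """Decode an option block into (kind, data) pairs; NOPs have empty data."""
    return [(kind, bytes(opts[off + 2:off + length]))
            for off, kind, length in _walk(opts)]


def clamp_mss(opts: bytes, path_mtu: int) -> Tuple[bytes, Optional[int]]:
    """Lower the advertised MSS so segments fit path_mtu, the way the
    netfilter TCPMSS target does: only ever decrease it, and leave a SYN
    that carries no MSS option untouched. Returns (new_options, mss_now)."""
    limit = mss_for_mtu(path_mtu)
    buf = bytearray(opts)
    for off, kind, length in _walk(opts):
        if kind == MSS_OPTION_KIND and length == 4:
            current = struct.unpack_from("!H", buf, off + 2)[0]
            if current <= limit:
                return bytes(buf), current     # already small enough
            struct.pack_into("!H", buf, off + 2, limit)
            return bytes(buf), limit
    return bytes(buf), None                    # no MSS option present


if __name__ == "__main__":
    # Client on a 1500-byte WLAN advertises MSS 1460; the PPPoE uplink is 1492.
    syn_opts = build_syn_options(1460)
    rewritten, mss = clamp_mss(syn_opts, path_mtu=1492)
    print("before:", parse_options(syn_opts))
    print("after: ", parse_options(rewritten), "-> MSS", mss)
```

Only the SYN and SYN/ACK carry an MSS option, which is why the rule quoted above matches `--tcp-flags SYN,RST SYN`; the rewritten value tells the far end never to send a TCP segment larger than the PPPoE link can carry, so the connection no longer depends on ICMP "fragmentation needed" messages that some router on the path may be dropping. The clamp says nothing about UDP: a datagram larger than the path MTU is still governed by the MTU and PMTU discovery alone, which is the point of Mick's suggestion to lower the interface MTU itself. The 8 bytes between 1500 and 1492 are the PPPoE header (6 bytes) plus the PPP protocol field (2 bytes).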