[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Some sites don't get through nat

To: "Misc @OpenBSD" <misc@openbsd.org>
Subject: Re: Some sites don't get through nat
From: Nick Holland <nick@holland-consulting.net>
Date: Tue, 24 Feb 2004 12:49:38 -0500
References: <20040224172612.GC909@boetes.org>

Han Boetes wrote:
> 
> Hi,
> 
> I noticed this odd problem with http://web.wt.net/~billw/gkrellm/ and
> http://www.snsbank.nl/. Both sites seem to get slowed down by NAT. If I
> connect to them from the firewall there is no connection problem. But
> if I connect to them from _behind_ the firewall there is no connection
> being setup.
> 
> This is what I get from tcpdump:
> 
>   Feb 24 17:39:35.645516 0:c0:26:18:0:2 0:b0:4a:28:a8:1b
>   0800 74: 217.120.147.78.56064 > 194.151.220.32.80:
>   SWE 320099576:320099576(0) win 5840 <mss 1460,sackOK,timestamp
>   38885646 0,nop,wscale 0>
> 
> To make sure it wasn't anything in the firewall I disabled it (except
> for NAT) and restored the default mtu of 1500. Still no
> connection. Does anyone have a clue what's going on here?
> 
> # Han

I spent a lot of time trying to figure out a similar problem at a few
clients, seemingly with recent (>=3.2) OpenBSD versions, not with
earlier versions.  Certain sites, they could not get to, but I had no
problem getting to the same sites from home or from a machine outside
the firewall.  Worse, two sites I had this problem at had NO PROBLEM
with earlier versions of OpenBSD.

Finally figured out that it was an MTU problem -- for reasons I don't
really understand, between the DSL router, the newer OpenBSD and the
systems behind the OpenBSD box, the packets weren't being fragmented
properly.  Reducing the MTU on the external interface solved the
problem nicely.  Why didn't I have the problem at home?  Because I was
running on a cable modem (with an MTU of 1500) but the clients I was
having trouble with were on DSL lines with smaller MTUs.

The sites we were having trouble with, however, involved a certain
amount of "uplink" data -- forms and such.  As long as the uplink data
size was "small", things were working fine.  Not sure that applies to
the sites you mentioned, though I seemed to have no problem getting to
them from here (again).

Nick.
-- 
http://www.holland-consulting.net

Follow-Ups:
- Re: Some sites don't get through nat
  - From: Han Boetes <han@mijncomputer.nl>

References:
- Some sites don't get through nat
  - From: Han Boetes <han@mijncomputer.nl>

Prev by Date: SparcStation 20?
Next by Date: Re: SparcStation 20?
Prev by thread: Some sites don't get through nat
Next by thread: Re: Some sites don't get through nat
Index(es):
- Date
- Thread