Q: MTU and MSS on masquerading.

Post by Stanislav N. Rogi » Wed, 09 Aug 2000 04:00:00



I have a small fast network seeing the Internet through a masquerading firewall (I
have only one IP address...).
I have a problem: I could not get a normal telnet connection from inside
machines to outside.
Telnet from the firewall works normally.
From other machines connections were established, but after some time data
stops and then nothing...

I found that the MSS of an internal-sourced connection is greater than the MTU of the outer
interface.

MTU on internal net - 1500
MTU on external interface (modem) - 296

MSS of telnet connection from firewall - 256
MSS of telnet connection from internal machine - 1440 (and it is right,
because the internal machine does not know about masquerading)

The Linux firewall just copies the MSS of the connection to the outside, thus breaking
the RFC rules.

Decreasing the MTU on the internal net fixes the problem, but I DON'T WANT MTU=296
ON A 100 Mbit LAN!

Exploring ip_masq.c showed the worst - it corrects nothing.

Maybe somebody can give me another solution? Or does it need to be fixed in the
kernel?

SY, Sam

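The correction the post above finds missing in ip_masq.c is MSS clamping: on a SYN leaving through the 296-byte link, the MSS option the inside host advertised (1460 on a 1500-byte LAN) has to be rewritten down to 296 - 40 = 256, and the TCP checksum fixed afterwards, or the far end will send segments the PPP link cannot carry. The program below is an added example written for this page, not code from the thread, from ip_masq.c or from any kernel; it does the rewrite in user space on a constructed IPv4/TCP SYN (addresses 192.168.1.10 -> 10.0.0.1, ports 50000 -> 23 and the 1460 MSS are made-up sample data) so the arithmetic and the checksum handling can be checked by hand.

```c
/*
 * Added example (not from the original thread or from ip_masq.c): clamp the
 * TCP MSS option of an IPv4 SYN so it fits the outgoing interface MTU, and
 * recompute the TCP checksum. Operates on a constructed packet in memory.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPv4 (20) + TCP (20) headers without options; MSS counts TCP payload only. */
#define IP_TCP_HDR_LEN 40

/* Largest MSS an interface of the given MTU can carry: 296 -> 256, 1500 -> 1460. */
unsigned mss_for_mtu(unsigned mtu) {
    return mtu > IP_TCP_HDR_LEN ? mtu - IP_TCP_HDR_LEN : 0;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xff); }

/* RFC 1071 ones-complement checksum over the TCP pseudo-header and segment.
 * Over a segment whose checksum field is filled in, a valid result is 0. */
static uint16_t tcp_checksum(const uint8_t *ip, const uint8_t *tcp, size_t tcp_len) {
    uint32_t sum = 0;
    size_t i;
    for (i = 12; i < 20; i += 2) sum += rd16(ip + i);   /* src and dst address */
    sum += 6;                                            /* zero byte + protocol TCP */
    sum += (uint16_t)tcp_len;
    for (i = 0; i + 1 < tcp_len; i += 2) sum += rd16(tcp + i);
    if (tcp_len & 1) sum += (uint32_t)tcp[tcp_len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* 1 if the TCP checksum stored in the packet verifies. */
int tcp_checksum_ok(const uint8_t *pkt, size_t len) {
    size_t ihl = (pkt[0] & 0x0f) * 4;
    return tcp_checksum(pkt, pkt + ihl, len - ihl) == 0;
}

/*
 * Walk the TCP options of a SYN and lower the MSS (option kind 2) to what
 * out_mtu can carry. Returns the MSS the segment carries afterwards, or 0 if
 * the packet is not a TCP SYN with an MSS option. Only SYN segments carry MSS,
 * so non-SYN packets are left alone.
 */
unsigned clamp_syn_mss(uint8_t *pkt, size_t len, unsigned out_mtu) {
    if (len < IP_TCP_HDR_LEN || (pkt[0] >> 4) != 4 || pkt[9] != 6) return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20) return 0;
    uint8_t *tcp = pkt + ihl;
    size_t tcp_len = len - ihl;
    size_t doff = (tcp[12] >> 4) * 4;
    if (doff < 20 || doff > tcp_len || !(tcp[13] & 0x02)) return 0; /* SYN required */

    unsigned limit = mss_for_mtu(out_mtu);
    size_t i = 20;
    while (i < doff) {
        uint8_t kind = tcp[i];
        if (kind == 0) break;                 /* end of option list */
        if (kind == 1) { i++; continue; }     /* NOP padding */
        if (i + 1 >= doff) break;
        uint8_t olen = tcp[i + 1];
        if (olen < 2 || i + olen > doff) break; /* malformed option, stop */
        if (kind == 2 && olen == 4) {
            unsigned mss = rd16(tcp + i + 2);
            if (mss <= limit) return mss;     /* already fits, nothing to do */
            wr16(tcp + i + 2, (uint16_t)limit);
            wr16(tcp + 16, 0);                /* zero checksum before recomputing */
            wr16(tcp + 16, tcp_checksum(pkt, tcp, tcp_len));
            return limit;
        }
        i += olen;
    }
    return 0;
}

/* Constructed sample: SYN from an inside host 192.168.1.10:50000 to 10.0.0.1:23
 * advertising the LAN MSS of 1460. The IP header checksum is left at zero; only
 * the TCP checksum matters for this demonstration. Returns the packet length. */
size_t build_sample_syn(uint8_t *pkt) {
    static const uint8_t syn[44] = {
        /* IPv4: ver/ihl, tos, total len 44, id 1, DF, ttl 64, proto 6, csum 0 */
        0x45, 0x00, 0x00, 0x2c, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
        192, 168, 1, 10,  10, 0, 0, 1,
        /* TCP: sport 50000, dport 23, seq 1, ack 0, doff 6, SYN, window 8192 */
        0xc3, 0x50, 0x00, 0x17, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
        0x60, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00,
        /* option: MSS = 1460 */
        0x02, 0x04, 0x05, 0xb4
    };
    memcpy(pkt, syn, sizeof syn);
    wr16(pkt + 36, tcp_checksum(pkt, pkt + 20, 24));
    return sizeof syn;
}

int main(void) {
    uint8_t pkt[64];
    size_t len = build_sample_syn(pkt);
    unsigned before = clamp_syn_mss(pkt, len, 1500);   /* 1460 fits a 1500 MTU */
    printf("LAN SYN advertises MSS %u, checksum %s\n", before,
           tcp_checksum_ok(pkt, len) ? "ok" : "BAD");
    unsigned after = clamp_syn_mss(pkt, len, 296);     /* clamp for the modem link */
    printf("after clamp for MTU 296: MSS %u, checksum %s\n", after,
           tcp_checksum_ok(pkt, len) ? "ok" : "BAD");
    return 0;
}
```

Running it prints the 1460 the inside host asked for and then 256 after the clamp, with the checksum still verifying. A forwarding box would apply the same rewrite to every SYN (and SYN/ACK) it passes out of the small-MTU interface and nothing else; later Linux kernels grew exactly this as the iptables TCPMSS target (--clamp-mss-to-pmtu), which did not exist in the ipchains masquerading code this thread is about.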

Q: MTU and MSS on masquerading.

Post by Clifford Kit » Wed, 09 Aug 2000 04:00:00



> I have a small fast network seeing the Internet through a masquerading
> firewall (I have only one IP address...)  I have a problem: I could
> not get a normal telnet connection from inside machines to outside.
> Telnet from the firewall works normally.  From other machines connections
> were established, but after some time data stops and then nothing...
> I found that the MSS of an internal-sourced connection is greater than the
> MTU of the outer interface.
> MTU on internal net - 1500
> MTU on external interface (modem) - 296
> MSS of telnet connection from firewall - 256
> MSS of telnet connection from internal machine - 1440 (and it is
> right, because the internal machine does not know about masquerading)

It's not really significant here but I'd expect a 1460 MSS not 1440.

> The Linux firewall just copies the MSS of the connection to the outside, thus
> breaking the RFC rules.

I'm curious, which RFC defines masquerading (NAT)?

> Decreasing the MTU on the internal net fixes the problem, but I DON'T WANT MTU=296
> ON A 100 Mbit LAN!

So why is the PPP interface MTU 296?  If there's a "mtu 296" in the
pppd options then remove it and get the 1500 PPP default MTU unless
the ISP is requesting a 296 MRU.  If the ISP is requesting a 296 MRU
then add the pppd option "default-mru" and that should get you the
1500 PPP default MTU.

BTW a small MTU never seemed to me to buy you a whole lot of
improvement in interactive applications.

---



Q: MTU and MSS on masquerading.

Post by Stanislav N. Rogi » Thu, 10 Aug 2000 04:00:00





> > ------------cut-------------------
> > MSS of telnet connection from firewall - 256
> > MSS of telnet connection from internal machine - 1440 (and it is
> > right, because the internal machine does not know about masquerading)

> It's not really significant here but I'd expect a 1460 MSS not 1440.

:-) Of course. It was a simple mistype...

> > The Linux firewall just copies the MSS of the connection to the outside, thus
> > breaking the RFC rules.

> I'm curious, which RFC defines masquerading (NAT)?

> > Decreasing the MTU on the internal net fixes the problem, but I DON'T WANT
> > MTU=296 ON A 100 Mbit LAN!

> So why is the PPP interface MTU 296?  If there's a "mtu 296" in the
> pppd options then remove it and get the 1500 PPP default MTU unless
> the ISP is requesting a 296 MRU.  If the ISP is requesting a 296 MRU
> then add the pppd option "default-mru" and that should get you the
> 1500 PPP default MTU.
> BTW a small MTU never seemed to me to buy you a whole lot of
> improvement in interactive applications.

Of course it is a good solution. But my PPP channel has 33600 speed, and it is
wider than the next channel. :-)
If I set MTU 1500, then any heavy FTP connection will almost freeze any
light telnet connection, at least I think so.
It will work, but I will lose flexibility in a large number of my interactive
telnet apps.

Is it better to patch a kernel?

SY, Sam


Q: MTU and MSS on masquerading.

Post by Clifford Kit » Thu, 10 Aug 2000 04:00:00



> If I set MTU 1500, then any heavy FTP connection will almost freeze
> any light telnet connection, at least I think so.  It will work,
> but I will lose flexibility in a large number of my interactive
> telnet apps.

Yes, a small MTU does help interactive applications a little in the
presence of ftp transfers.

For a single Linux host you could use ncftp-2.4.3 with the patch
ncftp-2.4.2+ltr-1.0 which works with 2.4.2 too.  I think the patch
is somewhere on sunsite (metalab).  Only the machine using it
gets the benefit of reduced ftp transfer though.

You also might look at ip_relay-0.7 which is a perl script, but I
don't know if it's adaptable for multiple machines, even masqueraded
machines.

> Is it better to patch a kernel?

If you know of a patch, or can make one yourself, then that could be
a solution.  Otherwise AFAIK there is no good solution for restricting
ftp transfers from multiple machines.  IMHO mucking with TOS using
ipchains is not likely to be effective.

--

/* Editing with vi is a lot better than using a huge swiss army knife.
   Use =} to wrap paragraphs in vi.  Or put   map ^] !}fmt -72^M   in
   ~/.exrc and use ^] to wrap to 72 columns or whatever you choose. */