Web browsing problems on LAN through RH7.2 ipchains firewall


Post by Antony Gelber » Sat, 11 May 2002 22:13:14



Hi,

I am having a few problems with a Red Hat 7.2 firewall running ipchains.

The setup is ISP -> ADSL Router -> Firewall -> Hub (rest of LAN).

The workstations on the LAN are configured to query DNS servers of the ISP,
and the firewall as the default gateway.

The problem is Internet browsing.  Unfortunately I am not on site at the
moment so I can't see the problems for myself, but the users are
complaining of slow connections to some web sites, and even timeouts.  I am
not sure how reproducible the problems are, but I would like to know if
there is anything obviously wrong with the above setup.

Would things be improved by running squid and/or a caching DNS server on
the firewall?  How can I analyse where the holdup is?  For all
I know, it could be network congestion on their LAN, how can I measure this?

Any help would be very much appreciated, I have just about run out of
ideas...

Tony

 
 
 

Web browsing problems on LAN through RH7.2 ipchains firewall

Post by Karl Heye » Sat, 11 May 2002 22:53:30



> Hi,

> I am having a few problems with a Red Hat 7.2 firewall running ipchains.

> The setup is ISP -> ADSL Router -> Firewall -> Hub (rest of LAN).

> The workstations on the LAN are configured to query DNS servers of the ISP,
> and the firewall as the default gateway.

> The problem is Internet browsing.  Unfortunately I am not on site at the
> moment so I can't see the problems for myself, but the users are
> complaining of slow connections to some web sites, and even timeouts.  I am
> not sure how reproducible the problems are, but I would like to know if
> there is anything obviously wrong with the above setup.

> Would things be improved by running squid and/or a caching DNS server on
> the firewall?  How can I analyse where the holdup is?  For all
> I know, it could be network congestion on their LAN, how can I measure this?

This is a common problem with ADSL and MTUs. The LAN machines are
configured with a 1500 byte MTU and send those through the ADSL Router
which has a smaller MTU.  This causes fragmentation which causes a
slowdown or timeouts.

There's a couple of things to do but which is the magic one depends on
what's running and how it's configured.

Check your firewall settings and make sure certain icmps can get back to
the LAN (Type 3). This is for PMTUD. This is all that should be needed
however.

Another possibility is to reduce the MSS to something lower.  Look on the

http://www.roaringpenguin.com/pppoe/how-to-connect.txt
section 8 and I should be the key

A caching DNS is something I would recommend, as it allows you to
describe your LAN in DNS speak. A proxy on the firewall could remove
this effect as well, as it wouldn't be forwarding between two different
MTU interfaces.

karl.

 
 
 

Web browsing problems on LAN through RH7.2 ipchains firewall

Post by Antony Gelber » Sun, 12 May 2002 00:12:39



> This is a common problem with ADSL and MTUs. The LAN machines are
> configured with a 1500 byte MTU and send those through the ADSL Router
> which has a smaller MTU.  This causes fragmentation which causes a
> slowdown or timeouts.

> There's a couple of things to do but which is the magic one depends on
> what's running and how it's configured.

> Check your firewall settings and make sure certain icmps can get back to
> the LAN (Type 3). This is for PMTUD. This is all that should be needed
> however.

> Another possibility is to reduce the MSS to something lower.  Look on the

> http://www.roaringpenguin.com/pppoe/how-to-connect.txt
> section 8 and I should be the key

> A caching DNS is something I would recommend, as it allows you to
> describe your LAN in DNS speak. A proxy on the firewall could remove
> this effect as well, as it wouldn't be forwarding between two different
> MTU interfaces.

> karl.

Thanks Karl, that's a real eye-opener.

Just to clarify my understanding...  The LAN has an MTU of 1500, however
the router's smaller MTU means that the MTU for a communication from the
LAN to the outside world is limited by the router.  Generally speaking, the
MTU must be constant end-to-end.

So the protocol to set this is PMTUD, hence the need for that to get
through the firewall.  Does PMTUD run on a per connection basis, or just
once on host startup?  Does PMTUD override static MTU settings?

I do not fancy setting the MTU on every workstation, and I guess if PMTUD
worked, I wouldn't have to do that?  And if I can't get the firewall to
allow PMTUD through, I should be able to bodge things by changing the MTU
on my LAN hosts.

Is there any way that I can test whether PMTUD is working or not, given the
intermittent nature of the connectivity problems?

Any errors in the above gratefully received...  :)

Antony

 
 
 

Web browsing problems on LAN through RH7.2 ipchains firewall

Post by Karl Heye » Sun, 12 May 2002 03:32:37



> Just to clarify my understanding...  The LAN has an MTU of 1500, however
> the router's smaller MTU means that the MTU for a communication from the
> LAN to the outside world is limited by the router.  Generally speaking, the
> MTU must be constant end-to-end.

There's a static MTU attached to each interface and typically it is
1500 bytes, although it can be less say in the case of ppp (ADSL being
an example of that).  More specifically the optimum MTU for a route is
the smallest MTU along that route.  Up to recently it hasn't been an
issue as most dialup users (one end of a route) were using 1500 or
lower (eg 576) but more recently links such as ADSL (for LANs
specifically) and too strict firewalls cause major problems.

> So the protocol to set this is PMTUD, hence the need for that to get
> through the firewall.  Does PMTUD run on a per connection basis, or just
> once on host startup?  Does PMTUD override static MTU settings?

Path MTU Discovery is a technique to discover that smallest MTU along
a route, it doesn't change the MTU on your interface. The technique
involves sending a packet as normal with the DF flag set, and if some
hop along the way cannot handle that size packet then an ICMP (type 3
code 4) is sent back. If the client receives the icmp then it
re-transmits using a smaller packet.

The MTU discovered from PMTUD is calculated on a per connection basis,
so a subsequent connection will go through it again.

In the DF set but firewall blocking all icmp case then timeouts will
occur if a MTU smaller than the client is involved. In the non DF
case then fragmentation (slow transfers) will occur if a smaller MTU
is required.

Reducing the MTU on the workstation is fine to test the connection.

> I do not fancy setting the MTU on every workstation, and I guess if PMTUD
> worked, I wouldn't have to do that?  And if I can't get the firewall to
> allow PMTUD through, I should be able to bodge things by changing the MTU
> on my LAN hosts.

There's a couple of issues here, one, the DF flag (needed for PMTUD) may
not be set by the client (workstation) so what happens is your ADSL
router has to do twice as much work, slowing transfers or timing out
the client, two, what MTU size do you set on the workstation, while the
ADSL MTU is over 1400, other hops in a route may be less.  This can show
up if things like VPNs are involved.

> Is there any way that I can test whether PMTUD is working or not, given the
> intermittent nature of the connectivity problems?

ping is your best utility. From the workstation use ping, supply the
don't fragment flag and supply a size option. Note that the size is not
including the icmp header (1500 is ping payload 1472 IIRC).

> Any errors in the above gratefully received...  :)

The best option is to allow icmp type 3 code 4 back to your
workstations through the firewall and have the workstation enable
DF, While the clampMSS option works fine, it only works for TCP (and
it's really a hack).

karl.

 
 
 

Web browsing problems on LAN through RH7.2 ipchains firewall

Post by Berk S. Daemo » Sun, 12 May 2002 17:58:17



> Hi,

> I am having a few problems with a Red Hat 7.2 firewall running ipchains.

> The setup is ISP -> ADSL Router -> Firewall -> Hub (rest of LAN).

> The workstations on the LAN are configured to query DNS servers of the ISP,
> and the firewall as the default gateway.

> The problem is Internet browsing.  Unfortunately I am not on site at the
> moment so I can't see the problems for myself, but the users are
> complaining of slow connections to some web sites, and even timeouts.  I am
> not sure how reproducible the problems are, but I would like to know if
> there is anything obviously wrong with the above setup.

> Would things be improved by running squid and/or a caching DNS server on
> the firewall?  How can I analyse where the holdup is?  For all
> I know, it could be network congestion on their LAN, how can I measure this?

> Any help would be very much appreciated, I have just about run out of
> ideas...

> Tony

You're using RedHat as a firewall? Oh damn! Use something more reliable, and
secure.
 
 
 

Web browsing problems on LAN through RH7.2 ipchains firewall

Post by Antony Gelber » Wed, 15 May 2002 09:17:03



> The best option is to allow icmp type 3 code 4 back to your
> workstations through the firewall and have the workstation enable
> DF, While the clampMSS option works fine, it only works for TCP (and
> it's really a hack).

Thanks Karl.  I could not get PMTUD to work, try as I might.  I checked and
re-checked the firewall rules, and no luck.  Strangely, putting -l on the
relevant rules didn't log any destination-unreachable or
fragmentation-necessary packets.  Anyway, I installed squid, works like a
charm.  :-)

Now, I have a slightly different problem.  Sendmail (which is running on the
firewall) appears to be spawning some "hanging" processes.  Could this be
due to the firewall not being able to handle PMTUD?  Maybe there is another
router out there that can't handle PMTUD, which could be the cause of my
woes.  How can I find out if this is the case, in which case I guess I have
no option but to lower my MTU?

Antony

 
 
 

Web browsing problems on LAN through RH7.2 ipchains firewall

Post by Karl Heye » Wed, 15 May 2002 21:55:28



> Thanks Karl.  I could not get PMTUD to work, try as I might.  I checked and
> re-checked the firewall rules, and no luck.  Strangely, putting -l on the
> relevant rules didn't log any destination-unreachable or
> fragmentation-necessary packets.  Anyway, I installed squid, works like a
> charm.  :-)

installing squid is a work around for web access, it does not actually
solve the problem.

To see the whole PMTUD in operation look into using
tcpdump -n -i ethN icmp
and send a large ping packet from the LAN.  If a

> Now, I have a slightly different problem.  Sendmail (which is running on the
> firewall) appears to be spawning some "hanging" processes.  Could this be
> due to the firewall not being able to handle PMTUD?  Maybe there is another
> router out there that can't handle PMTUD, which could be the cause of my
> woes.  How can I find out if this is the case, in which case I guess I have
> no option but to lower my MTU?

It's possible, If the ADSL router is a separate piece of equipment then
it could be doing ICMP blocking itself.  This sort of thing is fairly
common as many admins don't think icmp is actually important, but it is.
So it may not actually be your firewall that is causing the problem.

Can you verify if traceroute works for you, maybe try pinging the ISP
servers, then try pinging with a large packet.
By having a tcpdump -n -i (external interface) you should see the icmps
going out and icmps coming in.

Can you post/email the ifconfig, so that I know what you have
configured.

karl.

 
 
 

Web browsing problems on LAN through RH7.2 ipchains firewall

Post by Antony Gelber » Thu, 16 May 2002 03:47:29



> To see the whole PMTUD in operation look into using
> tcpdump -n -i ethN icmp
> and send a large ping packet from the LAN.  If a

Karl,

Any chance of finishing this sentence?  Quite crucial...  :)

Antony

 
 
 

Web browsing problems on LAN through RH7.2 ipchains firewall

Post by Karl Heye » Thu, 16 May 2002 04:16:04





>> To see the whole PMTUD in operation look into using
>> tcpdump -n -i ethN icmp
>> and send a large ping packet from the LAN.  If a

> Karl,

> Any chance of finishing this sentence?  Quite crucial...  :)

sorry about that, getting interrupted...

I was referring to monitoring the packets on the outgoing interface.
The tcpdump will show the packets going out, and there should be
an icmp coming back.  This icmp coming back may be an icmp reply,
indicating the destination received it and sent something back,
unfragmented but you might instead get a different icmp back indicating
a re-transmission of a smaller size.   If you don't get anything then
that will be

I can talk about the theory but unless you can show us the output
I'm really just fighting in the dark.

As a test on mine, I tried ping -s 1472 www.google.com with tcpdump
running and received the icmps (1500 bytes in size), but I'm not in the
same situation as you as you have a reduced MTU near end.

karl.
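Karl's DF ping test (the "don't fragment flag plus a size option" advice above) and his later ping -s 1472 check, as an added shell example that is not part of the thread: it binary-searches the largest MTU that a DF-set ping gets through, which is the value PMTUD would discover. It assumes a Linux iputils ping (-M do sets DF, -s sets the payload); the host 192.0.2.1 and the 1492-byte fake path are constructed values so the search logic can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original thread. Finds the path MTU from a LAN
# workstation by sending DF-set pings of decreasing size, as Karl describes.
# Assumes Linux iputils ping: -M do sets DF, -s sets the ICMP payload size.
# The 28-byte overhead is the 20-byte IPv4 header plus the 8-byte ICMP header,
# so a 1500-byte packet is "-s 1472" (the IIRC value in the thread).

# payload_for_mtu MTU -> ICMP payload that fills an MTU-sized packet
payload_for_mtu() { echo $(( $1 - 28 )); }

# probe_real HOST PAYLOAD -> 0 if a DF ping of that payload gets a reply.
# A failure here is either a "fragmentation needed" ICMP (type 3 code 4)
# or a timeout, which is what happens when the firewall blocks that ICMP.
probe_real() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_pmtu HOST PROBE [LOW] [HIGH] -> largest MTU between LOW and HIGH whose
# DF probe succeeds; prints 0 and fails if even LOW (576, the old dialup
# floor) gets nothing back, which points at ICMP/echo being blocked rather
# than at an MTU problem. PROBE is a function name so a fake can be injected.
find_pmtu() {
    host=$1; probe=$2; lo=${3:-576}; hi=${4:-1500}
    "$probe" "$host" "$(payload_for_mtu "$lo")" || { echo 0; return 1; }
    if "$probe" "$host" "$(payload_for_mtu "$hi")"; then echo "$hi"; return 0; fi
    # invariant from here on: lo passes, hi fails
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$(payload_for_mtu "$mid")"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# Constructed stand-in for a PPPoE-over-ADSL hop with a 1492-byte MTU, so the
# search can be checked without a network. probe_fake mimics probe_real's
# success/failure contract for a packet of PAYLOAD + 28 bytes.
FAKE_PATH_MTU=1492
probe_fake() { [ $(( $2 + 28 )) -le "$FAKE_PATH_MTU" ]; }

# Real run: ./pmtu.sh <host> from a LAN workstation behind the firewall.
if [ -n "${1:-}" ]; then
    echo "Path MTU to $1: $(find_pmtu "$1" probe_real)"
fi
```

If the result is 0 with a host that answers ordinary pings, the DF pings are being silently dropped somewhere, which matches the symptom in the thread where -l on the ipchains rules logged no fragmentation-needed packets at all.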

 
 
 

Web browsing problems on LAN through RH7.2 ipchains firewall

Post by James Knot » Thu, 16 May 2002 05:13:38



>> To see the whole PMTUD in operation look into using
>> tcpdump -n -i ethN icmp
>> and send a large ping packet from the LAN.  If a

> Karl,

> Any chance of finishing this sentence?  Quite crucial...  :)

Maybe he's having problems getting through his firewall.  ;-)

--

All the facts above are true, except for the ones I made up.


james.knott.

 
 
 

How to browse internet thru' LAN's MS proxy server (also serving as firewall)

Hi,

Recently, I installed Redhat Linux 7.0 at my office computer.  Our intranet
uses all Microsoft stuff and all my colleagues use windows boxes.

I could manage to connect my linux box to internal LAN successfully (also
could browse the network neighbourhood by using Samba server).  We have DHCP
server on our LAN.  So, I have used DHCP client protocol for my Linux box.
So during login, I could automatically get private IP address, gateway, IP
address of internal DNS server correctly.  These things I confirmed by
checking relevant configuration files (like /etc/resolv.conf ,
/etc/sysconfig/network ...) in my linux box.

But, I can't get authenticated by our firewall ( of course, in netscape, proxy
server options , I have entered correct address of our internal firewall &
port). Another thing, I observed, if use "connect thru' proxy server option
in netscape, I can't even surf our INTRANET sites.  But if I change, options
to " direct connection to internet" in Netscape, I could surf the INTRANET
sites.

But same thing, If I do using Winnt system, I could successfully get
authenticated thru' our firewall to browse the internet.

We use MS proxy server 2.0.  Another interesting thing I observed is:
When I use WINNT system & start IE5.5 for internet browsing, during
authentication process, there are 3 fields displayed

field#1 : username
field#2 : password
field#3 : domainname

But , When I use my Linux box & start Netscape 4.75, during authentication
process, only first two fields are displayed. I don't know why.  Is this
creating problem..

Could anybody help me, why I am not able to connect my Linux box to internet
thru MS proxy server.

thanx in advance.

DJ Rao
