Date: Thu, 2 Nov 2000 23:46:28 -0800 From: "Timothy L. Robertson" <timothyr@timothyr.com> To: <freebsd-stable@freebsd.org> Subject: Flaky IP Connection Message-ID: <NEBBKDBFKKIDPAPJPFOPEEOECGAA.timothyr@timothyr.com>
next in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Everyone,
I've been having problems with my PPPoE connection. It works fine
most of the time, but sometimes connections hang. On repeatable time
seems to be when I cvsup, but it also seems to hang when sendmail
exchanges certain messages with my ISP's SMTP server. I've found
that this icmp packet, which shows up when connections hang, seems to
suggest
the problem:
tcpdump -vvv -X -i tun0 -s 2000 icmp
tcpdump: listening on tun0
20:06:30.673201 165.247.202.104 > 165.247.202.104: icmp:
165.247.202.104 unreachable - need to frag (mtu 1480) for
165.247.202.104.iad2 > 165.247.202.104.cvsup: [|tcp] (DF) (ttl 64, id
1920, bad cksum 0!) (ttl 255, id 1921)
0x0000 4500 0038 0781 0000 ff01 d383 a5f7 ca68 E..8...........h
0x0010 a5f7 ca68 0304 7dc7 0000 05c8 4500 05dc ...h..}.....E...
0x0020 0780 4000 4006 0000 a5f7 ca68 a5f7 ca68 ..@.@......h...h
0x0030 0407 176f 150c 95c6
This confuses me a little, because my MTUs are set to 1492, not 1480:
bash-2.03$ ifconfig
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1492
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::202:b3ff:fe03:aae1%fxp0 prefixlen 64 scopeid 0x1
ether 00:02:b3:03:aa:e1
media: autoselect (100baseTX) status: active
supported media: autoselect 100baseTX <full-duplex> 100baseTX
10baseT/UTP <full-duplex> 10baseT/UTP
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1492
inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
inet6 fe80::201:2ff:fe48:ad91%xl0 prefixlen 64 scopeid 0x2
ether 00:01:02:48:ad:91
media: 10baseT/UTP (10baseT/UTP <half-duplex>)
supported media: 10baseT/UTP <full-duplex> 10baseT/UTP
<half-duplex> 10baseT/UTP
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8000<MULTICAST> mtu 1500
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0xb
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
tun0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> mtu 1492
inet6 fe80::202:b3ff:fe03:aae1%tun0 --> :: prefixlen 64
scopeid 0xc
inet 165.247.202.104 --> 165.247.202.1 netmask 0xffffffff
Opened by PID 107
My best guess about what's happening is that sometimes a packet of
length > 1480 bytes gets sent out, somehow gets diverted back to my
own interface (by NAT or ipfw?) and then gets stuck by this 1480 MTU. Is
this
a bug or do I have something misconfigured? Why does tcpdump report a
different MTU than ifconfig? Any help appreciated.
Thanks,
- -Tim
timothyr@timothyr.com
More Info:
scarlet:~<538> uname -a
FreeBSD scarlet.timothyr.net 4.1.1-STABLE FreeBSD 4.1.1-STABLE #0: Sat Oct
21
00:16:25 PDT 2000
timothyr@scarlet.timothyr.net:/usr/obj/usr/src/sys/DSLROUTE i386
scarlet:/etc/firewall<540> cat fwrules
# Firewall rules
# Written by Marc Silver (marcs@draenor.org)
# http://draenor.org/ipfw
# Freely distributable
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw"
# Force a flushing of the current rules before we reload.
$fwcmd -f flush
# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via tun0
# Allow all data from my network card and localhost. Make sure you
# change your network card (mine was fxp0) before you reboot. :)
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via fxp0
$fwcmd add pass all from any to any frag
# Allow ICMP (for ping and traceroute to work). You may wish to
# disallow this, but I feel it suits my needs to keep them in.
$fwcmd add allow icmp from any to any
#Debug Open Firewall
#$fwcmd add allow ip from any to any
##$fwcmd add allow udp from any to any
# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit tun0 setup
# Once connections are made, allow them to stay open.
$fwcmd add allow tcp from any to any via tun0 established
# Everyone on the internet is allowed to connect to the following
# services on the machine. This example shows that people may connect
# to ssh and apache.
#$fwcmd add allow tcp from any to any 80 setup #http
$fwcmd add allow tcp from any to any 22 setup #ssh
$fwcmd add allow tcp from any to any 25 setup #sendmail
$fwcmd add allow tcp from any to any 110 setup #pop3
$fwcmd add allow tcp from any to any 5999 #cvsup
$fwcmd add allow udp from any to any 123 #ntpd
# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to any 113 in recv tun0
# Allow outgoing DNS queries ONLY to the specified servers.
$fwcmd add allow udp from any to 207.69.188.185 53 out xmit tun0
$fwcmd add allow udp from any to 207.69.188.186 53 out xmit tun0
$fwcmd add allow udp from any to 207.69.188.187 53 out xmit tun0
# Root Servers
$fwcmd add allow udp from any to 198.41.0.4 53 out xmit tun0
$fwcmd add allow udp from any to 128.9.0.107 53 out xmit tun0
$fwcmd add allow udp from any to 192.33.4.12 53 out xmit tun0
$fwcmd add allow udp from any to 128.8.10.90 53 out xmit tun0
$fwcmd add allow udp from any to 192.203.230.10 53 out xmit tun0
$fwcmd add allow udp from any to 192.5.5.241 53 out xmit tun0
$fwcmd add allow udp from any to 192.112.36.4 53 out xmit tun0
$fwcmd add allow udp from any to 128.63.2.53 53 out xmit tun0
$fwcmd add allow udp from any to 192.36.148.17 53 out xmit tun0
$fwcmd add allow udp from any to 198.41.0.10 53 out xmit tun0
$fwcmd add allow udp from any to 193.0.14.129 53 out xmit tun0
$fwcmd add allow udp from any to 198.32.64.12 53 out xmit tun0
$fwcmd add allow udp from any to 202.12.27.33 53 out xmit tun0
# Allow them back in with the answers... :)
$fwcmd add allow udp from 207.69.188.185 53 to any in recv tun0
$fwcmd add allow udp from 207.69.188.186 53 to any in recv tun0
$fwcmd add allow udp from 207.69.188.187 53 to any in recv tun0
# Root Servers
$fwcmd add allow udp from 198.41.0.4 53 to any in recv tun0
$fwcmd add allow udp from 128.9.0.107 53 to any in recv tun0
$fwcmd add allow udp from 192.33.4.12 53 to any in recv tun0
$fwcmd add allow udp from 128.8.10.90 53 to any in recv tun0
$fwcmd add allow udp from 192.203.230.10 53 to any in recv tun0
$fwcmd add allow udp from 192.5.5.241 53 to any in recv tun0
$fwcmd add allow udp from 192.112.36.4 53 to any in recv tun0
$fwcmd add allow udp from 128.63.2.53 53 to any in recv tun0
$fwcmd add allow udp from 192.36.148.17 53 to any in recv tun0
$fwcmd add allow udp from 198.41.0.10 53 to any in recv tun0
$fwcmd add allow udp from 193.0.14.129 53 to any in recv tun0
$fwcmd add allow udp from 198.32.64.12 53 to any in recv tun0
$fwcmd add allow udp from 202.12.27.33 53 to any in recv tun0
# Deny all the rest.
$fwcmd add 65435 deny log ip from any to any
scarlet:~<505> cat /etc/rc.conf
# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.
network_interfaces="auto"
ifconfig_xl0="inet 10.0.0.2 netmask 255.255.255.0 mtu 1492"
ifconfig_fxp0="inet 192.168.1.1 netmask 255.255.255.0 mtu 1492"
#ifconfig_ep0="inet 10.0.0.2 netmask 255.255.255.0 mtu 1492"
#ifconfig_xl0="inet 192.168.1.1 netmask 255.255.255.0 mtu 1462"
hostname="scarlet.timothyr.net"
named_enable="YES"
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="pppoe"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/firewall/fwrules"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-dynamic"
tcp_extensions="NO"
linux_enable="YES"
check_quotas="NO"
moused_type="auto"
moused_enable="YES"
xntpd_enable="YES" # Run ntpd Network Time Protocol (or NO).
xntpd_program="ntpd" # path to ntpd, if you want a different one.
xntpd_flags="-p /var/run/ntpd.pid" # Flags to ntpd (if enabled).
dhcpd_enable="YES"
dhcpd_flags="fxp0 -cf /etc/dhcpd.conf -q"
#snort_enable="YES"
#snort_flags="-Ds -A full -l /usr/local/snortlog -c
/usr/local/share/snort/snort-lib -i tun0"
# -- sysinstall generated deltas -- #
sshd_enable="YES"
# -- sysinstall generated deltas -- #
moused_enable="YES"
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>;
iQA/AwUBOgJtTxJDu7xQsK72EQIaGACdGo4H/T/62CHYlIdVJtusSuj0eHoAn2yn
cp5+8o2VRmmnOagZGiEP3h3w
=/H/f
-----END PGP SIGNATURE-----
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?NEBBKDBFKKIDPAPJPFOPEEOECGAA.timothyr>