Date:      Sun, 23 Sep 2001 17:22:45 -0600 (MDT)
From:      ken@kdm.org
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/30775: natd doesn't work with Path MTU discovery
Message-ID:  <200109232322.RAA04727@panzer.kdm.org>


>Number:         30775
>Category:       kern
>Synopsis:       natd doesn't work with Path MTU discovery
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Sep 23 16:30:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Kenneth D. Merry
>Release:        FreeBSD 4.4-STABLE i386
>Organization:
KDM Enterprises
>Environment:

A 4.4-stable (or most any other version of FreeBSD) box with two nics.  One
is on the 'external' net, one on the internal net (with RFC 1918
addresses).

ipfw and natd are configured to provide NAT functionality.

>Description:

natd doesn't handle need-to-frag ICMP packets coming back from the router,
so the machine behind the NAT box doesn't know that it needs to reduce the
route MTU for a given site.

>How-To-Repeat:

Crank up tcpdump on the NAT box and a machine behind the NAT.

At least in my case, go to www.schwab.com using a web browser on a machine
behind the NAT, and watch the tcpdump output.  I see ICMP need-to-frag
packets coming back into the NAT box on the external interface, but they
aren't sent back to the machine behind the NAT box.

The problem with www.schwab.com may or may not be reproducible, depending on
whether the problem is closer to me or closer to schwab.

In any case, natd should handle ICMP need to frag packets, since TCP Path
MTU discovery doesn't work without them.

>Fix:

potential work-arounds:

Run an application proxy server on a machine that isn't behind natd.

Run the application on a machine that isn't behind natd.

Investigate whether ipfilter's NAT code can handle path MTU discovery.

>Release-Note:
>Audit-Trail:
>Unformatted:
