Odd Masq/NAT problem under 2.4.22

 
 
Mark Olbert
      01-17-2004, 03:05 AM
I'm trying to bring up a linuxfromscratch server as a replacement for an old, much-patched Caldera
box. This system will do a number of things, but mostly it will act as a firewall/router for a
private 192.168.1.x network.

I'm running into problems getting NAT/masquerading to work. I've compiled every netfilter option
into the kernel (except for ipchains and ipfwadm stuff), turned on forwarding in /proc/..., etc.,
and the system >>almost<< works. But not quite.

When I try to access the internet from a private network client, here's what happens:

1) I can do bind lookups, no problem

2) I can ping anything I want on my intranet or the internet without any problems

3) I can ftp to an internet site and browse directories (I didn't try downloading anything)

but browser/http access is either non-existent or very, very, very slow (and this is over a DSL
connection which, using the old firewall/router was very, very fast). Interesting, the browser can
"resolve" the site (i.e., it says "opening www.somesite.com..."), but the actual loading is very
slow or never happens.

I realize this is pretty sketchy information, but does it strike a bell with anyone? Any ideas as to
how I can fix this problem?

Thanx in advance!

- Mark
 
Horst Knobloch
      01-17-2004, 11:15 AM
Mark Olbert <(E-Mail Removed)> wrote:

[...]
> When I try to access the internet from a private network client, here's
> what happens:
>
> 1) I can do bind lookups, no problem
>
> 2) I can ping anything I want on my intranet or the internet without any
> problems
>
> 3) I can ftp to an internet site and browse directories (I didn't try
> downloading anything)
>
> but browser/http access is either non-existent or very, very, very slow
> (and this is over a DSL connection which, using the old firewall/router
> was very, very fast). Interesting, the browser can "resolve" the site
> (i.e., it says "opening www.somesite.com..."), but the actual loading is
> very slow or never happens.
>
> I realize this is pretty sketchy information, but does it strike a bell
> with anyone? Any ideas as to how I can fix this problem?


Are you deploying the same packet filter rules as before?
Do you get any errors/warnings when the packet filter script
is run?
Are you deploying a web proxy on the router?
Download via ftp a file or fetch a bulk of nntp news to verify
whether these protocols are also slowed down or not.
Do you have increasing error counters on the router's interfaces
(use ifconfig)?
Check whether surfing from the router itself is fast as usual.

Your problem could be a Path MTU Discovery (PMTUD) problem.
However not all websites should show this problem. So try a
few others and check whether there is a difference.

For verifying whether it is a PMTUD problem you could also try
to reduce the MTU size of the client's and the router's internal
interface to, say, 1400 bytes and try again. Or you use the
clamp-mss-to-pmtu option with iptables for the outgoing
connections.

If you use a web proxy on the router to access the web, check
whether the router has ECN enabled. If yes, switch it off:

    echo "0" > /proc/sys/net/ipv4/tcp_ecn

If none of the above sheds some light on your problem, then I
think it would be best to capture traffic with tcpdump on
the internal and external interfaces at the same time while
you are surfing from the client.

Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn
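
The PMTUD check suggested in the post above can also be made directly with don't-fragment pings. The script below is an added example, not part of the thread: it assumes iputils ping (`-M do`) and a target that answers ICMP echo, its function names are hypothetical, and it prints (does not apply) the clamp rule the post mentions.

```shell
#!/bin/sh
# Added example: find the largest packet that crosses a path unfragmented,
# then print matching MSS clamp rules. Function names are hypothetical.

# probe SIZE HOST: succeed if an ICMP echo with SIZE payload bytes and the
# Don't Fragment bit set gets a reply (iputils ping; -M do sets DF).
probe() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# path_mtu HOST: binary-search the payload size, print the IP-level MTU.
# 28 = 20-byte IPv4 header + 8-byte ICMP header.
path_mtu() {
    host=$1
    lo=548      # 576-byte datagram, the size every IPv4 host must accept
    hi=1472     # 1500-byte Ethernet MTU
    probe "$lo" "$host" || { echo "no reply from $host" >&2; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo $(( lo + 28 ))
}

# mss_for_mtu MTU: TCP payload per segment (20-byte IP + 20-byte TCP header).
mss_for_mtu() { echo $(( $1 - 40 )); }

# clamp_rules MTU: print two alternative rules for the router; use one.
clamp_rules() {
    echo "# automatic, follows the route's MTU:"
    echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
    echo "# or fixed, from the measured path MTU:"
    echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $(mss_for_mtu "$1")"
}

# Runs only when a target host is given, e.g.: sh pmtu.sh www.example.com
if [ $# -ge 1 ]; then
    mtu=$(path_mtu "$1") || exit 1
    echo "path MTU to $1: $mtu bytes"
    if [ "$mtu" -lt 1500 ]; then clamp_rules "$mtu"; fi
fi
```

A result below 1500 when run from the router, combined with stalled HTTP transfers from the clients, points to the PMTUD problem described in the post.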
 
Charlie Kim
      01-17-2004, 11:15 AM
On Fri, 16 Jan 2004 20:05:12 -0800, Mark Olbert wrote:

> I'm trying to bring up a linuxfromscratch server as a replacement for an old, much-patched Caldera
> box. This system will do a number of things, but mostly it will act as a firewall/router for a
> private 192.168.1.x network.
>
> I'm running into problems getting NAT/masquerading to work. I've compiled every netfilter option
> into the kernel (except for ipchains and ipfwadm stuff), turned on forwarding in /proc/..., etc.,
> and the system >>almost<< works. But not quite.
>
> When I try to access the internet from a private network client, here's what happens:
>
> 1) I can do bind lookups, no problem
>
> 2) I can ping anything I want on my intranet or the internet without any problems
>
> 3) I can ftp to an internet site and browse directories (I didn't try downloading anything)
>
> but browser/http access is either non-existent or very, very, very slow (and this is over a DSL
> connection which, using the old firewall/router was very, very fast). Interesting, the browser can
> "resolve" the site (i.e., it says "opening www.somesite.com..."), but the actual loading is very
> slow or never happens.
>
> I realize this is pretty sketchy information, but does it strike a bell with anyone? Any ideas as to
> how I can fix this problem?
>
> Thanx in advance!
>
> - Mark


I had a similar problem. One way to kludge it is to ping the router from
the client in the background, 'ping your.router > /dev/null 2>&1 &'. I do not
know how and why it overcomes the slowness, but it worked for me.

--
Charlie Kim