strange routing (NAT?) issues

Hello group.

First things first, here are the settings of my router/server:

## Inteface settings
thor linux # ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master bond0 qlen 1000
link/ether 00:e0:81:b3:35:46 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master bond0 qlen 1000
link/ether 00:e0:81:b3:35:46 brd ff:ff:ff:ff:ff:ff
4: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue
link/ether 00:e0:81:b3:35:46 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.10/24 brd 192.168.10.255 scope global bond0
inet6 fe80::2e0:81ff:feb3:3546/64 scope link tentative
valid_lft forever preferred_lft forever
5: vlan2@bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue
link/ether 00:e0:81:b3:35:46 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.1/24 brd 192.168.2.255 scope global vlan2
inet6 fe80::2e0:81ff:feb3:3546/64 scope link tentative
valid_lft forever preferred_lft forever
6: vlan3@bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue
link/ether 00:e0:81:b3:35:46 brd ff:ff:ff:ff:ff:ff
inet 192.168.3.1/24 brd 192.168.3.255 scope global vlan3
inet6 fe80::2e0:81ff:feb3:3546/64 scope link tentative
valid_lft forever preferred_lft forever
7: vlan256@bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue
link/ether 00:e0:81:b3:35:46 brd ff:ff:ff:ff:ff:ff
inet6 fe80::2e0:81ff:feb3:3546/64 scope link tentative
valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 100
link/[65534]
inet 192.168.22.1 peer 192.168.22.2/32 scope global tun0
15: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast qlen 3
link/ppp
inet 88.217.41.111 peer 82.135.16.28/32 scope global ppp0

## Route settings
thor linux # ip route show
82.135.16.28 dev ppp0 proto kernel scope link src 88.217.41.111
192.168.22.2 dev tun0 proto kernel scope link src 192.168.22.1
192.168.22.0/24 via 192.168.22.2 dev tun0
192.168.3.0/24 dev vlan3 proto kernel scope link src 192.168.3.1
192.168.2.0/24 dev vlan2 proto kernel scope link src 192.168.2.1
192.168.10.0/24 dev bond0 proto kernel scope link src 192.168.10.10
127.0.0.0/8 dev lo scope link
default via 82.135.16.28 dev ppp0

## filter iptables
thor linux # iptables -L -v -t filter
Chain INPUT (policy ACCEPT 24M packets, 29G bytes)
pkts bytes target prot opt in out source destination

1555K 1033M ACCEPT all -- ppp0 any anywhere anywhere state RELATED,ESTABLISHED
366 26329 ACCEPT icmp -- ppp0 any anywhere anywhere
1632 97804 ACCEPT tcp -- ppp0 any anywhere anywhere tcp dpt:ssh
2 84 ACCEPT udp -- ppp0 any anywhere anywhere udp dptpenvpn
0 0 ACCEPT tcp -- ppp0 any anywhere anywhere tcp dptpenvpn
5076 465K ACCEPT udp -- ppp0 any anywhere anywhere udp dpts:6880:6899
0 0 ACCEPT tcp -- ppp0 any anywhere anywhere tcp dpts:6880:6889
150 7552 REJECT tcp -- ppp0 any anywhere anywhere tcp dpts:0:1024 reject-with icmp-port-unreachable
1 78 REJECT udp -- ppp0 any anywhere anywhere udp dpts:0:1024 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 2944K packets, 2258M bytes)
pkts bytes target prot opt in out source destination
1627 306K REJECT udp -- any any anywhere anywhere udp dpt:ipp reject-with icmp-port-unreachable
0 0 REJECT udp -- any any anywhere anywhere udp dptrinter reject-with icmp-port-unreachable
1 44 REJECT tcp -- any any anywhere anywhere tcp dpt:ipp reject-with icmp-port-unreachable
1 44 REJECT tcp -- any any anywhere anywhere tcp dptrinter reject-with icmp-port-unreachable
0 0 REJECT udp -- any any anywhere anywhere udp spt:ipp reject-with icmp-port-unreachable
0 0 REJECT udp -- any any anywhere anywhere udp sptrinter reject-with icmp-port-unreachable
0 0 REJECT tcp -- any any anywhere anywhere tcp spt:ipp reject-with icmp-port-unreachable
0 0 REJECT tcp -- any any anywhere anywhere tcp sptrinter reject-with icmp-port-unreachable
1870 318K ACCEPT all -- !ppp0 ppp0 anywhere anywhere
2747K 3277M ACCEPT all -- ppp0 any anywhere anywhere state RELATED,ESTABLISHED
0 0 REJECT all -- ppp0 any anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 22M packets, 15G bytes)
pkts bytes target prot opt in out source destination

## nat iptables
thor linux # iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 108K packets, 13M bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 10560 packets, 895K bytes)
pkts bytes target prot opt in out source destination
62457 4478K MASQUERADE all -- any ppp0 anywhere anywhere
0 0 MASQUERADE all -- any any 192.168.22.0/24 anywhere

Chain OUTPUT (policy ACCEPT 37396 packets, 2642K bytes)
pkts bytes target prot opt in out source destination

### That's it

In case all this is confusing, short description of the setup. bond0
enslaves eth0 and eth1, both connected to a Layer2 managed switch.
This switch has 4 VLANs configured. The default one, plus vlan2, vlan3
and vlan256. My DSL modem (acting as a PPPoE bridge) is connected to a
vlan256 trunked/access port (in laymans terms, vlan256 acts like a
separate NIC with the connector being a designated port (range) on the
switch). vlan2 and vlan3 are two separate workgroups. The iptables are
setup to block IPP (CUPS) traffic, so that each workgroup can see only
the own printers. ppp0 is created by the pppd on behalf of the PPPoE
connection to my ISP. And on tun0 sits a OpenVPN deamon, which's
incoming connections are masqueraded (VPN clients may be in IPv4
networks clashing with my networks IP range).

Now my problem (ATM I noticed it with HTTP connections only, but this
is nor exclusive): From hosts in my local net conntections to some hosts
in the internet I can do a SYN, I get an ACK, but there's no response
data arriving. The connections simply timeouts. And I don't have the
slightest clue, what might cause this, since _most_ (100% > x > 95%) of the
connections work flawlessly.

Sites not reachable are (I just tested a few well known ones):
https://www.dresdner-privat.de (online banking)
http://thepiratebay.org
http://torrentfreak.com

And from the Intel download server I get lousy transfer rates, about
50Bytes/s (Byte, not KBytes, not MBytes, not GBytes, just Bytes).
http://download.intel.com



Most other sites work flawlessly, but for completenes this is my control group:
http://google.com
http://heise.de (german IT news)
http://golem.de (another german IT news)
http://mininova.org (thought BitTorrent sites may be similair)
http://blog.fefe.de
http://userfriendly.org
http://xkcd.com
http://gentoo.org

Does anyone have a slight idea, what might cause this problem?

Wolfgang

Wolfgang Draxinger wrote:

> Does anyone have a slight idea, what might cause this problem?

Okay, I figured it out: The sites with problems were those, where
Path-MTU-Discovery reported to large values for routed packages (correct
value only for direct connection). Adding the following rule to iptables
solved it:

iptables -t filter -A FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clam-mss-to-pmtu

Wolfgang