* [gentoo-user] PMTUD
@ 2013-08-27 8:10 Grant
2013-08-27 14:27 ` Mick
0 siblings, 1 reply; 18+ messages in thread
From: Grant @ 2013-08-27 8:10 UTC (permalink / raw
To: Gentoo mailing list
How is PMTUD enabled/disabled on Gentoo? I've recently been made
aware of the existence of MTU and I'm wondering if mine is set
properly for a cell phone tethered connection.
- Grant
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] PMTUD
2013-08-27 8:10 [gentoo-user] PMTUD Grant
@ 2013-08-27 14:27 ` Mick
2013-09-01 7:40 ` Grant
0 siblings, 1 reply; 18+ messages in thread
From: Mick @ 2013-08-27 14:27 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: Text/Plain, Size: 486 bytes --]
On Tuesday 27 Aug 2013 09:10:39 Grant wrote:
> How is PMTUD enabled/disabled on Gentoo? I've recently been made
> aware of the existence of MTU and I'm wondering if mine is set
> properly for a cell phone tethered connection.
>
> - Grant
# sysctl -A | grep -i pmtu
net.ipv4.ip_no_pmtu_disc = 0
net.ipv4.route.min_pmtu = 552
Use echo to change a value as required and then modify your /etc/sysctl.d/
accordingly (first read /etc/sysctl.d/README)
--
Regards,
Mick
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 490 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] PMTUD
2013-08-27 14:27 ` Mick
@ 2013-09-01 7:40 ` Grant
2013-09-01 8:37 ` Mick
0 siblings, 1 reply; 18+ messages in thread
From: Grant @ 2013-09-01 7:40 UTC (permalink / raw
To: Gentoo mailing list
>> How is PMTUD enabled/disabled on Gentoo? I've recently been made
>> aware of the existence of MTU and I'm wondering if mine is set
>> properly for a cell phone tethered connection.
Thanks Mick. Can you generally rely on PMTUD to set the MTU optimally
or should this be experimented with when changing connections?
- Grant
> # sysctl -A | grep -i pmtu
> net.ipv4.ip_no_pmtu_disc = 0
> net.ipv4.route.min_pmtu = 552
>
> Use echo to change a value as required and then modify your /etc/sysctl.d/
> accordingly (first read /etc/sysctl.d/README)
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] PMTUD
2013-09-01 7:40 ` Grant
@ 2013-09-01 8:37 ` Mick
2013-09-01 10:31 ` Grant
2013-09-01 11:17 ` Grant
0 siblings, 2 replies; 18+ messages in thread
From: Mick @ 2013-09-01 8:37 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: Text/Plain, Size: 2152 bytes --]
On Sunday 01 Sep 2013 08:40:20 Grant wrote:
> >> How is PMTUD enabled/disabled on Gentoo? I've recently been made
> >> aware of the existence of MTU and I'm wondering if mine is set
> >> properly for a cell phone tethered connection.
>
> Thanks Mick. Can you generally rely on PMTUD to set the MTU optimally
> or should this be experimented with when changing connections?
Short answer: default Linux machine settings behave properly as network
devices and acknowledge packets larger than their MTU value with the
appropriate response.
Longer answer:
Communications between IPv4 end points use PMTUD by setting a Don't Fragment
(DF) bit in the headers of the outgoing packet. If a router/server along the
path has a smaller MTU, it will drop that packet and respond with an ICMP
'Destination Unreachable -- Fragmentation Needed' packet including its smaller
MTU value. Upon receiving this smaller packet value the initiating host will
dynamically reduce the size of the outgoing packets, until the packet arrives
at its intended destination. PMTUD should always be switched on in any well
behaving network implementation, but here's the rub: some network nodes,
firewalls, servers are configured to never respond with *any* ICMP packets
(because they think that this is a way to avoid DDoS problems and the like).
Therefore, the initiating host keeps sending large packets never knowing that
they are dropped on the way. This network problem is known as a PMTUD black
hole and is explained better here:
http://tools.ietf.org/html/rfc2923
Some MSWindows servers were notoriously bad at this, but I think that modern
configurations have corrected their buggy ways. Linux machines have PMTUD
switched on by default and behave properly.
If you are still troubled by the proxy connection stalling problem, have you
tried transferring large files over the network using scp/sftp to see if you
are also getting similar symptoms? This would isolate it to the application
level (squid) or if the problem remains would point to network configuration
issues.
--
Regards,
Mick
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 490 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] PMTUD
2013-09-01 8:37 ` Mick
@ 2013-09-01 10:31 ` Grant
2013-09-01 12:00 ` Mick
2013-09-01 11:17 ` Grant
1 sibling, 1 reply; 18+ messages in thread
From: Grant @ 2013-09-01 10:31 UTC (permalink / raw
To: Gentoo mailing list
>> Thanks Mick. Can you generally rely on PMTUD to set the MTU optimally
>> or should this be experimented with when changing connections?
>
> Short answer: default Linux machine settings behave properly as network
> devices and acknowledge packets larger than their MTU value with the
> appropriate response.
>
> Longer answer:
>
> Communications between IPv4 end points use PMTUD by setting a Don't Fragment
> (DF) bit in the headers of the outgoing packet. If a router/server along the
> path has a smaller MTU, it will drop that packet and respond with an ICMP
> 'Destination Unreachable -- Fragmentation Needed' packet including its smaller
> MTU value. Upon receiving this smaller packet value the initiating host will
> dynamically reduce the size of the outgoing packets, until the packet arrives
> at its intended destination. PMTUD should always be switched on in any well
> behaving network implementation, but here's the rub: some network nodes,
> firewalls, servers are configured to never respond with *any* ICMP packets
> (because they think that this is a way to avoid DDoS problems and the like).
> Therefore, the initiating host keeps sending large packets never knowing that
> they are dropped on the way. This network problem is known as a PMTUD black
> hole and is explained better here:
>
> http://tools.ietf.org/html/rfc2923
>
> Some MSWindows servers were notoriously bad at this, but I think that modern
> configurations have corrected their buggy ways. Linux machines have PMTUD
> switched on by default and behave properly.
Got it, thank you.
> If you are still troubled by the proxy connection stalling problem, have you
> tried transferring large files over the network using scp/sftp to see if you
> are also getting similar symptoms? This would isolate it to the application
> level (squid) or if the problem remains would point to network configuration
> issues.
How can I make this determination? I'm testing a 50MB scp over hotel
wifi from my laptop to the remote proxy server now (with squid running
in case it matters) and it seems OK. It oscillates constantly between
0.0KB/s and 80.0KB/s. As soon as I start browsing via the proxy
server, the upload frequently goes to "stalled" but I suppose that
could be a bandwidth issue. Browsing still stalls before very long.
- Grant
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] PMTUD
2013-09-01 8:37 ` Mick
2013-09-01 10:31 ` Grant
@ 2013-09-01 11:17 ` Grant
2013-09-01 12:57 ` Mick
1 sibling, 1 reply; 18+ messages in thread
From: Grant @ 2013-09-01 11:17 UTC (permalink / raw
To: Gentoo mailing list
> Communications between IPv4 end points use PMTUD by setting a Don't Fragment
> (DF) bit in the headers of the outgoing packet. If a router/server along the
> path has a smaller MTU, it will drop that packet and respond with an ICMP
> 'Destination Unreachable -- Fragmentation Needed' packet including its smaller
> MTU value. Upon receiving this smaller packet value the initiating host will
> dynamically reduce the size of the outgoing packets, until the packet arrives
> at its intended destination. PMTUD should always be switched on in any well
> behaving network implementation, but here's the rub: some network nodes,
> firewalls, servers are configured to never respond with *any* ICMP packets
> (because they think that this is a way to avoid DDoS problems and the like).
> Therefore, the initiating host keeps sending large packets never knowing that
> they are dropped on the way. This network problem is known as a PMTUD black
> hole and is explained better here:
Could ICMP packets not getting through be to blame for my proxy server
problem? My laptop can't seem to ping anyone (blocked at the firewall
in this hotel I suppose) and certainly the proxy server can't ping my
laptop.
- Grant
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] PMTUD
2013-09-01 10:31 ` Grant
@ 2013-09-01 12:00 ` Mick
2013-09-01 12:09 ` Grant
0 siblings, 1 reply; 18+ messages in thread
From: Mick @ 2013-09-01 12:00 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: Text/Plain, Size: 1251 bytes --]
On Sunday 01 Sep 2013 11:31:10 Grant wrote:
> > If you are still troubled by the proxy connection stalling problem, have
> > you tried transferring large files over the network using scp/sftp to
> > see if you are also getting similar symptoms? This would isolate it to
> > the application level (squid) or if the problem remains would point to
> > network configuration issues.
>
> How can I make this determination? I'm testing a 50MB scp over hotel
> wifi from my laptop to the remote proxy server now (with squid running
> in case it matters) and it seems OK. It oscillates constantly between
> 0.0KB/s and 80.0KB/s. As soon as I start browsing via the proxy
> server, the upload frequently goes to "stalled" but I suppose that
> could be a bandwidth issue. Browsing still stalls before very long.
The oscillation is related to buffering and is normal. If you are getting
longer stalling periods where no packets are being transmitted then there
could be a network problem. iptraf-ng, ntop and other tools can show if
packets have stopped moving in either direction.
From what you're describing the problem seems related to the squid
application, since scp is not seeing similar timeouts.
--
Regards,
Mick
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 490 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] PMTUD
2013-09-01 12:00 ` Mick
@ 2013-09-01 12:09 ` Grant
0 siblings, 0 replies; 18+ messages in thread
From: Grant @ 2013-09-01 12:09 UTC (permalink / raw
To: Gentoo mailing list
>> > If you are still troubled by the proxy connection stalling problem, have
>> > you tried transferring large files over the network using scp/sftp to
>> > see if you are also getting similar symptoms? This would isolate it to
>> > the application level (squid) or if the problem remains would point to
>> > network configuration issues.
>>
>> How can I make this determination? I'm testing a 50MB scp over hotel
>> wifi from my laptop to the remote proxy server now (with squid running
>> in case it matters) and it seems OK. It oscillates constantly between
>> 0.0KB/s and 80.0KB/s. As soon as I start browsing via the proxy
>> server, the upload frequently goes to "stalled" but I suppose that
>> could be a bandwidth issue. Browsing still stalls before very long.
>
> The oscillation is related to buffering and is normal. If you are getting
> longer stalling periods where no packets are being transmitted then there
> could be a network problem. iptraf-ng, ntop and other tools can show if
> packets have stopped moving in either direction.
>
> From what you're describing the problem seems related to the squid
> application, since scp is not seeing similar timeouts.
Strangely, the ziproxy application behaves in exactly the same way.
- Grant
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] PMTUD
2013-09-01 11:17 ` Grant
@ 2013-09-01 12:57 ` Mick
2013-09-01 13:59 ` Grant
0 siblings, 1 reply; 18+ messages in thread
From: Mick @ 2013-09-01 12:57 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: Text/Plain, Size: 2721 bytes --]
On Sunday 01 Sep 2013 12:17:28 Grant wrote:
> > Communications between IPv4 end points use PMTUD by setting a Don't
> > Fragment (DF) bit in the headers of the outgoing packet. If a
> > router/server along the path has a smaller MTU, it will drop that packet
> > and respond with an ICMP 'Destination Unreachable -- Fragmentation
> > Needed' packet including its smaller MTU value. Upon receiving this
> > smaller packet value the initiating host will dynamically reduce the
> > size of the outgoing packets, until the packet arrives at its intended
> > destination. PMTUD should always be switched on in any well behaving
> > network implementation, but here's the rub: some network nodes,
> > firewalls, servers are configured to never respond with *any* ICMP
> > packets (because they think that this is a way to avoid DDoS problems
> > and the like). Therefore, the initiating host keeps sending large
> > packets never knowing that they are dropped on the way. This network
> > problem is known as a PMTUD blackhole and is explained better here:
>
> Could ICMP packets not getting through be to blame for my proxy server
> problem? My laptop can't seem to ping anyone (blocked at the firewall
> in this hotel I suppose) and certainly the proxy server can't ping my
> laptop.
Not all ICMP packets are relevant to detecting the MTU of a node. A correctly
implemented node will return an ICMP Fragmentation Needed (Type 3, Code 4)
packet, with its MTU value. This kind of ICMP packets should not be blocked
at firewalls. Use ping with the do not fragment option to see if packets
above a certain size time out, i.e. they are dropped by some offending node on
the way.
ping -c 6 -n -M do -s 1472 <server_address>
This will send 6 packets to your server's address having set the do not
fragment bit. The packet payload size is set at 1472 to allow for 28 bytes
that are taken up by the IP and ICMP header data. So the total packet size
would be 1472+28=1500, the usual ethernet packet size.
If the MTU of the server is less than 1500 bytes, you will get a response
containing "Frag needed and DF set", otherwise you will get pong responses,
like e.g.
1480 bytes from XXX.XX.XXX.XXX: icmp_seq=1 ttl=121 time=66.5 ms
If there is a black hole in the circuit you will be getting timeouts. Start
reducing the size of the packet if you are getting time outs, say by 10 bytes
at a time. When you arrive at or below the corresponding size of the MTU of a
blackhole you will start getting responses.
Of course, if the hotel's firewall is blocking all outgoing/incoming pings
this sort of diagnostic test will not be useful.
--
Regards,
Mick
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 490 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] PMTUD
2013-09-01 12:57 ` Mick
@ 2013-09-01 13:59 ` Grant
2013-09-01 15:43 ` Mick
0 siblings, 1 reply; 18+ messages in thread
From: Grant @ 2013-09-01 13:59 UTC (permalink / raw
To: Gentoo mailing list
>> Could ICMP packets not getting through be to blame for my proxy server
>> problem? My laptop can't seem to ping anyone (blocked at the firewall
>> in this hotel I suppose) and certainly the proxy server can't ping my
>> laptop.
>
> Not all ICMP packets are relevant to detecting the MTU of a node. A correctly
> implemented node will return an ICMP Fragmentation Needed (Type 3, Code 4)
> packet, with its MTU value. This kind of ICMP packets should not be blocked
> at firewalls. Use ping with the do not fragment option to see if packets
> above a certain size time out, i.e. they are dropped by some offending node on
> the way.
>
> ping -c 6 -n -M do -s 1472 <server_address>
I get "Frag needed and DF set (mtu = 1492)" when pinging google.com.
I get normal replies with -s 1464. ifconfig shows my WAN interface at
MTU 1500 so PMTUD must change the MTU for communication with
google.com if I understand correctly.
> Of course, if the hotel's firewall is blocking all outgoing/incoming pings
> this sort of diagnostic test will not be useful.
I actually only lose pings to my own remote system so I've started a
new thread about that. I tried down to -s 1 but still 100% packet
loss there.
- Grant
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] PMTUD
2013-09-01 13:59 ` Grant
@ 2013-09-01 15:43 ` Mick
2013-09-01 16:17 ` Grant
0 siblings, 1 reply; 18+ messages in thread
From: Mick @ 2013-09-01 15:43 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: Text/Plain, Size: 1984 bytes --]
On Sunday 01 Sep 2013 14:59:19 Grant wrote:
> >> Could ICMP packets not getting through be to blame for my proxy server
> >> problem? My laptop can't seem to ping anyone (blocked at the firewall
> >> in this hotel I suppose) and certainly the proxy server can't ping my
> >> laptop.
> >
> > Not all ICMP packets are relevant to detecting the MTU of a node. A
> > correctly implemented node will return an ICMP Fragmentation Needed
> > (Type 3, Code 4) packet, with its MTU value. This kind of ICMP packets
> > should not be blocked at firewalls. Use ping with the do not fragment
> > option to see if packets above a certain size time out, i.e. they are
> > dropped by some offending node on the way.
> >
> > ping -c 6 -n -M do -s 1472 <server_address>
>
> I get "Frag needed and DF set (mtu = 1492)" when pinging google.com.
> I get normal replies with -s 1464. ifconfig shows my WAN interface at
> MTU 1500 so PMTUD must change the MTU for communication with
> google.com if I understand correctly.
The hotel's router/modem may be using PPPoE to authenticate with their ISP,
which has a larger header size and requires an MTU of 1492 (1464+28=1492)
So, although your NIC is configured to the full ethernet MTU size, the router
drops the size down to 1492 to be able to squeeze it out through the ISP's
network. That's all good and proper and will not cause the timeout problem
you have been experiencing.
> > Of course, if the hotel's firewall is blocking all outgoing/incoming
> > pings this sort of diagnostic test will not be useful.
>
> I actually only lose pings to my own remote system so I've started a
> new thread about that. I tried down to -s 1 but still 100% packet
> loss there.
Have you checked that the firewall at your server is not set to drop all ICMP
packets and that you don't have something like this set up on it:
net.ipv4.icmp_echo_ignore_all = 0
(use sysctl to check)
--
Regards,
Mick
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 490 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] PMTUD
2013-09-01 15:43 ` Mick
@ 2013-09-01 16:17 ` Grant
2013-09-01 16:53 ` Mick
0 siblings, 1 reply; 18+ messages in thread
From: Grant @ 2013-09-01 16:17 UTC (permalink / raw
To: Gentoo mailing list
> The hotel's router/modem may be using PPPoE to authenticate with their ISP,
> which has a larger header size and requires an MTU of 1492 (1464+28=1492)
>
> So, although your NIC is configured to the full ethernet MTU size, the router
> drops the size down to 1492 to be able to squeeze it out through the ISP's
> network. That's all good and proper and will not cause the timeout problem
> you have been experiencing.
OK, does PMTUD lower the outgoing packet size on my system due to the
hotel router's lower MTU or does the hotel router itself fragment my
1500 byte packets in order to send them out? Just curious.
> Have you checked that the firewall at your server is not set to drop all ICMP
> packets and that you don't have something like this set up on it:
>
> net.ipv4.icmp_echo_ignore_all = 0
>
> (use sysctl to check)
I get this which looks OK:
# sysctl -a|grep icmp_echo_ignore_all
net.ipv4.icmp_echo_ignore_all = 0
Nikos mentioned in the other thread that I may need to configure ICMP
on my server's modem/router which I will be able to try tomorrow.
- Grant
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] PMTUD
2013-09-01 16:17 ` Grant
@ 2013-09-01 16:53 ` Mick
2013-09-01 17:54 ` Grant
0 siblings, 1 reply; 18+ messages in thread
From: Mick @ 2013-09-01 16:53 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: Text/Plain, Size: 527 bytes --]
On Sunday 01 Sep 2013 17:17:37 Grant wrote:
> OK, does PMTUD lower the outgoing packet size on my system due to the
> hotel router's lower MTU or does the hotel router itself fragment my
> 1500 byte packets in order to send them out? Just curious.
If you are sending out packets with the DF bit set no fragmentation will take
place - the packet is dropped and an appropriate message is returned to
sender. Otherwise the router will fragment them and send them on to the
recipient address.
--
Regards,
Mick
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 490 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] PMTUD
2013-09-01 16:53 ` Mick
@ 2013-09-01 17:54 ` Grant
2013-09-01 18:51 ` Mick
0 siblings, 1 reply; 18+ messages in thread
From: Grant @ 2013-09-01 17:54 UTC (permalink / raw
To: Gentoo mailing list
>> OK, does PMTUD lower the outgoing packet size on my system due to the
>> hotel router's lower MTU or does the hotel router itself fragment my
>> 1500 byte packets in order to send them out? Just curious.
>
> If you are sending out packets with the DF bit set no fragmentation will take
> place - the packet is dropped and an appropriate message is returned to
> sender. Otherwise the router will fragment them and send them on to the
> recipient address.
Shouldn't PMTUD change my MTU based on the hotel router's lower MTU?
- Grant
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] PMTUD
2013-09-01 17:54 ` Grant
@ 2013-09-01 18:51 ` Mick
2013-09-02 18:34 ` Grant
0 siblings, 1 reply; 18+ messages in thread
From: Mick @ 2013-09-01 18:51 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: Text/Plain, Size: 1758 bytes --]
On Sunday 01 Sep 2013 18:54:45 Grant wrote:
> >> OK, does PMTUD lower the outgoing packet size on my system due to the
> >> hotel router's lower MTU or does the hotel router itself fragment my
> >> 1500 byte packets in order to send them out? Just curious.
> >
> > If you are sending out packets with the DF bit set no fragmentation will
> > take place - the packet is dropped and an appropriate message is
> > returned to sender. Otherwise the router will fragment them and send
> > them on to the recipient address.
>
> Shouldn't PMTUD change my MTU based on the hotel router's lower MTU?
Yes, it should. At the start of the connection the sender sends DF in the
header to find out what is the MRU that the network nodes will support. Then
sends packets of the appropriate size so that they get through with no
fragmentation. This is the optimal scenario.
Now, imagine another scenario where some router/firewall/server does not send
back the correct ICMP packet with its required MRU, or even worse it sends
back a 1500 (full ethernet) size with DF set, or also drops fragments ... This
reminds me of MSN IM which was a particularly bad implementation back when.
The sender may eventually try a smaller packet, after initially increasing the
time it waits for a response, and you could well get something through 30
seconds later, or even give up and time out.
If you are using Shorewall at your remote server I would expect it to behave
properly and return the correct ICMP packet when it receives a DF. However, I
am not familiar with the Shorewall properties and settings, so if you suspect
this as the cause of your problem it would be better if you look into it
properly.
--
Regards,
Mick
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 490 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] PMTUD
2013-09-01 18:51 ` Mick
@ 2013-09-02 18:34 ` Grant
2013-09-02 22:29 ` Mick
0 siblings, 1 reply; 18+ messages in thread
From: Grant @ 2013-09-02 18:34 UTC (permalink / raw
To: Gentoo mailing list
>> >> OK, does PMTUD lower the outgoing packet size on my system due to the
>> >> hotel router's lower MTU or does the hotel router itself fragment my
>> >> 1500 byte packets in order to send them out? Just curious.
>> >
>> > If you are sending out packets with the DF bit set no fragmentation will
>> > take place - the packet is dropped and an appropriate message is
>> > returned to sender. Otherwise the router will fragment them and send
>> > them on to the recipient address.
>>
>> Shouldn't PMTUD change my MTU based on the hotel router's lower MTU?
>
> Yes, it should. At the start of the connection the sender sends DF in the
> header to find out what is the MRU that the network nodes will support. Then
> sends packets of the appropriate size so that they get through with no
> fragmentation. This is the optimal scenario.
>
> Now, imagine another scenario where some router/firewall/server does not send
> back the correct ICMP packet with its required MRU, or even worse it sends
> back a 1500 (full ethernet) size with DF set, or also drops fragments ... This
> reminds me of MSN IM which was a particularly bad implementation back when.
>
> The sender may eventually try a smaller packet, after initially increasing the
> time it waits for a response, and you could well get something through 30
> seconds later, or even give up and time out.
Here's my layout:
laptop+shorewall (MTU:1500) -> hotel router (MTU:?) -> internet ->
Westell modem/router (MTU:1492) -> desktop+shorewall (MTU:1500)
Shouldn't PMTUD change the desktop's MTU to 1492? Is the fact that it
doesn't due to a flaw in the Westell's operation? Should I manually
change the desktop's MTU to 1492 along with that of other systems on
its LAN?
> If you are using Shorewall at your remote server I would expect it to behave
> properly and return the correct ICMP packet when it receives a DF. However, I
> am not familiar with the Shorewall properties and settings, so if you suspect
> this as the cause of your problem it would be better if you look into it
> properly.
So I'm sure I understand, this doesn't apply if ICMP is dropped at the Westell?
- Grant
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] PMTUD
2013-09-02 18:34 ` Grant
@ 2013-09-02 22:29 ` Mick
2013-09-05 12:52 ` Grant
0 siblings, 1 reply; 18+ messages in thread
From: Mick @ 2013-09-02 22:29 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: Text/Plain, Size: 1796 bytes --]
On Monday 02 Sep 2013 19:34:25 Grant wrote:
> Here's my layout:
>
> laptop+shorewall (MTU:1500) -> hotel router (MTU:?) -> internet ->
> Westell modem/router (MTU:1492) -> desktop+shorewall (MTU:1500)
>
> Shouldn't PMTUD change the desktop's MTU to 1492?
Your desktop's PMTUD will get an ICMP response from Westell as it tries to
traverse through it and it will adjust the outgoing packet size accordingly.
Ditto with your laptop, when it tries to establish a connection with your
desktop.
> Is the fact that it
> doesn't due to a flaw in the Westell's operation? Should I manually
> change the desktop's MTU to 1492 along with that of other systems on
> its LAN?
It won't harm if you do. However, we don't know for a *fact* that the Westell
is not returning the appropriate ICMP packets (Type 3, Code 4) to your laptop,
or your desktop.
You can use tcpdump to see what's being sent back and forth.
> > If you are using Shorewall at your remote server I would expect it to
> > behave properly and return the correct ICMP packet when it receives a
> > DF. However, I am not familiar with the Shorewall properties and
> > settings, so if you suspect this as the cause of your problem it would
> > be better if you look into it properly.
>
> So I'm sure I understand, this doesn't apply if ICMP is dropped at the
> Westell?
ICMP echo request may be dropped by Westell's firewall, but ICMP Type 3, Code
4 could well be returned when a TCP connection is being initiated by your
laptop. I don't know how ham-fisted Westell's firewall settings are.
Meanwhile, stating the obvious, have you tried using the desktop squid proxy
while you are inside your LAN with the same laptop to see if the problem
remains?
--
Regards,
Mick
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 490 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] PMTUD
2013-09-02 22:29 ` Mick
@ 2013-09-05 12:52 ` Grant
0 siblings, 0 replies; 18+ messages in thread
From: Grant @ 2013-09-05 12:52 UTC (permalink / raw
To: Gentoo mailing list
>> Here's my layout:
>>
>> laptop+shorewall (MTU:1500) -> hotel router (MTU:?) -> internet ->
>> Westell modem/router (MTU:1492) -> desktop+shorewall (MTU:1500)
>>
>> Shouldn't PMTUD change the desktop's MTU to 1492?
>
> Your desktop's PMTUD will get an ICMP response from Westell as it tries to
> traverse through it and it will adjust the outgoing packet size accordingly.
>
> Ditto with your laptop, when it tries to establish a connection with your
> desktop.
>
>
>> Is the fact that it
>> doesn't due to a flaw in the Westell's operation? Should I manually
>> change the desktop's MTU to 1492 along with that of other systems on
>> its LAN?
>
> It won't harm if you do. However, we don't know for a *fact* that the Westell
> is not returning the appropriate ICMP packets (Type 3, Code 4) to your laptop,
> or your desktop.
>
> You can use tcpdump to see what's being sent back and forth.
Ah, so PMTUD doesn't actually change the setting reported by ifconfig.
It's done on-the-fly.
>> > If you are using Shorewall at your remote server I would expect it to
>> > behave properly and return the correct ICMP packet when it receives a
>> > DF. However, I am not familiar with the Shorewall properties and
>> > settings, so if you suspect this as the cause of your problem it would
>> > be better if you look into it properly.
>>
>> So I'm sure I understand, this doesn't apply if ICMP is dropped at the
>> Westell?
>
> ICMP echo request may be dropped by Westell's firewall, but ICMP Type 3, Code
> 4 could well be returned when a TCP connection is being initiated by your
> laptop. I don't know how ham-fisted Westell's firewall settings are.
>
> Meanwhile, stating the obvious, have you tried using the desktop squid proxy
> while you are inside your LAN with the same laptop to see if the problem
> remains?
That's a fine idea and I will do so once I get back there. Thanks for
the education Mick. :)
- Grant
^ permalink raw reply [flat|nested] 18+ messages in thread
end of thread, other threads:[~2013-09-05 12:52 UTC | newest]
Thread overview: 18+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-08-27 8:10 [gentoo-user] PMTUD Grant
2013-08-27 14:27 ` Mick
2013-09-01 7:40 ` Grant
2013-09-01 8:37 ` Mick
2013-09-01 10:31 ` Grant
2013-09-01 12:00 ` Mick
2013-09-01 12:09 ` Grant
2013-09-01 11:17 ` Grant
2013-09-01 12:57 ` Mick
2013-09-01 13:59 ` Grant
2013-09-01 15:43 ` Mick
2013-09-01 16:17 ` Grant
2013-09-01 16:53 ` Mick
2013-09-01 17:54 ` Grant
2013-09-01 18:51 ` Mick
2013-09-02 18:34 ` Grant
2013-09-02 22:29 ` Mick
2013-09-05 12:52 ` Grant
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox