MPD and fragmentation
Artyom Viklenko
artem at aws-net.org.ua
Thu Jul 26 12:13:29 UTC 2007
Mihai Tanasescu wrote:
> Artyom Viklenko wrote:
>> If you use PF, try to add rule
>>
>> scrub in all fragment reassemble no-df
>>
>> And VERY carefully check your ruleset. Maybe you block icmp in some
>> place and PMTU doesn't work.
>>
>> As a last resort you can add
>> max-mss <some-size> to scrub rule. <some-size> may be some value in
>> range of 1300-1460.
>>
>> Sometimes it helps.
>>
>
> Tried playing with the pf options.
>
> I have removed from mpd the iface mtu option and now I only have set
> iface mtu 1460.
>
> Still when trying to access www.msn.com (and similar sites) I see with
> tcpdump:
From my systems www.msn.com resolves to 65.54.152.126.

When I connect from my book to my FreeBSD router with pptp, I see an MTU of 1396 bytes
on the ng interface:

    ng5: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1396
            inet 192.168.35.254 --> 192.168.35.1 netmask 0xffffffff

I connect to the Internet via ADSL/PPPoE, which runs to the same FreeBSD router with mpd.
MTU is 1496. In pf I have

    scrub in all fragment reassemble no-df max-mss 1452

so MSS is not affected by max-mss when a TCP connection is established from the notebook.
But www.msn.com sends packets with mss = 1356 bytes, which corresponds to the ng
interface MTU of 1396.

The router runs FreeBSD 5.5 with mpd 3.18 - yes, I have plans to upgrade :)

In mpd.conf my pptp server is configured with

pptp_std:
    set bundle enable compression
    set bundle disable multilink
    set bundle enable noretry
    set bundle max-logins 0
    set bundle enable radius-auth
    set bundle enable radius-acct
    set iface disable on-demand
    set iface disable proxy-arp
    set iface idle 1800
    set iface enable tcpmssfix
    set iface mtu 1460
    set iface enable radius-idle radius-session radius-route
    set link yes acfcomp protocomp
    set link yes pap
    set link enable chap-md5 chap-msv1 chap-msv2 chap
    set link mtu 1460
    set link mru 1460
    set link keep-alive 10 60
    set link max-redial -1
    set ipcp yes vjcomp
    set ipcp dns 192.168.32.253 192.168.32.254
    set ipcp nbns 192.168.32.253
    set ipcp ranges 192.168.35.254/32 192.168.35.1/28
    set ipcp enable radius-ip
    set ccp yes mppc
    set ccp yes mpp-e40
    set ccp yes mpp-e56
    set ccp yes mpp-e128
    set ccp yes mpp-stateless
    set pptp enable incoming
    set pptp disable originate
    set pptp disable windowing
    set pptp disable delayed-ack
    set radius retries 3
    set radius timeout 3
    set radius server 192.168.32.253 XXXXXXXXXXXXXXX 1812 1813
    set radius me 192.168.32.254
    set radius acct-update 300

All works fine. :)
>
> After lowering the MSS from pf the communication started like this:
>
> 11:25:02.980179 IP (tos 0x0, ttl 127, id 31152, offset 0, flags [DF],
> proto: TCP (6), length: 48) 86.105.56.134.65390 > 207.68.183.32.80: S,
> cksum 0x977a (correct), 942644994:942644994(0) win 65535 <mss
> 1300,nop,nop,sackOK>
> (the outgoing mss got lowered to 1300)
>
> 86.105.56.134 = my test IP address on which I'm NAT-ing packets from ng0
> with pf
>
> 11:25:03.190826 IP (tos 0x0, ttl 63, id 40014, offset 0, flags [none],
> proto: TCP (6), length: 44) 207.68.183.32.80 > 86.105.56.134.65390: S,
> cksum 0x5fb4 (correct), 3691466834:3691466834(0) ack 942644995 win 8190
> <mss 1400>
> 11:25:03.191677 IP (tos 0x0, ttl 127, id 31155, offset 0, flags [DF],
> proto: TCP (6), length: 40) 86.105.56.134.65390 > 207.68.183.32.80: .,
> cksum 0x9733 (correct), 1:1(0) ack 1 win 65535
> 11:25:03.192210 IP (tos 0x0, ttl 127, id 31157, offset 0, flags [DF],
> proto: TCP (6), length: 804) 86.105.56.134.65390 > 207.68.183.32.80: P
> 1:765(764) ack 1 win 65535
> 11:25:03.422363 IP (tos 0x0, ttl 63, id 40290, offset 0, flags [DF],
> proto: TCP (6), length: 1440) 207.68.183.32.80 > 86.105.56.134.65390: P
> 1:1401(1400) ack 765 win 8190
> 11:25:03.422417 IP (tos 0x0, ttl 64, id 58490, offset 0, flags [DF],
> proto: ICMP (1), length: 56) 86.105.56.134 > 207.68.183.32: ICMP
> 86.105.56.134 unreachable - need to frag (mtu 1396), length 36
> IP (tos 0x0, ttl 63, id 40290, offset 0, flags [DF], proto: TCP
> (6), length: 1440) 207.68.183.32.80 > 86.105.56.134.65390: [|tcp]
>
> This is the ng0 established MTU:
>
> ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1396
> inet 192.168.1.129 --> 192.168.1.130 netmask 0xffffffff
>
> I have upgraded MPD to 4.2
>
> pkg_info | grep mpd
> mpd-4.2.2 Multi-link PPP daemon based on netgraph(4)
>
> I have disabled windowing:
> set pptp disable windowing
>
> I have enabled the multilink for a test:
> set bundle enable multilink
>
> The Ethernet interface (rl0 - 86.105.56.134) that is used both as the
> endpoint for tunnel connections and for NAT for anything not destined to
> the local net:
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>
> Also I'm upgrading the system today from 6.1 to 6.2.
>
> I tried transferring data inside my net without going through the pf NAT
> but unfortunately I'm not seeing any problem here that could help me
> replicate the icmp unreachable need frag mtu 1396 problem.
>
>
> Have you got any more ideas on what I should try?
--
Sincerely yours,
Artyom Viklenko.
-------------------------------------------------------
artem at aws-net.org.ua | http://www.aws-net.org.ua/~artem
FreeBSD: The Power to Serve - http://www.freebsd.org
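
An added example, not part of the original message and not code from mpd or pf: a Python check over the tcpdump lines quoted in this thread (unwrapped onto one line each and trimmed) that extracts the advertised MSS values and the ICMP need-to-frag MTU, flags the packets that do not fit, and derives the MSS that fits the tunnel MTU. The names `analyze`, `TRACE` and `IP_TCP_HEADERS` are hypothetical, and the 40-byte overhead assumes IPv4 and TCP headers without options.

```python
import re

# Trace lines from the tcpdump output quoted in the thread, unwrapped onto one
# line each and trimmed to the fields this check reads.
TRACE = """\
11:25:02.980179 IP (flags [DF], proto: TCP (6), length: 48) 86.105.56.134.65390 > 207.68.183.32.80: S, <mss 1300,nop,nop,sackOK>
11:25:03.190826 IP (flags [none], proto: TCP (6), length: 44) 207.68.183.32.80 > 86.105.56.134.65390: S, ack 942644995 <mss 1400>
11:25:03.422363 IP (flags [DF], proto: TCP (6), length: 1440) 207.68.183.32.80 > 86.105.56.134.65390: P 1:1401(1400) ack 765 win 8190
11:25:03.422417 IP (flags [DF], proto: ICMP (1), length: 56) 86.105.56.134 > 207.68.183.32: ICMP 86.105.56.134 unreachable - need to frag (mtu 1396), length 36
"""

HDR = re.compile(r"flags \[(\w+)\], proto: (\w+) \(\d+\), length: (\d+)\) "
                 r"(\S+) > (\S+?): (.*)")
IP_TCP_HEADERS = 40  # assumption: 20-byte IPv4 + 20-byte TCP header, no options

def analyze(trace):
    """Return (path_mtu, mss_that_fits, findings) for tcpdump -v text lines."""
    mss_by_host, packets, mtu = {}, [], None
    for line in trace.splitlines():
        m = HDR.search(line)
        if not m:
            continue
        flags, proto, length, src, dst, rest = m.groups()
        if proto == "ICMP":
            frag = re.search(r"need to frag \(mtu (\d+)\)", rest)
            if frag:
                mtu = int(frag.group(1))   # MTU reported by the router
        elif proto == "TCP":
            opt = re.search(r"<mss (\d+)", rest)
            if opt:                        # SYN or SYN/ACK: MSS this host accepts
                mss_by_host[src] = int(opt.group(1))
            data = re.search(r"\d+:\d+\((\d+)\)", rest)
            payload = int(data.group(1)) if data else 0
            packets.append((src, dst, flags, int(length), payload))
    findings = []
    for src, dst, flags, length, payload in packets:
        if mtu and flags == "DF" and length > mtu:
            findings.append(f"{src}: {length}-byte DF packet exceeds path MTU {mtu}")
        # A sender is expected to stay within the MSS its peer advertised.
        if payload > mss_by_host.get(dst, payload):
            findings.append(f"{src}: {payload}-byte segment exceeds MSS "
                            f"{mss_by_host[dst]} advertised by {dst}")
    return mtu, (mtu - IP_TCP_HEADERS if mtu else None), findings
```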