View the full version: Packet lost problem



hugo
12-03-2005, 17:46
Hi,

I have a problem with a remote control program. This program connects to my router using port 443, and the router NATs it to my LAN on port 82 to the client computer.

As I explained in a previous thread, for reference (http://wl500g.info/showthread.php?t=1857), this connection is working for my airport router, but not with my Wl-HDD with Oleg's latest firmware.

I've been nailing down the problem using network capture. On the first sample, the connection is correctly established. I've removed previous frames as they have the same size in both cases and they are just setting up the connection.

Here is the good one:

No. Time Source Destination Protocol Info
41 8.828783 192.168.1.10 xxx.xx.x.x TCP 82 > 64267 [PSH, ACK] Seq=582 Ack=909 Win=31860 Len=14

Frame 41 (68 bytes on wire, 68 bytes captured)
Ethernet II, Src: 00:12:79:46:xx:xx, Dst: 00:11:24:00:xx:xx
Internet Protocol, Src Addr: 192.168.1.10 (192.168.1.10), Dst Addr: xxx.xx.x.x (xxx.xx.x.x)
Transmission Control Protocol, Src Port: 82 (82), Dst Port: 64267 (64267), Seq: 582, Ack: 909, Len: 14
Source port: 82 (82)
Destination port: 64267 (64267)
Sequence number: 582 (relative sequence number)
Next sequence number: 596 (relative sequence number)
Acknowledgement number: 909 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 31860
Checksum: 0x808b (correct)
Data (14 bytes)

0000 0e 00 04 03 00 00 00 00 12 00 52 02 e0 01 ..........R...

No. Time Source Destination Protocol Info
42 8.881276 xxx.xx.x.x 192.168.1.10 TCP 64267 > 82 [ACK] Seq=909 Ack=596 Win=63805 Len=0

Frame 42 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:11:24:00:xx:xx, Dst: 00:12:79:46:xx:xx
Internet Protocol, Src Addr: xxx.xx.x.x (xxx.xx.x.x), Dst Addr: 192.168.1.10 (192.168.1.10)
Transmission Control Protocol, Src Port: 64267 (64267), Dst Port: 82 (82), Seq: 909, Ack: 596, Len: 0
Source port: 64267 (64267)
Destination port: 82 (82)
Sequence number: 909 (relative sequence number)
Acknowledgement number: 596 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
Window size: 63805
Checksum: 0x59d1 (correct)
SEQ/ACK analysis
This is an ACK to the segment in frame: 41
The RTT to ACK the segment was: 0.052493000 seconds

No. Time Source Destination Protocol Info
44 9.262571 xxx.xx.x.x 192.168.1.10 TCP 64267 > 82 [ACK] Seq=909 Ack=596 Win=63805 Len=1400

Frame 44 (1454 bytes on wire, 1454 bytes captured)
Ethernet II, Src: 00:11:24:00:xx:xx, Dst: 00:12:79:46:xx:xx
Internet Protocol, Src Addr: xxx.xx.x.x (xxx.xx.x.x), Dst Addr: 192.168.1.10 (192.168.1.10)
Transmission Control Protocol, Src Port: 64267 (64267), Dst Port: 82 (82), Seq: 909, Ack: 596, Len: 1400
Source port: 64267 (64267)
Destination port: 82 (82)
Sequence number: 909 (relative sequence number)
Next sequence number: 2309 (relative sequence number)
Acknowledgement number: 596 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
Window size: 63805
Checksum: 0xd274 (correct)
Data (1400 bytes)


No. Time Source Destination Protocol Info
45 9.264103 xxx.xx.x.x 192.168.1.10 TCP 64267 > 82 [ACK] Seq=2309 Ack=596 Win=63805 Len=1400

Frame 45 (1454 bytes on wire, 1454 bytes captured)
Ethernet II, Src: 00:11:24:00:xx:xx, Dst: 00:12:79:46:xx:xx
Internet Protocol, Src Addr: xxx.xx.x.x (xxx.xx.x.x), Dst Addr: 192.168.1.10 (192.168.1.10)
Transmission Control Protocol, Src Port: 64267 (64267), Dst Port: 82 (82), Seq: 2309, Ack: 596, Len: 1400
Source port: 64267 (64267)
Destination port: 82 (82)
Sequence number: 2309 (relative sequence number)
Next sequence number: 3709 (relative sequence number)
Acknowledgement number: 596 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
Window size: 63805
Checksum: 0xcf8f (correct)
Data (1400 bytes)


No. Time Source Destination Protocol Info
46 9.265309 xxx.xx.x.x 192.168.1.10 TCP 64267 > 82 [PSH, ACK] Seq=3709 Ack=596 Win=63805 Len=1058

Frame 46 (1112 bytes on wire, 1112 bytes captured)
Ethernet II, Src: 00:11:24:00:xx:xx, Dst: 00:12:79:46:xx:xx
Internet Protocol, Src Addr: xxx.xx.x.x (xxx.xx.x.x), Dst Addr: 192.168.1.10 (192.168.1.10)
Transmission Control Protocol, Src Port: 64267 (64267), Dst Port: 82 (82), Seq: 3709, Ack: 596, Len: 1058
Source port: 64267 (64267)
Destination port: 82 (82)
Sequence number: 3709 (relative sequence number)
Next sequence number: 4767 (relative sequence number)
Acknowledgement number: 596 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 63805
Checksum: 0xf6dc (correct)
Data (1058 bytes)


No. Time Source Destination Protocol Info
47 9.265908 192.168.1.10 xxx.xx.x.x TCP 82 > 64267 [ACK] Seq=596 Ack=3709 Win=32768 Len=0

Frame 47 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:12:79:46:xx:xx, Dst: 00:11:24:00:xx:xx
Internet Protocol, Src Addr: 192.168.1.10 (192.168.1.10), Dst Addr: xxx.xx.x.x (xxx.xx.x.x)
Transmission Control Protocol, Src Port: 82 (82), Dst Port: 64267 (64267), Seq: 596, Ack: 3709, Len: 0
Source port: 82 (82)
Destination port: 64267 (64267)
Sequence number: 596 (relative sequence number)
Acknowledgement number: 3709 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
Window size: 32768
Checksum: 0xc81e (correct)
SEQ/ACK analysis
This is an ACK to the segment in frame: 45
The RTT to ACK the segment was: 0.001805000 seconds

No. Time Source Destination Protocol Info
48 9.427169 192.168.1.10 xxx.xx.x.x TCP 82 > 64267 [ACK] Seq=596 Ack=4767 Win=31710 Len=0

Frame 48 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:12:79:46:xx:xx, Dst: 00:11:24:00:xx:xx
Internet Protocol, Src Addr: 192.168.1.10 (192.168.1.10), Dst Addr: xxx.xx.x.x (xxx.xx.x.x)
Transmission Control Protocol, Src Port: 82 (82), Dst Port: 64267 (64267), Seq: 596, Ack: 4767, Len: 0
Source port: 82 (82)
Destination port: 64267 (64267)
Sequence number: 596 (relative sequence number)
Acknowledgement number: 4767 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
Window size: 31710
Checksum: 0xc81e (correct)
SEQ/ACK analysis
This is an ACK to the segment in frame: 46
The RTT to ACK the segment was: 0.161860000 seconds

Data is sent using big packets (1400 bytes).

Everything is fine.

On the bad try on wl-hdd, I have this result: a packet is lost:

hugo
12-03-2005, 17:51
No. Time Source Destination Protocol Info
74 26.952047 xxx.xx.x.x 192.168.1.10 TCP 49962 > 82 [ACK] Seq=909 Ack=582 Win=63659 Len=0

Frame 74 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:11:2f:73:xx:xx, Dst: 00:12:79:46:xx:xx
Internet Protocol, Src Addr: xxx.xx.x.x (xxx.xx.x.x), Dst Addr: 192.168.1.10 (192.168.1.10)
Transmission Control Protocol, Src Port: 49962 (49962), Dst Port: 82 (82), Seq: 909, Ack: 582, Len: 0
Source port: 49962 (49962)
Destination port: 82 (82)
Sequence number: 909 (relative sequence number)
Acknowledgement number: 582 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
Window size: 63659
Checksum: 0xd4f1 (correct)
SEQ/ACK analysis
This is an ACK to the segment in frame: 72
The RTT to ACK the segment was: 0.075595000 seconds

No. Time Source Destination Protocol Info
75 27.131302 xxx.xx.x.x 192.168.1.10 TCP 49962 > 82 [PSH, ACK] Seq=909 Ack=596 Win=63645 Len=1338

Frame 75 (1392 bytes on wire, 1392 bytes captured)
Ethernet II, Src: 00:11:2f:73:xx:xx, Dst: 00:12:79:46:xx:xx
Internet Protocol, Src Addr: xxx.xx.x.x (xxx.xx.x.x), Dst Addr: 192.168.1.10 (192.168.1.10)
Transmission Control Protocol, Src Port: 49962 (49962), Dst Port: 82 (82), Seq: 909, Ack: 596, Len: 1338
Source port: 49962 (49962)
Destination port: 82 (82)
Sequence number: 909 (relative sequence number)
Next sequence number: 2247 (relative sequence number)
Acknowledgement number: 596 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 63645
Checksum: 0xcbc8 (correct)
SEQ/ACK analysis
This is an ACK to the segment in frame: 73
The RTT to ACK the segment was: 0.220716000 seconds
Data (1338 bytes)

No. Time Source Destination Protocol Info
76 27.336533 192.168.1.10 xxx.xx.x.x TCP 82 > 49962 [ACK] Seq=596 Ack=2247 Win=32768 Len=0

Frame 76 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:12:79:46:xx:xx, Dst: 00:11:2f:73:xx:xx
Internet Protocol, Src Addr: 192.168.1.10 (192.168.1.10), Dst Addr: xxx.xx.x.x (xxx.xx.x.x)
Transmission Control Protocol, Src Port: 82 (82), Dst Port: 49962 (49962), Seq: 596, Ack: 2247, Len: 0
Source port: 82 (82)
Destination port: 49962 (49962)
Sequence number: 596 (relative sequence number)
Acknowledgement number: 2247 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
Window size: 32768
Checksum: 0x4855 (correct)
SEQ/ACK analysis
This is an ACK to the segment in frame: 75
The RTT to ACK the segment was: 0.205231000 seconds

No. Time Source Destination Protocol Info
77 30.721010 192.168.1.10 xxx.xx.x.x TCP 82 > 49962 [PSH, ACK] Seq=596 Ack=2247 Win=32768 Len=12

Frame 77 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: 00:12:79:46:xx:xx, Dst: 00:11:2f:73:xx:xx
Internet Protocol, Src Addr: 192.168.1.10 (192.168.1.10), Dst Addr: xxx.xx.x.x (xxx.xx.x.x)
Transmission Control Protocol, Src Port: 82 (82), Dst Port: 49962 (49962), Seq: 596, Ack: 2247, Len: 12
Source port: 82 (82)
Destination port: 49962 (49962)
Sequence number: 596 (relative sequence number)
Next sequence number: 608 (relative sequence number)
Acknowledgement number: 2247 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 32768
Checksum: 0x233f (correct)
Data (12 bytes)

0000 0b 00 01 00 00 00 13 01 e5 00 21 00 ..........!.

No. Time Source Destination Protocol Info
78 30.723469 192.168.1.10 xxx.xx.x.x TCP 82 > 49962 [PSH, ACK] Seq=608 Ack=2247 Win=32768 Len=12

Frame 78 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: 00:12:79:46:xx:xx, Dst: 00:11:2f:73:xx:xx
Internet Protocol, Src Addr: 192.168.1.10 (192.168.1.10), Dst Addr: xxx.xx.x.x (xxx.xx.x.x)
Transmission Control Protocol, Src Port: 82 (82), Dst Port: 49962 (49962), Seq: 608, Ack: 2247, Len: 12
Source port: 82 (82)
Destination port: 49962 (49962)
Sequence number: 608 (relative sequence number)
Next sequence number: 620 (relative sequence number)
Acknowledgement number: 2247 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 32768
Checksum: 0x1933 (correct)
Data (12 bytes)

0000 0b 00 01 00 00 00 13 01 e0 00 30 00 ..........0.

No. Time Source Destination Protocol Info
79 30.789783 xxx.xx.x.x 192.168.1.10 TCP 49962 > 82 [ACK] Seq=2247 Ack=620 Win=63621 Len=0

Frame 79 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:11:2f:73:xx:xx, Dst: 00:12:79:46:xx:xx
Internet Protocol, Src Addr: xxx.xx.x.x (xxx.xx.x.x), Dst Addr: 192.168.1.10 (192.168.1.10)
Transmission Control Protocol, Src Port: 49962 (49962), Dst Port: 82 (82), Seq: 2247, Ack: 620, Len: 0
Source port: 49962 (49962)
Destination port: 82 (82)
Sequence number: 2247 (relative sequence number)
Acknowledgement number: 620 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
Window size: 63621
Checksum: 0xcfb7 (correct)
SEQ/ACK analysis
This is an ACK to the segment in frame: 78
The RTT to ACK the segment was: 0.066314000 seconds

No. Time Source Destination Protocol Info
80 31.030234 xxx.xx.x.x 192.168.1.10 TCP 49962 > 82 [PSH, ACK] Seq=2247 Ack=620 Win=63621 Len=1072

Frame 80 (1126 bytes on wire, 1126 bytes captured)
Ethernet II, Src: 00:11:2f:73:xx:xx, Dst: 00:12:79:46:xx:xx
Internet Protocol, Src Addr: xxx.xx.x.x (xxx.xx.x.x), Dst Addr: 192.168.1.10 (192.168.1.10)
Transmission Control Protocol, Src Port: 49962 (49962), Dst Port: 82 (82), Seq: 2247, Ack: 620, Len: 1072
Source port: 49962 (49962)
Destination port: 82 (82)
Sequence number: 2247 (relative sequence number)
Next sequence number: 3319 (relative sequence number)
Acknowledgement number: 620 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 63621
Checksum: 0xbda1 (correct)
Data (1072 bytes)


No. Time Source Destination Protocol Info
81 31.186223 192.168.1.10 xxx.xx.x.x TCP 82 > 49962 [ACK] Seq=620 Ack=3319 Win=31696 Len=0

Frame 81 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:12:79:46:xx:xx, Dst: 00:11:2f:73:xx:xx
Internet Protocol, Src Addr: 192.168.1.10 (192.168.1.10), Dst Addr: xxx.xx.x.x (xxx.xx.x.x)
Transmission Control Protocol, Src Port: 82 (82), Dst Port: 49962 (49962), Seq: 620, Ack: 3319, Len: 0
Source port: 82 (82)
Destination port: 49962 (49962)
Sequence number: 620 (relative sequence number)
Acknowledgement number: 3319 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
Window size: 31696
Checksum: 0x483d (correct)
SEQ/ACK analysis
This is an ACK to the segment in frame: 80
The RTT to ACK the segment was: 0.155989000 seconds


Here is the lost packet, following this:

hugo
12-03-2005, 17:51
No. Time Source Destination Protocol Info
82 31.330373 xxx.xx.x.x 192.168.1.10 TCP [TCP Previous segment lost] 49962 > 82 [PSH, ACK] Seq=6239 Ack=620 Win=63621 Len=24

Frame 82 (78 bytes on wire, 78 bytes captured)
Ethernet II, Src: 00:11:2f:73:xx:xx, Dst: 00:12:79:46:xx:xx
Internet Protocol, Src Addr: xxx.xx.x.x (xxx.xx.x.x), Dst Addr: 192.168.1.10 (192.168.1.10)
Transmission Control Protocol, Src Port: 49962 (49962), Dst Port: 82 (82), Seq: 6239, Ack: 620, Len: 24
Source port: 49962 (49962)
Destination port: 82 (82)
Sequence number: 6239 (relative sequence number)
Next sequence number: 6263 (relative sequence number)
Acknowledgement number: 620 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 63621
Checksum: 0x5b25 (correct)
SEQ/ACK analysis
TCP Analysis Flags
A segment before this frame was lost
Data (24 bytes)

0000 05 d6 55 81 39 15 98 ae 94 63 f9 0a cc ae c0 32 ..U.9....c.....2
0010 2a 61 ff 01 bc 62 37 a9 *a...b7.

No. Time Source Destination Protocol Info
83 31.333492 192.168.1.10 xxx.xx.x.x TCP [TCP Dup ACK 81#1] 82 > 49962 [ACK] Seq=620 Ack=3319 Win=31696 Len=0 SLE=1365833118 SRE=1365833142

Frame 83 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: 00:12:79:46:xx:xx, Dst: 00:11:2f:73:xx:xx
Internet Protocol, Src Addr: 192.168.1.10 (192.168.1.10), Dst Addr: xxx.xx.x.x (xxx.xx.x.x)
Transmission Control Protocol, Src Port: 82 (82), Dst Port: 49962 (49962), Seq: 620, Ack: 3319, Len: 0
Source port: 82 (82)
Destination port: 49962 (49962)
Sequence number: 620 (relative sequence number)
Acknowledgement number: 3319 (relative ack number)
Header length: 32 bytes
Flags: 0x0010 (ACK)
Window size: 31696
Checksum: 0x83ff (correct)
Options: (12 bytes)
SEQ/ACK analysis
The RTT to ACK the segment was: 1110644376.945946000 seconds
TCP Analysis Flags
This is a TCP duplicate ack
Duplicate ACK #: 1
Duplicate to the ACK in frame: 81

No. Time Source Destination Protocol Info
84 34.130379 192.168.1.10 xxx.xx.x.x TCP 82 > 49962 [PSH, ACK] Seq=620 Ack=3319 Win=31696 Len=12

Frame 84 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: 00:12:79:46:xx:xx, Dst: 00:11:2f:73:xx:xx
Internet Protocol, Src Addr: 192.168.1.10 (192.168.1.10), Dst Addr: xxx.xx.x.x (xxx.xx.x.x)
Transmission Control Protocol, Src Port: 82 (82), Dst Port: 49962 (49962), Seq: 620, Ack: 3319, Len: 12
Source port: 82 (82)
Destination port: 49962 (49962)
Sequence number: 620 (relative sequence number)
Next sequence number: 632 (relative sequence number)
Acknowledgement number: 3319 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 31696
Checksum: 0x2227 (correct)
Data (12 bytes)

0000 0b 00 01 00 00 00 4d 01 ac 00 21 00 ......M...!.

The packet loss is systematic. I get it at each connection. I tried to set MTU to 1400, and to set mss to pmtu, but with no result.

Here is my iptables result:


[admin@wl-hdd root]$ iptables -nL -v
Chain INPUT (policy DROP 1321 packets, 64790 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
5069 446K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
288 17032 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
1783 626K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:15348 flags:0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3000 flags:0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7776 flags:0x16/0x02

Chain FORWARD (policy ACCEPT 412 packets, 40730 bytes)
pkts bytes target prot opt in out source destination
213 10224 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 TCPMSS clamp to PMTU
6018 2981K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
197 9456 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
0 0 ACCEPT icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.5 tcp dpt:4662
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.10 tcp dpt:82
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.10 udp dpt:82
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:6112

Chain OUTPUT (policy ACCEPT 7147 packets, 1846K bytes)
pkts bytes target prot opt in out source destination

Chain MACS (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 tcpmss match 1361:65535TCPMSS set 1360

Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `ACCEPT '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `DROP'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
[admin@wl-hdd root]$ iptables -t nat -nL -v
Chain PREROUTING (policy ACCEPT 1760 packets, 116K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 xx.99.x.xxx tcp dpt:4662 to:192.168.1.5:4662
132 6336 DNAT tcp -- * * 0.0.0.0/0 xx.99.x.xxx tcp dpt:443 to:192.168.1.10:82
0 0 DNAT udp -- * * 0.0.0.0/0 xx.99.x.xxx udp dpt:443 to:192.168.1.10:82
0 0 NETMAP udp -- * * 0.0.0.0/0 xx.99.x.xxx udp spt:6112 192.168.1.0/24

Chain POSTROUTING (policy ACCEPT 426 packets, 23728 bytes)
pkts bytes target prot opt in out source destination
0 0 NETMAP udp -- * * 192.168.1.0/24 0.0.0.0/0 udp dpt:6112 xx.99.x.xxx/32
324 33332 MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0
12 2277 MASQUERADE all -- * br0 192.168.1.0/24 192.168.1.0/24

Chain OUTPUT (policy ACCEPT 318 packets, 20499 bytes)
pkts bytes target prot opt in out source destination

I really don't know what to check next.

Does anybody have an idea?

Thanks

hugo
13-03-2005, 12:37
Found my solution. It looks like PMTU is only calculated for the router, and not for a NATed connection. I had to force the MSS to 1400 in FORWARD and OUTPUT to make it work.

I don't know if this is supposed to work like this, but the clamp mss-to-pmtu doesn't work for NATed connections in this case.

Oleg
13-03-2005, 12:53
hm... do you use pptp?

hugo
13-03-2005, 13:00
no, my connection is direct using pppoe.

But for you to know, the protocol used is a bit special, as the data are sent in the request packet, not the response one. But still, the initial MSS negotiation was always at 1460 on both sides until I forced it, even with the --clamp-mss-to-pmtu parameter.

If you look at my firewall rules, I have a rule with an MSS set to 1360 using this parameter, but the negotiation doesn't give any other result than 1460.

I've set MSS to 1400 in FORWARD and OUTPUT rules, but I think only one was needed.

Strangely enough, the AirPort correctly negotiates the MSS to 1400 without any specific parameter.

hugo
13-03-2005, 13:30
In fact, only the FORWARD rule was needed, not OUTPUT.

Oleg
13-03-2005, 16:40
no, my connection is direct using pppoe.

Well, with PPPoE it should clamp to MTU-40, not the PMTU - have you manually changed iptables?

hugo
13-03-2005, 17:03
I've used the iptables command:


iptables -I FORWARD -p tcp --syn -j TCPMSS --clamp-mss-to-pmtu

Should it be something else?

Oleg
13-03-2005, 17:26
These are the firmware default iptables settings:


-A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1453: -j TCPMSS --set-mss 1452
-A MACS -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1453: -j TCPMSS --set-mss 1452
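
Added example, not part of the thread: a Python sketch that reads the Wireshark summary lines of frames 80-83 from the failing capture, finds the hole in the sequence numbers, and checks which of the MSS values mentioned in the thread (1460, 1452, 1400) would explain it. The 1492-byte PPPoE MTU and all function names are assumptions of this example; the result is consistent with two 1460-byte segments being dropped, not proof of it.

```python
import re

IP_TCP_HEADERS = 40  # 20-byte IP + 20-byte TCP header, as in the posted frames
PPPOE_MTU = 1492     # assumption: usual PPPoE MTU (1500 minus 8 bytes PPPoE/PPP)

# Summary lines copied from the failing capture in the thread (frames 80-83).
CAPTURE = """\
80 31.030234 xxx.xx.x.x 192.168.1.10 TCP 49962 > 82 [PSH, ACK] Seq=2247 Ack=620 Win=63621 Len=1072
81 31.186223 192.168.1.10 xxx.xx.x.x TCP 82 > 49962 [ACK] Seq=620 Ack=3319 Win=31696 Len=0
82 31.330373 xxx.xx.x.x 192.168.1.10 TCP [TCP Previous segment lost] 49962 > 82 [PSH, ACK] Seq=6239 Ack=620 Win=63621 Len=24
83 31.333492 192.168.1.10 xxx.xx.x.x TCP [TCP Dup ACK 81#1] 82 > 49962 [ACK] Seq=620 Ack=3319 Win=31696 Len=0 SLE=1365833118 SRE=1365833142
"""

LINE = re.compile(
    r"^(?P<no>\d+)\s+\S+\s+\S+\s+\S+\s+TCP\s+(?:\[TCP [^\]]*\]\s+)?"
    r"(?P<sport>\d+) > (?P<dport>\d+) \[[^\]]*\] "
    r"Seq=(?P<seq>\d+) Ack=(?P<ack>\d+) Win=\d+ Len=(?P<len>\d+)"
)

def find_gaps(summary):
    """Return (frame, expected_seq, seen_seq, missing_bytes) for each hole."""
    next_seq = {}  # per direction: the sequence number we expect next
    gaps = []
    for line in summary.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        flow = (m["sport"], m["dport"])
        seq, length = int(m["seq"]), int(m["len"])
        expected = next_seq.get(flow)
        if expected is not None and seq > expected:
            gaps.append((int(m["no"]), expected, seq, seq - expected))
        next_seq[flow] = max(expected or 0, seq + length)
    return gaps

def full_segments(missing, mss):
    """How many full-size segments exactly fill the hole, or None."""
    return missing // mss if missing and missing % mss == 0 else None

def max_mss(link_mtu):
    """Largest MSS whose packets still fit the link (the 'MTU-40' rule)."""
    return link_mtu - IP_TCP_HEADERS

def fits(mss, link_mtu):
    return mss + IP_TCP_HEADERS <= link_mtu

def diagnose(summary, candidates=(1460, 1452, 1400), link_mtu=PPPOE_MTU):
    """List (frame, missing, mss, segments, fits_link) for matching MSS values."""
    report = []
    for frame, _expected, _seen, missing in find_gaps(summary):
        for mss in candidates:
            n = full_segments(missing, mss)
            if n:
                report.append((frame, missing, mss, n, fits(mss, link_mtu)))
    return report

if __name__ == "__main__":
    for frame, missing, mss, n, ok in diagnose(CAPTURE):
        verdict = "fits" if ok else "exceeds"
        print(f"frame {frame}: {missing} bytes missing = {n} x MSS {mss}; "
              f"{verdict} MTU {PPPOE_MTU}")
    print("largest MSS for this link:", max_mss(PPPOE_MTU))
```

With the assumed 1492-byte link, the largest usable MSS works out to 1452, the value the firmware default rules set, and the 1400 forced in the thread also fits.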