On Friday 24 March 2006 07:55, Jacob S wrote:
>On Thu, 23 Mar 2006 14:35:20 -0600
>anoop aryal <[EMAIL PROTECTED]> wrote:
>> > > On Thursday 23 March 2006 10:58, Jacob S wrote:
>> > > >Howdy list,
>> > > >
>> > > >I recently changed ISPs, away from static ips on a dsl line to
>> > > >a single dynamic ip on Veriz*n's new Fi*S (fiber optic)
>> > > >service. The new service uses PPPoe - not a problem, or so I
>> > > >thought - I have PPPoe on my firewall.
>> > > >
>> > > >Now, I have used PPPoe from this very same firewall on a
>> > > >different dsl line before and it worked great. But for some
>> > > >reason when I do PPPoe for the new fiber line only http traffic
>> > > >works properly. When downloading e-mail, everything is fine
>> > > >until it tries to download the mail (I see it login, get the
>> > > >number of messages to download, and then it tries to start
>> > > >downloading). At this point the e-mail just hangs until it
>> > > >finally times out. It does not seem to be port-related, as I
>> > > >have setup the e-mail server with port-forwarding rules to
>> > > >allow me to download mail on non-standard ports and it
>> > > >exhibits the same problem. And if I do PPPoe on the provided
>> > > >D-Link router, instead of on my firewall, everything
>> > > >(including e-mail) works great.
>> > > >
>> > > ><snip>
>>
>> google PMTU to read about this in more detail, but it seriously
>> sounds like icmp 3/4 packets are being dropped somewhere. if you
>> setup your firewall to allow icmp packets of type 3/4 thru, you
>> should be all set (well, you'd hope so anyway). a set of rules like
>> so should do the trick:
>>
>> -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
>> -A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
>> -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
>>
>> then, make sure you have the iputils-ping package installed (not the
>> netkit-ping) and try:
>>
>> ping your.mail.host -c 1 -M do -s 1472
>>
>> and you should get back an icmp reply saying what the mtu should be.
>> subtract 28 from it and try pinging with that size and it should go
>> thru. eg, if the reply says mtu = 1492, try:
>>
>> ping your.mail.host -c 1 -M do -s 1464
>>
>> and it should go thru just fine. if you get a request timeout, that
>> means that some routers are just dropping your packets without an
>> icmp 3/4 message. keep reducing the size of your packet and see if
>> you can get anything thru. read up on PMTU for possible solutions.
>> there are ways to stop automatic PMTU discovery etc.
>
>Ok, things are getting stranger here.
>
>I ran the iptables rules you suggested and here's the ping results:
>
># ping longbow.arroway.com -c 1 -M do -s 1472
>PING longbow.arroway.com (66.252.129.166) 1472(1500) bytes of data.
>From pool-71-244-52-50.dllstx.fios.verizon.net (71.244.52.50) icmp_seq=1 Frag needed and DF set (mtu = 1492)
>
>--- longbow.arroway.com ping statistics ---
>0 packets transmitted, 0 received, +1 errors
>
># ping longbow.arroway.com -c 1 -M do -s 1464
>PING longbow.arroway.com (66.252.129.166) 1464(1492) bytes of data.
>1472 bytes from longbow.arroway.com (66.252.129.166): icmp_seq=1 ttl=49 time=163 ms
>
>--- longbow.arroway.com ping statistics ---
>1 packets transmitted, 1 received, 0% packet loss, time 0ms
>rtt min/avg/max/mdev = 163.150/163.150/163.150/0.000 ms
>
>So then I added the line
>pty "/usr/sbin/pppoe -I eth0 -T 80 -m 1464"
>to /etc/ppp/peers/dsl-provider, but the problem continued. After
>commenting that line back out (so that no pty... -m declaration had
>been made in the dsl-provider config), I was able to successfully
>download one single e-mail from a server. There was only one e-mail in
>that account and it downloaded like normal. So I sent an e-mail to
>that account, being that it was on a different server from my normal
>tests, but that one would not download successfully. So it would seem
>like it had something to do with the size and speed of the one that
>downloaded properly.
>
>In short, it's still a no go and I have no clue why. The D-Link router
>still works great, but pppoe from the firewall doesn't.

The d-link works... And does this also go thru the same iptables rules as the PPPoE? If so, then playing with iptables is only going to break something. In any event, a run of "/etc/init.d/iptables stop" (as root of course) will open things up and prove or disprove that theory. I wouldn't leave it off for very long though.

If you persist in using PPPoE rather than a good router, then I believe I'd take this problem to the Roaring Penguin folks to see if they've a new version that fixes this, or can use you for a test bed to see about fixing it.

>Any more clues or suggestions, anyone?
>
>TIA,
>Jacob

--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word 'online' between the 'verizon', and the dot which bypasses vz's stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
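
The PMTU check discussed in this thread, as an added example that is not part of any poster's message: it reads the MTU out of a ping "Frag needed" reply, derives the ping payload and TCP MSS that fit it, and lists which chains of a ruleset lack an ACCEPT for ICMP type 3 code 4. The function names and both sample inputs are constructed for illustration; only the 1492 MTU value comes from the thread.

```shell
#!/bin/sh
# Added example; sample inputs below are constructed for illustration.

# Print the MTU from an iputils ping "Frag needed" line read on stdin.
reported_mtu() {
    sed -n 's/.*Frag needed and DF set (mtu = \([0-9][0-9]*\)).*/\1/p' | head -n 1
}

# Largest ping payload (-s) for an MTU: minus 20 (IPv4 header) and 8 (ICMP header).
probe_size() { echo $(( $1 - 28 )); }

# Largest TCP segment for an MTU: minus 20 (IPv4) and 20 (TCP, no options).
tcp_mss() { echo $(( $1 - 40 )); }

# Read iptables-save style rules on stdin; print the chains that lack an
# ACCEPT for ICMP type 3 (any code) or type 3 code 4. iptables-save prints
# the name "fragmentation-needed" as "3/4", so both spellings are matched.
# Rule order, chain policy and a bare "-p icmp -j ACCEPT" are not evaluated.
missing_fragneeded() {
    rules=$(cat)
    missing=""
    types='3|3/4|destination-unreachable|fragmentation-needed'
    for chain in INPUT OUTPUT FORWARD; do
        printf '%s\n' "$rules" |
            grep -Eq -- "^-A $chain .*-p icmp .*--icmp-type ($types) .*-j ACCEPT" ||
            missing="$missing $chain"
    done
    echo "${missing# }"
}

# Constructed inputs: one ping error line and a three-rule ruleset in which
# FORWARD only accepts echo-request (type 8).
SAMPLE_PING='From 192.0.2.1 icmp_seq=1 Frag needed and DF set (mtu = 1492)'
SAMPLE_RULES='-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT'

mtu=$(printf '%s\n' "$SAMPLE_PING" | reported_mtu)
echo "path MTU $mtu: ping -s $(probe_size "$mtu"), TCP MSS $(tcp_mss "$mtu")"
echo "chains without a frag-needed ACCEPT: $(printf '%s\n' "$SAMPLE_RULES" | missing_fragneeded)"
```

On a gateway that forwards for LAN hosts, the FORWARD chain is the one that carries the ICMP 3/4 replies back to the client, so a gap there matters even when INPUT and OUTPUT are open.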