-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/11/14 12:49, the wrote:
> On 01/11/14 03:24, Mick wrote:
>> On Friday 10 Jan 2014 19:42:37 Kerin Millar wrote:
>>> the wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Hello. This is the first time I'm dealing with wifi and the second
>>>> time with NAT. I have a server (access point) with a ppp0 interface
>>>> (internet), eth0, wlan0, tun0 and sit0. A dhcp server is listening
>>>> on wlan0 and provides local ip addresses, dns (= my isp dns) and
>>>> router (= server wlan0 ip address). Nat is configured on the server
>>>> like this:
>>>>
>>>> # Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014
>>>> *raw
>>>> :PREROUTING ACCEPT [1000941:974106726]
>>>> :OUTPUT ACCEPT [775261:165606146]
>>>> COMMIT
>>>> # Completed on Fri Jan 10 21:34:26 2014
>>>> # Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014
>>>> *nat
>>>> :PREROUTING ACCEPT [888:45008]
>>>> :INPUT ACCEPT [63:9590]
>>>> :OUTPUT ACCEPT [442:27137]
>>>> :POSTROUTING ACCEPT [36:1728]
>>>> -A POSTROUTING -o ppp0 -j MASQUERADE
>>>> COMMIT
>>>> # Completed on Fri Jan 10 21:34:26 2014
>>>> # Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014
>>>> *mangle
>>>> :PREROUTING ACCEPT [1000941:974106726]
>>>> :INPUT ACCEPT [951658:947497602]
>>>> :FORWARD ACCEPT [39262:26279024]
>>>> :OUTPUT ACCEPT [775261:165606146]
>>>> :POSTROUTING ACCEPT [814621:191890787]
>>>> COMMIT
>>>> # Completed on Fri Jan 10 21:34:26 2014
>>>> # Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014
>>>> *filter
>>>> :INPUT ACCEPT [371:35432]
>>>> :FORWARD ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [33994:3725352]
>>>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>> -A FORWARD -i wlan0 -o ppp0 -j ACCEPT
>>>> -A FORWARD -i ppp0 -o wlan0 -j ACCEPT
>>>> -A FORWARD -i eth0 -j DROP
>>>> -A FORWARD -i tun0 -j DROP
>>>> COMMIT
>>>> # Completed on Fri Jan 10 21:34:26 2014
>>>>
>>>> I have a client that connects to my wifi, obtains an address via
>>>> dhcp and ... can't access almost all internet sites. I was able to
>>>> ping any web service I could think of, but I was able to use only
>>>> google/youtube. I can do text/image searches on google and can open
>>>> youtube (but videos aren't loading). On other services wget says
>>>> connection established, but it can't retrieve anything. If I ssh to
>>>> an external server (not my nat server) I can ls, but if I try to
>>>> ls -alh I receive only a half of the files list and the terminal
>>>> hangs after that. If I do $python -m http.server on my server I can
>>>> do file transfers and open html pages on my client. I have tried
>>>> this:
>>>> https://wiki.archlinux.org/index.php/Software_Access_Point#WLAN_is_very_slow
>>>>
>>>> Also I have tried to insert a LOG target in FORWARD of filter. It
>>>> showed that I send way more packets (>10) to a http server than I
>>>> receive (~2-4). The client is fine and behaves normally with wifi,
>>>> used it many times. Thanks for your time.
>>>
>>> It's probable that you need to make use of MSS clamping. Try the
>>> following rule:
>>>
>>> iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>>
>>> --Kerin
>
>> This explains it:
>
>> http://lartc.org/howto/lartc.cookbook.mtu-mss.html
>
>> Is there a router somewhere (your ISP?) that does not play nice with
>> PMTU Discovery? What happens if you set your ifaces to have an mtu of
>> 1492 (needed to accommodate your PPPoE headers) or even lower, like
>> 1440, or 1380?
>
> Thank you Kerin, Mick! It works like a charm. Indeed:
>
> ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1492
>
> So do I understand correctly that a field of size 1500 - 1492 is
> reserved for pppoe stuff? Will it also work if I set a smaller mtu in
> my wlan, like 1400 (assuming that the smallest mtu on the path is not
> less than 1400)?

Also, "Besides MTU, there is yet another way to set the maximum packet
size, the so called Maximum Segment Size. This is a field in the TCP
Options part of a SYN packet." Does this mean that even with this
iptables rule I'll have problems with udp packets?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJS0QjTAAoJEK64IL1uI2ha8hMH/Ag7Xvqso/dU3FKLZ03Lkg7v
NcRXFuaFp7zF8UG9e1qkmQebLekys3b2+/9IQc7MuNBoeomuBFlkYrqRj+BmVW7G
5e/LudUfOTkzDLRYPqnFjPjNuwpwvY4Qm+eZ4WE5CsnKAJCE1kVIqZbdUDwinx5/
q6oPnF1upTqvdDnVDwAoo1GFBZDSFQQqTHDtm8Zpe1Im3bydjeqswxVLXuarliQv
Yu9YpjkBBg/SFsvY+gkU3UyhwnFGKlcHRmaYF2bk6+7G+rj9RiRt6Zv0WVIpbGpJ
rS+9B3HZ5uw9UDH2Mn7WFsw/mhwulWKN5iwa9P3NvsjJUfS9miYW6E+BB9FNo4A=
=CfeT
-----END PGP SIGNATURE-----
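The thread above fixes the problem with Kerin's TCPMSS rule but never spells out what that rule does to a packet. The following Python model is an added example, not code from the thread or from the netfilter project: it builds a constructed TCP SYN as the wlan0 client (MTU 1500) would send it, advertising MSS 1460, and applies the same match and rewrite as `--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu` for a ppp0 path MTU of 1492. Port numbers and sequence numbers are arbitrary, the TCP checksum is left at zero, and the model does not insert an MSS option when one is missing, which the kernel target does.

```python
"""Model of `-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu` on a SYN,
and of why a 1500-byte LAN behind a 1492-byte PPPoE link needs it.
Added example; the TCP segments below are constructed, not captured."""
import struct

IPV4_HEADER = 20    # IPv4 header without options
TCP_HEADER = 20     # fixed TCP header, before options
PPPOE_OVERHEAD = 8  # PPPoE session header (6) + PPP protocol field (2): 1500 - 8 = 1492

TCP_SYN, TCP_RST = 0x02, 0x04
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def mss_for_mtu(mtu, ip_header=IPV4_HEADER):
    """Largest TCP payload that still fits one unfragmented packet on a link of this MTU."""
    return mtu - ip_header - TCP_HEADER


def packet_size_for_mss(mss, ip_header=IPV4_HEADER):
    """IP packet size produced by a full-sized segment carrying `mss` bytes of payload."""
    return mss + ip_header + TCP_HEADER


def build_tcp_segment(flags, mss=None, extra_options=b"", sport=40000, dport=80):
    """Build a TCP header (no IP header) with an optional MSS option; ports are arbitrary."""
    options = b""
    if mss is not None:
        options += struct.pack("!BBH", OPT_MSS, 4, mss)
    options += extra_options
    while len(options) % 4:            # options area is padded to a 32-bit boundary
        options += bytes([OPT_EOL])
    data_offset = (TCP_HEADER + len(options)) // 4
    header = struct.pack("!HHIIBBHHH",
                         sport, dport,
                         1, 0,                 # seq, ack (arbitrary)
                         data_offset << 4,     # data offset in 32-bit words, high nibble
                         flags,
                         65535, 0, 0)          # window, checksum (0 in this model), urgent ptr
    return header + options


def tcp_options(segment):
    """Yield (kind, offset_of_value, value_bytes) per option; stop at EOL or a malformed option."""
    end = (segment[12] >> 4) * 4
    i = TCP_HEADER
    while i < end:
        kind = segment[i]
        if kind == OPT_EOL:
            return
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= end:
            return
        length = segment[i + 1]
        if length < 2 or i + length > end:   # never read past the header
            return
        yield kind, i + 2, segment[i + 2:i + length]
        i += length


def advertised_mss(segment):
    """The MSS a segment advertises, or None if it carries no MSS option."""
    for kind, _, value in tcp_options(segment):
        if kind == OPT_MSS and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None


def clamp_mss_to_pmtu(segment, pmtu, ip_header=IPV4_HEADER):
    """Return (segment, old_mss, new_mss).

    Mirrors `--tcp-flags SYN,RST SYN`: only segments with SYN set and RST clear are
    touched (SYN/ACK included). The advertised MSS is only ever lowered, never raised.
    Left out of this model: the kernel target also fixes the TCP checksum and inserts
    an MSS option when none is present.
    """
    flags = segment[13]
    if not (flags & TCP_SYN) or (flags & TCP_RST):
        return segment, None, None
    limit = mss_for_mtu(pmtu, ip_header)
    for kind, offset, value in tcp_options(segment):
        if kind == OPT_MSS and len(value) == 2:
            (old,) = struct.unpack("!H", value)
            if old <= limit:
                return segment, old, old
            out = bytearray(segment)
            struct.pack_into("!H", out, offset, limit)
            return bytes(out), old, limit
    return segment, None, None


if __name__ == "__main__":
    # A wlan0 client with MTU 1500 advertises MSS 1460 (plus NOP and window-scale options).
    # A full segment from the remote side is then a 1500-byte IP packet: 8 bytes too big for ppp0.
    syn = build_tcp_segment(TCP_SYN, mss=mss_for_mtu(1500), extra_options=b"\x01\x03\x03\x07")
    print("before: MSS", advertised_mss(syn), "->", packet_size_for_mss(advertised_mss(syn)), "byte packets")
    clamped, old, new = clamp_mss_to_pmtu(syn, pmtu=1500 - PPPOE_OVERHEAD)
    print("after:  MSS", advertised_mss(clamped), "->", packet_size_for_mss(new), "byte packets")
```

Running it shows the 1460 becoming 1452, so the remote server's full-sized segments arrive as 1492-byte packets that fit ppp0 without fragmentation or a Path MTU Discovery round trip; an ACK, a RST, or a SYN already advertising 1452 or less passes through unchanged, which is exactly the set of packets the `--tcp-flags SYN,RST SYN` match lets the target touch.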