ok, now this is more clear. But is this problem specific to this scenario? I mean, when I use a single machine to connect directly to the internet via Bezeq ADSL, without running any iptables rules at all, using PPPoE, I should have the same problem, shouldn't I? Is there a solution in this case? (Remember, I cannot use this iptables "clamp-mss-to-pmtu" option, as in this scenario I in fact do not use iptables at all.)
Second, ifconfig ppp0 shows that the MTU is 1492.

DS

On Tue, Apr 20, 2010 at 1:56 PM, Shachar Shemesh <shac...@shemesh.biz> wrote:
> Dan Shimshoni wrote:
>
>> shachar,
>> I googled for "MSS Squashing". Got 0 results!
>>
>> What is this "MSS Squashing"? and how is it related to this issue?
>>
>> rgs,
>> DS
>
> The term used in the iptables man page is "clamp-mss-to-pmtu"
>
> The Ethernet maximal transfer unit (MTU) is 1500 bytes (more or less, but in
> practice, this is the default). Since pppoe has some overhead, the effective
> MTU on ppp0 is lower (about 1470 bytes). Packets sent out by your machine B
> broadcast the desired packet length on the return path through a TCP option
> called MSS (maximal segment size).
>
> Theoretically, TCP will figure out on its own that the path MTU (PMTU) is
> lower than the end MTU as advertised by the MSS. This has two disadvantages:
> 1. It has worse performance than advertising the correct number in the MSS
> to begin with
> 2. Some firewalls block the ICMP message used to report this case (code 3
> type 4 - "fragmentation needed but don't fragment set"). As a result, you
> get "black hole" syndrome.
>
> The solution is to have iptables alter the MSS field of the TCP option to
> the value it knows is correct.
>
> Shachar
>
> --
> Shachar Shemesh
> Lingnu Open Source Consulting Ltd.
> http://www.lingnu.com

_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il