Serban Giuroiu wrote:
Hello.
I have an OpenBSD 3.7 box set up as a router and
server for my home network. It connects to the
Internet through the kernel PPPoE driver. Naturally, I
use pf on that box. Everything runs smoothly, but
there are certain websites that do not load properly
from machines behind the NAT router.
When trying to access http://mail.yahoo.com or
http://linuxhardware.org, an initial connection is
made, but no further data comes in as the web browser
sits and waits. However, if I open those pages in lynx
from the OpenBSD box, they load without any problems.
Most other websites load correctly from all machines
on my network.
Had the very same problem.
Searching Google, I found a similar problem posted to
this list a couple years ago in which an MTU setting
and fragmentation were the cause of the strange
behavior
(http://www.monkey.org/openbsd/archive/tech/0211/msg00163.html).
Didn't find this one.
The poster added "scrub out all no-df max-mss 1452" to
his pf configuration and that fixed his problem.
As recommended in the pppoe(4) man page, I set the MSS
for the pppoe interface to 1440. I played around with
different MSS's and scrubbing out the DF bit, but my
problem remains. Does anyone know what is causing this
strange problem and how to fix it?
[snip]
As Shawn says, I installed squid as a transparent proxy trying to solve this,
but some of the sites worked, and some didn't. This is what (I think, too much
trial and error before everything worked fine) solved that problem:
scrub in all fragment reassemble random-id
scrub out on pppoe0 max-mss 1452
Just to help you testing, this is what I did with the sites that didn't open
correctly: From the machine behind the nat that isn't working well, *telnet* to
that site on port 80, and try to get the same page writing (or pasting) the HTTP
GET command, for example: "GET / HTTP/1.0" (without quotes).
Trying that you will find that if you type the wrong thing on telnet, generally,
most sites send you an error page. Funny though, it seems that some error pages
aren't big enough to "fill" a tcp packet and you get the error page fine, while
the actual page you're trying to see is so big (the html text) that the MTU/MSS
screws up.
Hope it helps,
Regards.
Javier.
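The telnet-to-port-80 check Javier describes, done programmatically, as an added example that is not part of the thread: `http_probe` sends the same bare GET and reports whether the reply arrived whole or stalled after partial data, `start_stub_server` is a constructed local stand-in so the script runs offline, and `max_mss` is the IP+TCP header arithmetic behind the 1452 figure. All three names are my own assumptions.

```python
import socket
import threading
import time

def max_mss(mtu):
    """TCP MSS that fits an IPv4 path MTU: 20-byte IP + 20-byte TCP header.
    For PPPoE's 1492-byte MTU this gives the 1452 used in the scrub rule."""
    return mtu - 40

def http_probe(host, port, path="/", timeout=3.0):
    """Send a bare HTTP/1.0 GET, as typed into telnet, and read until the
    server closes or the read stalls. Partial data followed by a timeout is
    what a browser sees when full-size return segments never arrive."""
    received = b""
    stalled = False
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                stalled = True
                break
            if not chunk:  # orderly close: the whole reply came through
                break
            received += chunk
    status = received.split(b"\r\n", 1)[0].decode(errors="replace")
    return {"status": status, "bytes": len(received), "stalled": stalled}

def start_stub_server(body_size, truncate_after=None):
    """Constructed stand-in for a web site on 127.0.0.1 (not a real site).
    With truncate_after set it delivers only that many bytes and then holds
    the connection open, mimicking a path that drops every large segment."""
    body = b"x" * body_size
    resp = b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n" % body_size + body
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        conn.recv(4096)  # consume the client's GET
        conn.sendall(resp if truncate_after is None else resp[:truncate_after])
        if truncate_after is not None:
            time.sleep(5)  # hang instead of closing, as a black-holed path would
        conn.close()
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real site, call `http_probe(host, 80)` from a machine behind the router: a stall with a non-empty byte count points at the MSS/fragment path rather than at the site itself.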