
Opened 3 years ago

Last modified 3 years ago

#18015 new defect

Vlan with fireware port forwarding causing MTU problem

Reported by: eqsun
Owned by: developers
Priority: normal
Milestone: Chaos Calmer 15.05
Component: packages
Version: Trunk
Keywords: MTU VLAN FIREWALL
Cc:

Description

Using PPPoE to connect to the internet with MTU 1492; the local network MTU is 1500. The WAN and LAN ports are on the same switch but separated by VLAN.

When a TCP connection is established from the internet to a local host using port forwarding, the incoming SYN with MSS=1460 (MTU 1500) reaches the router, the router forwards the message to the local IP, then the local IP replies with SYN ACK with MSS=1460 (MTU 1500, which is right), and with MSS fix the SYN ACK goes back to the internet with MSS=1452 (MTU 1492).
Without VLAN, on another router with eth0 (LAN) and eth1 (WAN), when the local IP transmits a large data packet (>1452) through PPPOE_WAN, the router replies with ICMP (DF set), so the local IP changes the PMTU to 1492 and resends the packet; it works fine.
But with VLAN, such as using eth0.1 (LAN) and eth0.2 (WAN), the problem happens. From tcpdump I found there is no ICMP DF message sent from the router to the local IP; instead the router keeps sending the large packet through PPPOE_WAN repeatedly, which causes the hang.

Attachments (2)

mtu_tp_good.pcap (11.5 KB) - added by eqsun 3 years ago.
mtu.pcap (11.1 KB) - added by eqsun 3 years ago.
with VLAN there is no ICMP DF sent to correct the PMTU

Change History (3)

comment:1 Changed 3 years ago by eqsun

I found the solution is to set mssfix not only for packets sent out through pppoe_wan, but also for the TCP SYN and RST packets coming in from pppoe_wan, by adding the command below to Firewall 3:

iptables -t mangle -A mssfix -p tcp -i pppoe-wan -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu

This is because with port forwarding the TCP SYN is sent from the internet to the router; it will not match -o pppoe_wan, but the PMTU should actually be set to the right figure according to the PPPoE MTU capability. That way the TCP link from the router to the local IP can be set to the PMTU accordingly from the beginning.
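The handshake in the description and the fix in comment:1 can be checked with a small model of MSS clamping on a port-forwarding router. This is an added example, not code from the ticket or from OpenWrt's firewall; the interface names (pppoe-wan, eth0.1), the MTUs (1492 and 1500) and the rule shapes are assumptions mirroring the report. It shows why a clamp that only matches `-o pppoe-wan` leaves the LAN host with MSS 1460 on inbound connections, and why adding the `-i pppoe-wan` rule gives it 1452 from the first SYN, so no ICMP fragmentation-needed message is needed later.

```python
# Added example: a model of TCP MSS clamping on a port-forwarding router.
# Not code from the ticket or from OpenWrt; interface names, MTUs and rule
# shapes are assumptions that mirror the report.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

IP_TCP_HEADER = 40  # IPv4 header (20) + TCP header (20) without options


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits in one packet on a link with this MTU."""
    return mtu - IP_TCP_HEADER


@dataclass
class Segment:
    in_if: str       # interface the router received the segment on
    out_if: str      # interface the router forwards it out of
    flags: Set[str]  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    mss: int         # MSS option carried in the SYN / SYN-ACK


@dataclass
class ClampRule:
    """Models one `iptables -t mangle ... -m tcp --tcp-flags SYN,RST SYN
    -j TCPMSS --clamp-mss-to-pmtu` rule, matched on -i and/or -o."""
    in_if: Optional[str] = None
    out_if: Optional[str] = None

    def matches(self, seg: Segment) -> bool:
        if self.in_if is not None and seg.in_if != self.in_if:
            return False
        if self.out_if is not None and seg.out_if != self.out_if:
            return False
        # --tcp-flags SYN,RST SYN: SYN set and RST clear (a SYN/ACK matches too)
        return "SYN" in seg.flags and "RST" not in seg.flags


def clamp_through_router(seg: Segment, rules: List[ClampRule],
                         mtus: Dict[str, int]) -> int:
    """Apply the mangle rules to a SYN crossing the router and return the MSS
    the receiving end will see. The clamp uses the smaller of the ingress and
    egress interface MTUs (assumption of this model, matching how the kernel's
    TCPMSS target also considers the reverse path), which is what makes a rule
    on the incoming PPPoE side useful."""
    mss = seg.mss
    for rule in rules:
        if rule.matches(seg):
            path_mtu = min(mtus[seg.in_if], mtus[seg.out_if])
            mss = min(mss, mss_for_mtu(path_mtu))
    return mss


def negotiate(rules: List[ClampRule], mtus: Dict[str, int],
              internet_mss: int = 1460, lan_mss: int = 1460) -> Tuple[int, int]:
    """Port-forwarded handshake from the ticket: the SYN arrives on pppoe-wan and
    is forwarded to the LAN host; the SYN/ACK comes back the other way.
    Returns (MSS the LAN host sees, MSS the internet peer sees)."""
    syn = Segment("pppoe-wan", "eth0.1", {"SYN"}, internet_mss)
    synack = Segment("eth0.1", "pppoe-wan", {"SYN", "ACK"}, lan_mss)
    return (clamp_through_router(syn, rules, mtus),
            clamp_through_router(synack, rules, mtus))


def lan_segments_fit_wan(rules: List[ClampRule], mtus: Dict[str, int]) -> bool:
    """True if full-size segments from the LAN host fit the PPPoE MTU without
    relying on ICMP fragmentation-needed messages (path MTU discovery)."""
    lan_sees, _ = negotiate(rules, mtus)
    return lan_sees + IP_TCP_HEADER <= mtus["pppoe-wan"]


# Constructed topology from the report: PPPoE WAN at 1492, VLAN LAN at 1500.
MTUS = {"pppoe-wan": 1492, "eth0.1": 1500}
# Only the usual outbound clamp (-o pppoe-wan), as the reporter first had it.
OUTBOUND_ONLY = [ClampRule(out_if="pppoe-wan")]
# Outbound clamp plus the inbound rule from comment:1 (-i pppoe-wan).
OUTBOUND_AND_INBOUND = OUTBOUND_ONLY + [ClampRule(in_if="pppoe-wan")]

if __name__ == "__main__":
    for name, rules in (("outbound only", OUTBOUND_ONLY),
                        ("outbound + inbound", OUTBOUND_AND_INBOUND)):
        lan, inet = negotiate(rules, MTUS)
        print(f"{name}: LAN host sees MSS {lan}, internet peer sees MSS {inet}, "
              f"LAN segments fit WAN: {lan_segments_fit_wan(rules, MTUS)}")
```

With the outbound rule alone the LAN host is told MSS 1460 and sends 1500-byte packets that cannot cross the 1492-byte PPPoE link, so it depends on the router's ICMP feedback that, per the report, never arrives on the VLAN setup. With the inbound rule added, both ends agree on 1452 during the handshake and the data never exceeds the WAN MTU.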
