Can't get to all sites using nat router?

Moloko · 01-20-2005, 05:42 PM

I'm behind a nat router (server with iptables) and 99% of the connectivity works just fine, but I can't get to some sites. Slashdot.org and www.devx.com don't show up in the browser??

I checked the routing, the firewall, the interfaces, resolv.conf, hosts files etc., but I can't find anything wrong. As I said, except for the mentioned sites everything works just fine. I can surf all I want, stream audio, use ssh and the lot.

Where's the catch?

azrael808 · 01-20-2005, 06:13 PM

Can you ping these web addresses? If you can't get a reply, it maybe because they don't respond to pings, but you should still be able to see the IP address resolved from the URL.

I can't think off the top of my head why you can't access certain sites.

Pete

Moloko · 01-20-2005, 06:18 PM

Pings do get rejected with slashdot, but it's ip does show up.

leonscape · 01-20-2005, 06:18 PM

Could be an ECN problem?

ECN website detailing problems

Moloko · 01-20-2005, 06:39 PM

I can visit the 'hall-of-shame' sites just fine, so I guess not.

leonscape · 01-20-2005, 06:54 PM

You sometimes don't have to be visiting the sites, just pass through a router somewhere that doesn't handle ECN properly.

less /proc/sys/net/ipv4/tcp_ecn

Will either be 1 or 0 for on or off. You can turn it off with

echo 0 > /proc/sys/net/ipv4/tcp_ecn

and retry accessing the sites if it was on. Its worth a try anyway.

Moloko · 01-20-2005, 07:02 PM

It's off.

Moloko · 01-20-2005, 07:04 PM

Hmm, it gets more interesting, Konqueror works, Firefox doesn't. I think I'll figure it out. At least it's not my home-cooked router

Moloko · 01-20-2005, 07:09 PM

Relay that, slashdot works in Konqi, devx.com doesn't. I'll be digging for leftovers from the previous configuration as I was connected to the internet directly at first using the workstation and not the server.

Moloko · 01-20-2005, 07:28 PM

Slashdot worked for one page in Konq, now it doesn't anymore. I'm going nuts here...

Moloko · 01-21-2005, 07:07 AM

A quick test with Knoppix gives the same results on the workstation. Running tcpdump on the external interface on the server does show traffic, but nothing shows up in the browser on the workstation.

I can reach slashdot on the server with lynx, so apparantly something goes wrong when translating the source with nat. It's very strange that most sites do work, but some don't. Any clues?

Moloko · 01-21-2005, 03:56 PM

It's in the Maximum Transfer Unit, MTU. The default setting of 1492 or even 1500 doesn't work well with NAT when connected with pppoe. Decreasing to 1452 works.

WolfCub · 01-28-2005, 07:30 PM