Linux - Networking This forum is for any issue related to networks or networking.
Notices
Welcome to
LinuxQuestions.org , a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free.
Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please
contact us . If you need to reset your password,
click here .
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a
virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month.
Click here for more info.
#1
Member
Registered: Jul 2007
Posts: 683
Custom-built router/wifi-AP, can ping, can't load websites.
Hello, friends.
I have a weird problem.
I am building my own home server.
I have an old machine (~2gb of RAM, Celeron 430).
It is connected to my ISP's LAN (parameters obtained via DHCPcd).
To connect to the outer world, my ISP suggests PPPoE. I use RP-PPPOE, which gives me a point-to-point "real" ip.
Then I want this machine to work as a router/AP for my home.
I have a Linksys, Realtek-based wireless card, which uses serialmonkey's rl2800 driver. I use hostapd to set up an AP in b/g/n mode.
I have no encryption turned on.
Then I use dhcpd to serve ip addresses to my wireless network. I also forward my isp's DNS ips to my wireless clients.
On the machine I have super-minimalistic NAT rules:
Code:
bash-4.1# iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.3.0/24 anywhere
bash-4.1#
The weird problem is: most websites don't load! That is, I can access some even fairly heavy websites, like GMail, but most websites will hang on the "waiting" stage in Firefox.
Ping and traceroute/tracert work fine for both ips and names, from both my windows client and my linux server (this machine).
The same windows machine works well with other wireless access points.
Weird. How can I debug this system? Any suggestions?
#2
Senior Member
Registered: Apr 2004
Location: Baton Rouge, Louisiana, USA
Distribution: Debian Stable
Posts: 2,546
I don't know if it makes a difference, but when I use the same command to my functioning router (wired ethernet to wired ethernet), it returns this for Chain POSTROUTING:
Code:
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
The difference is that the source is not restricted to the local addresses. The iptables commands I used are:
Code:
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP
iptables -A FORWARD -i eth0 -s 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Assuming your iptables are set up properly for ipv4, my guess is that maybe there's something wrong with the ipv6 setup (which would use ip6tables rather than iptables). I haven't felt like learning ipv6 yet, so I just drop it all (for now).
But as I understand it, Windows likes to use ipv6 by default if it's available, so maybe it is trying to access various web sites via ipv6 and as a result those are the ones which are failing. Maybe?
#3
Member
Registered: Jul 2007
Posts: 683
Original Poster
Well, I turned Ipv6 off everywhere, both on my Linux router and my windows client. The problem persists.
This is how my tcpdump looks like when I try to access yahoo.com:
Code:
11:58:22.632780 IP Strannik.ultra.net.ru.50157 > ir2.fp.vip.bf1.yahoo.com.https: Flags [F.], seq 3260670969, ack 2021147468, win 64, length 0
11:58:22.658691 IP Strannik.ultra.net.ru.59270 > ir2.fp.vip.bf1.yahoo.com.https: Flags [S], seq 170027957, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:58:22.814363 IP ir2.fp.vip.bf1.yahoo.com.https > Strannik.ultra.net.ru.59270: Flags [S.], seq 3077166206, ack 170027958, win 8192, options [mss 1460,nop,nop,sackOK,nop,wscale 8], length 0
11:58:22.899171 IP Strannik.ultra.net.ru.59271 > ir2.fp.vip.bf1.yahoo.com.https: Flags [S], seq 4068100406, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:58:22.900642 IP Strannik.ultra.net.ru.59270 > ir2.fp.vip.bf1.yahoo.com.https: Flags [.], ack 1, win 64, length 0
11:58:22.901334 IP Strannik.ultra.net.ru.59270 > ir2.fp.vip.bf1.yahoo.com.https: Flags [P.], seq 1:192, ack 1, win 64, length 191
11:58:23.056334 IP ir2.fp.vip.bf1.yahoo.com.https > Strannik.ultra.net.ru.59271: Flags [S.], seq 3270283911, ack 4068100407, win 8192, options [mss 1460,nop,nop,sackOK,nop,wscale 8], length 0
11:58:23.057129 IP ir2.fp.vip.bf1.yahoo.com.https > Strannik.ultra.net.ru.59270: Flags [.], ack 192, win 62, length 0
11:58:23.058215 IP ir2.fp.vip.bf1.yahoo.com.https > Strannik.ultra.net.ru.59270: Flags [P.], seq 2921:4097, ack 192, win 62, length 1176
11:58:23.116298 IP Strannik.ultra.net.ru.59270 > ir2.fp.vip.bf1.yahoo.com.https: Flags [.], ack 1, win 64, options [nop,nop,sack 1 {2921:4097}], length 0
11:58:23.116345 IP Strannik.ultra.net.ru.59271 > ir2.fp.vip.bf1.yahoo.com.https: Flags [.], ack 1, win 64, length 0
11:58:23.116515 IP Strannik.ultra.net.ru.59271 > ir2.fp.vip.bf1.yahoo.com.https: Flags [P.], seq 1:192, ack 1, win 64, length 191
11:58:23.258160 IP Strannik.ultra.net.ru.50157 > ir2.fp.vip.bf1.yahoo.com.https: Flags [F.], seq 0, ack 1, win 64, length 0
11:58:23.274030 IP ir2.fp.vip.bf1.yahoo.com.https > Strannik.ultra.net.ru.59271: Flags [.], ack 192, win 62, length 0
11:58:23.275024 IP ir2.fp.vip.bf1.yahoo.com.https > Strannik.ultra.net.ru.59271: Flags [P.], seq 2921:4097, ack 192, win 62, length 1176
11:58:23.282754 IP Strannik.ultra.net.ru.59271 > ir2.fp.vip.bf1.yahoo.com.https: Flags [.], ack 1, win 64, options [nop,nop,sack 1 {2921:4097}], length 0
11:58:23.440967 IP ir2.fp.vip.bf1.yahoo.com.https > Strannik.ultra.net.ru.59271: Flags [P.], seq 5557:7001, ack 192, win 62, length 1444
11:58:23.729805 IP Strannik.ultra.net.ru.59271 > ir2.fp.vip.bf1.yahoo.com.https: Flags [.], ack 1, win 64, options [nop,nop,sack 2 {5557:7001}{2921:4097}], length 0
11:58:24.417279 IP Strannik.ultra.net.ru.50157 > ir2.fp.vip.bf1.yahoo.com.https: Flags [F.], seq 0, ack 1, win 64, length 0
11:58:26.727884 IP Strannik.ultra.net.ru.50157 > ir2.fp.vip.bf1.yahoo.com.https: Flags [F.], seq 0, ack 1, win 64, length 0
11:58:31.355461 IP Strannik.ultra.net.ru.50157 > ir2.fp.vip.bf1.yahoo.com.https: Flags [F.], seq 0, ack 1, win 64, length 0
11:58:33.120558 IP Strannik.ultra.net.ru.59270 > ir2.fp.vip.bf1.yahoo.com.https: Flags [.], seq 191:192, ack 1, win 64, length 1
11:58:33.276382 IP ir2.fp.vip.bf1.yahoo.com.https > Strannik.ultra.net.ru.59270: Flags [.], ack 192, win 62, options [nop,nop,sack 1 {191:192}], length 0
11:58:33.733430 IP Strannik.ultra.net.ru.59271 > ir2.fp.vip.bf1.yahoo.com.https: Flags [.], seq 191:192, ack 1, win 64, length 1
11:58:33.892200 IP ir2.fp.vip.bf1.yahoo.com.https > Strannik.ultra.net.ru.59271: Flags [.], ack 192, win 62, options [nop,nop,sack 1 {191:192}], length 0
on the external interface (ppp0)
Code:
11:58:22.632780 IP Strannik.ultra.net.ru.50157 > ir2.fp.vip.bf1.yahoo.com.https: Flags [F.], seq 3260670969, ack 2021147468, win 64, length 0
11:58:22.658691 IP Strannik.ultra.net.ru.59270 > ir2.fp.vip.bf1.yahoo.com.https: Flags [S], seq 170027957, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:58:22.814363 IP ir2.fp.vip.bf1.yahoo.com.https > Strannik.ultra.net.ru.59270: Flags [S.], seq 3077166206, ack 170027958, win 8192, options [mss 1460,nop,nop,sackOK,nop,wscale 8], length 0
11:58:22.899171 IP Strannik.ultra.net.ru.59271 > ir2.fp.vip.bf1.yahoo.com.https: Flags [S], seq 4068100406, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:58:22.900642 IP Strannik.ultra.net.ru.59270 > ir2.fp.vip.bf1.yahoo.com.https: Flags [.], ack 1, win 64, length 0
11:58:22.901334 IP Strannik.ultra.net.ru.59270 > ir2.fp.vip.bf1.yahoo.com.https: Flags [P.], seq 1:192, ack 1, win 64, length 191
11:58:23.056334 IP ir2.fp.vip.bf1.yahoo.com.https > Strannik.ultra.net.ru.59271: Flags [S.], seq 3270283911, ack 4068100407, win 8192, options [mss 1460,nop,nop,sackOK,nop,wscale 8], length 0
11:58:23.057129 IP ir2.fp.vip.bf1.yahoo.com.https > Strannik.ultra.net.ru.59270: Flags [.], ack 192, win 62, length 0
11:58:23.058215 IP ir2.fp.vip.bf1.yahoo.com.https > Strannik.ultra.net.ru.59270: Flags [P.], seq 2921:4097, ack 192, win 62, length 1176
11:58:23.116298 IP Strannik.ultra.net.ru.59270 > ir2.fp.vip.bf1.yahoo.com.https: Flags [.], ack 1, win 64, options [nop,nop,sack 1 {2921:4097}], length 0
11:58:23.116345 IP Strannik.ultra.net.ru.59271 > ir2.fp.vip.bf1.yahoo.com.https: Flags [.], ack 1, win 64, length 0
11:58:23.116515 IP Strannik.ultra.net.ru.59271 > ir2.fp.vip.bf1.yahoo.com.https: Flags [P.], seq 1:192, ack 1, win 64, length 191
11:58:23.258160 IP Strannik.ultra.net.ru.50157 > ir2.fp.vip.bf1.yahoo.com.https: Flags [F.], seq 0, ack 1, win 64, length 0
11:58:23.274030 IP ir2.fp.vip.bf1.yahoo.com.https > Strannik.ultra.net.ru.59271: Flags [.], ack 192, win 62, length 0
11:58:23.275024 IP ir2.fp.vip.bf1.yahoo.com.https > Strannik.ultra.net.ru.59271: Flags [P.], seq 2921:4097, ack 192, win 62, length 1176
11:58:23.282754 IP Strannik.ultra.net.ru.59271 > ir2.fp.vip.bf1.yahoo.com.https: Flags [.], ack 1, win 64, options [nop,nop,sack 1 {2921:4097}], length 0
11:58:23.440967 IP ir2.fp.vip.bf1.yahoo.com.https > Strannik.ultra.net.ru.59271: Flags [P.], seq 5557:7001, ack 192, win 62, length 1444
11:58:23.729805 IP Strannik.ultra.net.ru.59271 > ir2.fp.vip.bf1.yahoo.com.https: Flags [.], ack 1, win 64, options [nop,nop,sack 2 {5557:7001}{2921:4097}], length 0
11:58:24.417279 IP Strannik.ultra.net.ru.50157 > ir2.fp.vip.bf1.yahoo.com.https: Flags [F.], seq 0, ack 1, win 64, length 0
11:58:26.727884 IP Strannik.ultra.net.ru.50157 > ir2.fp.vip.bf1.yahoo.com.https: Flags [F.], seq 0, ack 1, win 64, length 0
11:58:31.355461 IP Strannik.ultra.net.ru.50157 > ir2.fp.vip.bf1.yahoo.com.https: Flags [F.], seq 0, ack 1, win 64, length 0
11:58:33.120558 IP Strannik.ultra.net.ru.59270 > ir2.fp.vip.bf1.yahoo.com.https: Flags [.], seq 191:192, ack 1, win 64, length 1
11:58:33.276382 IP ir2.fp.vip.bf1.yahoo.com.https > Strannik.ultra.net.ru.59270: Flags [.], ack 192, win 62, options [nop,nop,sack 1 {191:192}], length 0
11:58:33.733430 IP Strannik.ultra.net.ru.59271 > ir2.fp.vip.bf1.yahoo.com.https: Flags [.], seq 191:192, ack 1, win 64, length 1
11:58:33.892200 IP ir2.fp.vip.bf1.yahoo.com.https > Strannik.ultra.net.ru.59271: Flags [.], ack 192, win 62, options [nop,nop,sack 1 {191:192}], length 0
Where do these 'sack' guys come from?
#4
Member
Registered: Jul 2007
Posts: 683
Original Poster
So I did found the issue.
It's quite a famous issue called "PMTU Discovery Black Hole". (Googlable)
TLDR; solution is:
Code:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
All times are GMT -5. The time now is 05:26 PM .
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know .
