[Voyage-linux] not all html pages are routed

Darshaka Pathirana (spam-protected)
Sat Oct 10 01:07:52 HKT 2009


On 10/08/2009 09:09 PM, Torsten Senf wrote:
> Hi,
> 
> I used Voyage Linux 0.5.2 for a while. I used the
> distribution on an alix 2d3 board. The hardware with the software works
> as a router. Behind the router is one client with debian (lenny) os. On
> the router I have only two eth[01] interfaces working. eth0 connects to the
> client, eth1 connects to the internet. I have my own firewall rules with
> iptables. Everything worked fine.
> 
> Now I installed the 0.6.2 version of voyage on another CF-Card. I use the old
> /etc/network/interfaces file, the old ppp-peer file and also my old
> firewall script from 0.5.2 for the 0.6.2 distribution. It seems that
> everything works, but not all html sites were routed to the client.
> I mean I can't browse every page from the client with firefox.
> Most pages are working but not all, e.g. www.mdr.de does not
> work. I installed w3m on the router and from the router I get all html
> pages. When I boot windows on the client host, the same effect
> appears, not all pages can be browsed from the client. All other network
> protocols are working correctly.
> 
> Any ideas how I can solve the problem?

Although I use shorewall[1] to accomplish this task, the base - iptables
- is the same.

[1] http://shorewall.net/

I encountered the same problems and also tried to fix it by adjusting
the MTU and MRU. Finally I found the CLAMPMSS-Option in
shorewall. Let me quote the shorewall.conf file:

# MSS CLAMPING
#
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
# option. This option is most commonly required when your internet
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
# have CONFIG_IP_NF_TARGET_TCPMSS set.
#
# [From the kernel help:
#
#    This option adds a `TCPMSS' target, which allows you to alter the
#    MSS value of TCP SYN packets, to control the maximum size for that
#    connection (usually limiting it to your outgoing interface's MTU
#    minus 40).
#
#    This is used to overcome criminally braindead ISPs or servers which
#    block ICMP Fragmentation Needed packets.  The symptoms of this
#    problem are that everything works fine from your Linux
#    firewall/router, but machines behind it can never exchange large
#    packets:
#        1) Web browsers connect, then hang with no data received.
#        2) Small mail works fine, but large emails hang.
#        3) ssh works fine, but scp hangs after initial handshaking.
# ]

Unfortunately I have no idea where to enable "MSS to PMTU clamping" outside
of shorewall but it may be the right hint.

I would also check both kernels if CONFIG_IP_NF_TARGET_TCPMSS is set.

Greetings && HTH,
 - Darsha
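
Added example, not part of the original post: a shell sketch of the two checks discussed above, the kernel option lookup and the plain iptables equivalent of shorewall's CLAMPMSS. The function names, the interface name ppp0 and the sample config lines are assumptions constructed for illustration; the script only prints the rule and never changes the firewall.

```shell
#!/bin/sh
# Added example: check a kernel config for the TCPMSS target and print
# the MSS clamping rule for review. Nothing here touches netfilter.

# Return 0 if the kernel config file in $1 enables the TCPMSS target.
# CONFIG_IP_NF_TARGET_TCPMSS is the name quoted from shorewall.conf;
# CONFIG_NETFILTER_XT_TARGET_TCPMSS is the xtables name in newer kernels.
tcpmss_enabled() {
    grep -Eq '^CONFIG_(IP_NF|NETFILTER_XT)_TARGET_TCPMSS=[ym]$' "$1"
}

# MSS for a given MTU: MTU minus 40 (20-byte IPv4 header + 20-byte TCP
# header), the "MTU minus 40" from the kernel help text.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Print the rule that clamps the MSS of forwarded TCP SYNs leaving via
# the interface in $1 (assumed here to be the PPP uplink).
clamp_rule() {
    printf '%s\n' "iptables -t mangle -A FORWARD -o $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

# Demo on a constructed config fragment (not taken from either Voyage kernel).
demo() {
    cfg=$(mktemp)
    printf '%s\n' \
        '# CONFIG_IP_NF_TARGET_TCPMSS is not set' \
        'CONFIG_NETFILTER_XT_TARGET_TCPMSS=m' > "$cfg"
    if tcpmss_enabled "$cfg"; then
        echo "TCPMSS target available; PPPoE MTU 1492 gives MSS $(mss_for_mtu 1492)"
        clamp_rule ppp0
    else
        echo "TCPMSS target missing from this kernel config"
    fi
    rm -f "$cfg"
}
demo
```

On a real router, point tcpmss_enabled at /boot/config-$(uname -r) or at an unpacked copy of /proc/config.gz, where the kernel provides one.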
