There are two possible reasons for this. The first one is VERY common and the
second is very UNCOMMON.
As of the 2.0.38 and 2.2.9+ Linux kernels, there is a debatable BUG in the
Masquerade code.
Some users point their finger at the fact that IPMASQ may have problems with
packets that have the DF or "Don't Fragment" bit set. Hosts that do Path MTU
Discovery (RFC 1191) send their TCP packets with DF set. When a MASQ box's
Internet link has an MTU of anything less than 1500, full-size packets from
the MASQed hosts will not fit on that link, so the hop that cannot forward
them has to send back an ICMP Type 3, Code 4 ("Destination Unreachable,
Fragmentation Needed") message carrying the smaller MTU. Though changing the
MTU to 1500 on the Linux box will seemingly fix the problem, the possible bug
is still there. What is believed to be happening is that the MASQ code is not
properly re-writing these returning ICMP Type 3, Code 4 packets (including the
copy of the original IP header that they quote) back to the originating MASQed
computer. Because of this, the packets get dropped and the MASQed host never
learns that it has to send smaller packets.
Other users point their finger at the administrators of the remote sites
(typically SSL-connected sites, etc.) and say that because they are filtering
ALL FORMS of ICMP (including Type 3, Code 4 - Fragmentation Needed) out of
security paranoia, they are breaking a fundamental aspect of the TCP/IP
protocol: a firewall that drops Fragmentation Needed messages turns every
smaller-MTU path behind it into a Path MTU Discovery "black hole", where bulk
transfers stall while small-packet sessions (a TELNET login, for example)
still work.
Both arguments have valid points and users from each camp continue to debate
this to this day. If you are a network programmer and you think you can
either fix or settle this, PLEASE TRY! For more details, check out the
following
MTU Thread from the Linux-Kernel list.
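As an added example that is not part of the HOWTO (and not the kernel's
masquerade code), the following Python shows what the MASQ box has to do with
a returning ICMP Type 3, Code 4 message. The message is addressed to the MASQ
box's public address and quotes the already-masqueraded header of the packet
that did not fit, so both the outer destination and the quoted source address
and port have to be translated back to the MASQed host, and both the IP and
the ICMP checksums recomputed. If any of that is skipped, or the remote site's
firewall never lets the message out, the MASQed host keeps sending 1500-byte
DF packets and the connection stalls. The addresses, the public port 61000 and
the masquerade table below are constructed for the demonstration.

```python
"""
Added example, not code from the IP Masquerade HOWTO or the kernel: translating
an ICMP Type 3, Code 4 (Fragmentation Needed) message back to the MASQed host
so that Path MTU Discovery keeps working behind a masquerading gateway.
Addresses, ports and the masquerade table are constructed (assumed) inputs.
"""
import socket
import struct

PUBLIC_IP = "198.51.100.1"                    # assumed: MASQ box's Internet address
MASQ_TABLE = {61000: ("192.168.1.10", 1025)}  # assumed: public port -> (MASQed host, port)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; verifying a checksummed block yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_hdr(src: str, dst: str, proto: int, payload_len: int, df: bool = False) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1,
                      0x4000 if df else 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def rewrite_ip_hdr(hdr: bytes, src: str = None, dst: str = None) -> bytes:
    """Replace addresses in a 20-byte IPv4 header and refresh its checksum."""
    s = socket.inet_aton(src) if src else hdr[12:16]
    d = socket.inet_aton(dst) if dst else hdr[16:20]
    h = hdr[:10] + b"\x00\x00" + s + d
    return h[:10] + struct.pack("!H", checksum(h)) + h[12:]


def build_frag_needed(router: str, victim: str, next_hop_mtu: int, quoted: bytes) -> bytes:
    """ICMP Type 3 Code 4 as a router sends it: unused(2), next-hop MTU(2), then
    the offending datagram's IP header plus its first 8 bytes (RFC 1191)."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ip_hdr(router, victim, 1, len(body)) + body


def parse_frag_needed(pkt: bytes):
    """Return (outer dst, quoted src, quoted src port, next-hop MTU) for an ICMP
    Type 3 Code 4 datagram, or None for anything else."""
    if pkt[0] != 0x45 or pkt[9] != 1:        # IPv4 without options, protocol ICMP
        return None
    icmp = pkt[20:]
    if icmp[0] != 3 or icmp[1] != 4:
        return None
    mtu = struct.unpack("!H", icmp[6:8])[0]
    inner = icmp[8:]                          # the quoted original datagram
    return (socket.inet_ntoa(pkt[16:20]), socket.inet_ntoa(inner[12:16]),
            struct.unpack("!H", inner[20:22])[0], mtu)


def unmasq_icmp(pkt: bytes, masq_table: dict, public_ip: str):
    """Translate a Fragmentation Needed message addressed to the MASQ box back
    to the MASQed host it belongs to. Returns the rewritten datagram, or None
    when there is no matching masquerade entry (the message has nowhere to go)."""
    info = parse_frag_needed(pkt)
    if info is None:
        return None
    outer_dst, inner_src, inner_sport, _ = info
    if outer_dst != public_ip or inner_src != public_ip:
        return None
    entry = masq_table.get(inner_sport)
    if entry is None:
        return None
    private_ip, private_port = entry
    icmp = pkt[20:]
    inner = icmp[8:]
    # 1. The quoted header must show the MASQed host's own address and port or
    #    its TCP stack cannot match the message to a connection. Only 8 bytes of
    #    TCP are quoted (ports + sequence number), so no TCP checksum is involved.
    new_inner = (rewrite_ip_hdr(inner[:20], src=private_ip)
                 + struct.pack("!H", private_port) + inner[22:])
    # 2. The ICMP checksum covers the quoted bytes, so it must be recomputed.
    new_icmp = icmp[:2] + b"\x00\x00" + icmp[4:8] + new_inner
    new_icmp = new_icmp[:2] + struct.pack("!H", checksum(new_icmp)) + new_icmp[4:]
    # 3. The outer header is re-addressed to the MASQed host.
    return rewrite_ip_hdr(pkt[:20], dst=private_ip) + new_icmp


def demo():
    """Constructed scenario: a 1500-byte DF segment from 192.168.1.10:1025,
    masqueraded as 198.51.100.1:61000, hits a 576-byte hop at 203.0.113.1."""
    tcp_start = struct.pack("!HHI", 61000, 443, 0x12345678)   # sport, dport, seq
    offending = ip_hdr(PUBLIC_IP, "203.0.113.5", 6, 1480, df=True) + tcp_start
    icmp_in = build_frag_needed("203.0.113.1", PUBLIC_IP, 576, offending[:28])
    icmp_out = unmasq_icmp(icmp_in, MASQ_TABLE, PUBLIC_IP)
    return parse_frag_needed(icmp_in), parse_frag_needed(icmp_out), icmp_out
```

Call demo() to see the message as the MASQ box receives it and as the MASQed
host must receive it. The check a practitioner would apply to a captured packet
is the same one the example relies on: after translation, the outer header and
the ICMP body must each still verify to a checksum of zero, and the quoted
source must be the MASQed host's own address and port.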
No worries though. A perfectly good way to bypass this is to change your
Internet link's MTU to 1500. Now some users will balk at this because it can
hurt some latency-sensitive programs like TELNET and games, but the impact is
only slight. On the other hand, most HTTP and FTP traffic will SPEED UP!
[ -- If you have a PPPoE connection for your DSL/Cablemodem or choose not to
change the MTU to 1500, see below for a different solution. -- ]
To fix this, first see what the current MTU of your Internet link is. To do
so, run "/bin/ifconfig". Now look at the line that corresponds to your
Internet connection and look for the MTU. This needs to be set to 1500.
Usually, Ethernet links will default to 1500 but serial PPP links will default
to 576.
To fix the MTU issue on your PPP link, edit your /etc/ppp/options file and
towards the top, add the following text on two separate lines: "mtu 1500"
and "mru 1500". Save these new changes and then restart PPP. Like above,
again verify that your PPP link has the correct MTU and MRU.
To fix the MTU issue on a standard Ethernet link to your bridged or routed DSL,
Cablemodem, etc. connection, you need to edit the correct network startup
scripts for your Linux distribution. Please see the
TrinityOS - Section 16
document for network optimizations.
Lastly, though this isn't a common problem, some PPP users have found that the
following fixes it. Verify what port your PPPd is connecting to. Is it a
/dev/cua* port or a /dev/ttyS* port? It NEEDS to be a /dev/ttyS* port. The
cua style is OLD and it breaks some things in very odd ways.
For those users who use PPPoE (whose encapsulation overhead caps the MTU at
1492; the examples in this HOWTO use 1490) or for those users who choose NOT
to use an MTU of 1500, not all is lost. If you reconfigure ALL of your MASQed
PCs to use the SAME MTU as your external Internet link's MTU, none of them can
ever send a packet too big for that link, so no "Fragmentation Needed" message
ever has to find its way back to them and everything should work fine. It
should be noted that some PPPoE ISPs might require an MTU of 1460 for proper
connectivity.
How would you do this? Follow these simple steps for your respective operating
system.
The following examples use an MTU of 1490, a typical PPPoE value for some DSL
and Cablemodem users. It is recommended to use the HIGHEST values possible for
all connections that are 128Kb/s and faster.
The only real reason to use smaller MTUs is to lower latency, at the cost of
throughput. Please see:
------------------------------------------
1. Where the MTU is set varies from Linux distribution to distribution.
For Redhat: You need to edit the various "ifconfig" statements in
the /sbin/ifup script
For Slackware: You need to edit the various "ifconfig" statements in
the /etc/rc.d/rc.inet1 script
2. Here is one good, any-distribution-will-work example, edit the
/etc/rc.d/rc.local file and put the following at the END of the file:
echo "Changing the MTU of ETH0"
/sbin/ifconfig eth0 mtu 1490
Replace "eth0" with the interface name that is the machine's upstream
connection which is connected to the Internet.
3. For advanced options like "TCP Receive Windows" and such, detailed examples
on how to edit the respective networking scripts for your specific Linux
distro, etc., please see Chapter 16 of
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos
------------------------------------------
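The per-PC MTU change above and the Linux "ifconfig ... mtu" step both work by
making sure no MASQed host ever emits a TCP segment larger than the Internet
link can carry. The same effect can be produced on the MASQ box alone, without
touching any client, by lowering the MSS option in every SYN it forwards: a
host that is told "MSS 1450" during the handshake never sends more than 1450
bytes of TCP payload, whatever its own MTU is. Later kernels (2.4 and up)
offer exactly this as the iptables TCPMSS target (--clamp-mss-to-pmtu or
--set-mss). The Python below is an added example, not the HOWTO's or the
kernel's code, that performs the rewrite on a constructed SYN and keeps the TCP
checksum valid; the client and server addresses and the 1490-byte link MTU are
constructed inputs.

```python
"""
Added example, not code from the IP Masquerade HOWTO or any kernel: the
gateway-side equivalent of lowering every MASQed PC's MTU. The MASQ box lowers
the MSS option of each forwarded SYN so that no segment can exceed its Internet
link's MTU. Addresses, ports and the link MTU are constructed (assumed) inputs.
"""
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; verifying a checksummed block yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum including the IPv4 pseudo-header (src, dst, 0, proto 6, length)."""
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, 6, len(segment)))
    return checksum(pseudo + segment)


def mss_for_mtu(mtu: int) -> int:
    """Largest MSS that fits an IPv4/TCP datagram of `mtu` bytes with no options:
    1500 -> 1460, 1492 -> 1452, 1490 -> 1450 (the HOWTO's MaxMSS value)."""
    return mtu - 20 - 20


def iter_options(opts: bytes):
    """Yield (offset, kind, length) for each TCP option; stop at EOL or damage."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                         # End of Option List
            return
        if kind == 1:                         # NOP, a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return                            # malformed option: stop walking
        yield i, kind, opts[i + 1]
        i += opts[i + 1]


def get_mss(segment: bytes):
    """Return the MSS option value of a TCP segment, or None if absent."""
    doff = (segment[12] >> 4) * 4
    opts = segment[20:doff]
    for i, kind, length in iter_options(opts):
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
    return None


def clamp_syn_mss(src: str, dst: str, segment: bytes, link_mtu: int):
    """Lower the MSS option of a SYN to what `link_mtu` can carry and fix the TCP
    checksum. Returns (segment, original MSS); non-SYN segments are left alone."""
    if not segment[13] & 0x02:                # not a SYN: nothing to clamp
        return segment, None
    limit = mss_for_mtu(link_mtu)
    doff = (segment[12] >> 4) * 4
    opts = bytearray(segment[20:doff])
    original = None
    for i, kind, length in iter_options(bytes(opts)):
        if kind == 2 and length == 4:
            original = struct.unpack("!H", opts[i + 2:i + 4])[0]
            if original > limit:              # only ever lower it, never raise it
                opts[i + 2:i + 4] = struct.pack("!H", limit)
    seg = bytearray(segment[:20] + bytes(opts) + segment[doff:])
    seg[16:18] = b"\x00\x00"
    seg[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg), original


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """A constructed SYN carrying MSS, NOP, NOP, SACK-permitted options."""
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"
    doff = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4,
                      0x02, 8192, 0, 0) + opts
    return hdr[:16] + struct.pack("!H", tcp_checksum(src, dst, hdr)) + hdr[18:]


def demo(link_mtu: int = 1490):
    """A 1500-MTU Ethernet client (MSS 1460) behind a MASQ box whose Internet
    link has `link_mtu`; returns (MSS before, MSS after, rewritten segment)."""
    src, dst = "192.168.1.10", "203.0.113.5"
    syn = build_syn(src, dst, 1025, 443, 1460)
    clamped, before = clamp_syn_mss(src, dst, syn, link_mtu)
    assert tcp_checksum(src, dst, clamped) == 0   # checksum must still verify
    return before, get_mss(clamped), clamped
```

demo(1490) shows the HOWTO's PPPoE case (1460 lowered to 1450, the same
MaxMSS the Windows steps below set by hand); demo(1500) leaves the SYN alone,
since the clamp only ever lowers an MSS. Note that this only helps TCP: UDP
and other DF traffic still depends on the ICMP Fragmentation Needed path
discussed above.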
------------------------------------------
1. Making ANY changes to the Registry is inherently risky but
with a backup copy, you should be safe. Proceed at your OWN RISK.
2. Go to Start-->Run-->RegEdit
3. You should make a backup copy of your Registry before continuing. To
do this, copy the "user.dat" and "system.dat" files from the \WINDOWS
directory and put them into a safe place. It should be noted that the
previously mentioned method of using "Regedit: Registry-->Export Registry
File-->Save a copy of your registry" would only do Registry MERGES and NOT
do a replacement.
4. Search through each of the numbered Registry keys (000n, e.g. 0007) for
the one that has a Registry entry called "IPAddress" holding the IP address
of your NIC. Under that key, add the following:
From http://support.microsoft.com/support/kb/articles/q158/4/74.asp
[Hkey_Local_Machine\System\CurrentControlset\Services\Class\NetTrans\000n]
type=DWORD
name="MaxMTU" (Do NOT include the quotes)
value=1490 (Decimal) (Do NOT include the text "(Decimal)")
type=DWORD
name="MaxMSS" (Do NOT include the quotes)
value=1450 (Decimal) (Do NOT include the text "(Decimal)")
5. You can also change the "TCP Receive Window" which sometimes
increases network performance SUBSTANTIALLY. If you notice your
throughput has DECREASED, put these items BACK to their original
settings and reboot.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP]
type=DWORD
name="DefaultRcvWindow" (Do NOT include the quotes)
value=32768 (Decimal) (Do NOT include the text "(Decimal)")
type=DWORD
name="DefaultTTL" (Do NOT include the quotes)
value=128 (Decimal) (Do NOT include the text "(Decimal)")
6. Reboot to let the changes take effect.
------------------------------------------
------------------------------------------
1. Making ANY changes to the Registry is inherently risky but
with a backup copy, you should be safe. Proceed at your OWN RISK.
2. Go to Start-->Run-->RegEdit
3. You should make a backup copy of your Registry before doing anything. To
do this, copy the "user.dat" and "system.dat" files from the \WINDOWS
directory and put them into a safe place. It should be noted that the
previously mentioned method of using "Regedit: Registry-->Export Registry
File-->Save a copy of your registry" would only perform Registry MERGES
and NOT do a replacement.
4. Search through each of the numbered Registry keys (000n, e.g. 0007) for
the one that has a Registry entry called "IPAddress" holding the IP address
of your NIC. Under that key, add the following:
From http://support.microsoft.com/support/kb/articles/q158/4/74.asp
[Hkey_Local_Machine\System\CurrentControlset\Services\Class\NetTrans\000n]
type=STRING
name="MaxMTU" (Do NOT include the quotes)
value=1490 (Decimal) (Do NOT include the text "(Decimal)")
5. You can also change the "TCP Receive Window" which sometimes
increases network performance SUBSTANTIALLY. If you notice your
throughput has DECREASED, put these items BACK to their original
settings and reboot.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP]
type=STRING
name="DefaultRcvWindow" (Do NOT include the quotes)
value=32768 (Decimal) (Do NOT include the text "(Decimal)")
type=STRING
name="DefaultTTL" (Do NOT include the quotes)
value=128 (Decimal) (Do NOT include the text "(Decimal)")
6. Reboot to let the changes take effect.
------------------------------------------
------------------------------------------
1. Making ANY changes to the Registry is inherently risky but
with a backup copy, you should be safe. Proceed at your
OWN RISK.
2. Go to Start-->Run-->RegEdit
3. Registry-->Export Registry File-->Save a copy of your registry
to a reliable place
4. Create the following entry under one of the two possible Registry keys
below. Multiple entries are for various network devices like DialUp
Networking (PPP), Ethernet NICs, PPTP VPNs, etc.
http://support.microsoft.com/support/kb/articles/Q102/9/73.asp?LN=EN-US&SD=gn&FR=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Parameters\Tcpip]
and
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<Adapter-name>\Parameters\Tcpip]
Replace "<Adapter-Name>" with the respective name of your uplink LAN NIC
interface
type=DWORD
name="MTU" (Do NOT include the quotes)
value=1490 (Decimal) (Do NOT include the text "(Decimal)")
*** If you know how to also change the MSS, TCP Window Size, and the
*** TTL parameters in NT 4.x, please email dranch@trinnet.net as I
*** would love to add it to the HOWTO.
5. Reboot to make the changes take effect.
------------------------------------------
------------------------------------------
1. Making ANY changes to the Registry is inherently risky but
with a backup copy, you should be safe. Proceed at your
OWN RISK.
2. Go to Start-->Run-->RegEdit
3. Registry-->Export Registry File-->Save a copy of your registry
to a reliable place
4. Navigate down to the key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<ID for Adapter>]
Each adapter ID has default entries for DNS, TCP/IP address, Default Gateway,
subnet mask, etc. Find the one that is for your network card.
5. Create the following Entry:
type=DWORD
name="MTU" (Do NOT include the quotes)
value=1490 (Decimal) (Do NOT include the text "(Decimal)")
http://support.microsoft.com/support/kb/articles/Q120/6/42.asp?LN=EN-US&SD=gn&FR=0
*** If you know how to also change the MSS, TCP Window Size, and the
*** TTL parameters in Windows 2000, please email dranch@trinnet.net as I
*** would love to add it to the HOWTO.
6. Reboot to let the changes take effect.
------------------------------------------
As stated above, if you know how to make similar changes like these to other
OSes like OS/2, MacOS, etc. please email David Ranch so it can be included in the HOWTO.