7.15. ( MTU ) - IP MASQ seems to be working fine but some sites don't work. This usually happens with WWW and FTP.

There are two possible reasons for this. The first one is VERY common and the second is very UNCOMMON.

  • As of the 2.0.38 and 2.2.9+ Linux kernels, there is a debatable BUG in the Masquerade code.

    Some users point their finger to the fact that IPMASQ might have problems with packets that have the DF or "Don't Fragment" bit set. Basically, when a MASQ box connects to the Internet with an MTU of anything less than 1500, some packets would have the DF field set. Though changing the MTU to 1500 on the Linux box will seemingly fix the problem, the possible bug is still there. What is believed to be happening is that the MASQ code is not properly re-writing the return ICMP packets with the ICMP 3 Sub 4 code back to the originating MASQed computer. Because of this, the packets get dropped.

    Other users point their finger at the administrators of the remote sites (typically SSL connected sites, etc.) and say that because they are filtering ALL FORMS of ICMP (including Type 3 Code 4 - Fragmentation Needed messages) in a fray of security paranoia, they are breaking the fundamental aspects of the TCP/IP protocol.

    Both arguments have valid points and users from each camp continue to debate this to this day. If you are a network programmer and you think you can either fix this or surmise the cause, PLEASE TRY! For more details, check out the following MTU thread from the Linux-Kernel list.

    No worries though. A perfectly good way to bypass this is to change your Internet link's MTU to 1500. Now some users will balk at this because it can hurt some latency specific programs like TELNET and games but the impact is only slight. On the other hand, most HTTP and FTP traffic will SPEED UP!

    [ -- If you have a PPPoE connection for your DSL/Cablemodem or choose not to change the MTU to 1500, see below for a different solution. -- ]

    To fix this, first see what the current MTU for your Internet link is. To do so, run "/bin/ifconfig". Now look at the lines that correspond to your Internet connection and look for the MTU. This NEEDS to be set to 1500. Usually, Ethernet links will default to 1500 but serial PPP links will default to 576.

7.15.1. Changing the MTU of a PPP link:

  • To fix the MTU issue on your PPP link, edit your /etc/ppp/options file and towards the top, add the following text on two separate lines: "mtu 1500" and "mru 1500". Save these new changes and then restart PPP. As above, verify again that your PPP link has the correct MTU and MRU.

  • To fix the MTU issue on a standard Ethernet link to your bridged or routed DSL, Cablemodem, etc. connection, you need to edit the correct network startup scripts for your Linux distribution. Please see the TrinityOS - Section 16 document for network optimizations.

7.15.2. Old UNIX Serial interfaces:

  • Lastly, though this isn't a common problem, some users have found the solution to the following problem. PPP users should verify which port their PPPd code is connecting to. Is it a /dev/cua* port or a /dev/ttyS* port? It NEEDS to be a /dev/ttyS* port. The cua style is OLD and it breaks some things in very odd ways.

7.15.3. PPPoE Users:

For those users who use PPPoE (this has a maximum MTU of 1490) or for those users who choose NOT to use an MTU of 1500, not all is lost. If you reconfigure ALL of your MASQed PCs to use the SAME MTU as your external Internet link's MTU, everything should work fine. It should be noted that some PPPoE ISPs might require an MTU of 1460 for proper connectivity.
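The stall described in 7.15 and the fix in this section can be reproduced with a small model. The following Python is an added example, not part of the original HOWTO; the function names, retry limit and transfer sizes are constructed for illustration, and it assumes 20-byte IP and TCP headers with no options.

```python
"""Toy model of Path MTU Discovery across a low-MTU link (constructed example)."""

IP_TCP_HEADERS = 40  # assumption: 20-byte IPv4 header + 20-byte TCP header


def mss_for(mtu):
    """Largest TCP payload that fits in one unfragmented packet at this MTU."""
    return mtu - IP_TCP_HEADERS


def transfer(payload_len, sender_mtu, receiver_mtu, link_mtu,
             icmp_delivered, max_retries=5):
    """Send payload_len bytes with DF set over a hop whose MTU is link_mtu.

    icmp_delivered says whether the ICMP type 3 code 4 reply reaches the
    sender. It does not if a remote filter drops it or if the MASQ box
    fails to rewrite it; both camps in the debate end up here.
    Returns (bytes_delivered, final_mss, outcome).
    """
    # Each side announces its MSS in the SYN; the smaller value is used.
    mss = min(mss_for(sender_mtu), mss_for(receiver_mtu))
    sent = retries = 0
    while sent < payload_len:
        segment = min(mss, payload_len - sent)
        if segment + IP_TCP_HEADERS <= link_mtu:
            sent += segment          # packet fits, it is forwarded
            retries = 0
        elif icmp_delivered:
            mss = mss_for(link_mtu)  # sender learns the path MTU and shrinks
        else:
            retries += 1             # dropped silently, sender retransmits
            if retries > max_retries:
                return sent, mss, "stalled"
    return sent, mss, "complete"


# Constructed scenarios: (label, payload, sender, receiver, link, icmp)
SCENARIOS = [
    ("small page, ICMP lost", 900, 1500, 1500, 1490, False),
    ("large file, ICMP lost", 100000, 1500, 1500, 1490, False),
    ("large file, ICMP delivered", 100000, 1500, 1500, 1490, True),
    ("large file, MASQed PC set to 1490", 100000, 1500, 1490, 1490, False),
]

if __name__ == "__main__":
    for label, *args in SCENARIOS:
        print(f"{label:36s} -> {transfer(*args)}")
```

The small transfer completes even when the ICMP reply is lost, which is why only some sites appear broken; lowering the MASQed PC's MTU makes it announce an MSS of 1450, so full-size packets never exceed the 1490-byte link.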

How would you do this? Follow these simple steps for your respective operating system.

The following examples use an MTU of 1490 for typical PPPoE connections for some DSL and Cablemodem users. It is recommended to use the HIGHEST values possible for all connections that are 128Kb/s and faster.

The only real reason to use smaller MTUs is to lower latency but at the cost of throughput. Please see:

http://www.ecst.csuchico.edu/~dranch/PPP/ppp-performance.html#mtu

for more details on this topic.

*** If you have had SUCCESS, FAILURE, or have procedures for OTHER operating systems, please email David Ranch. Thanks! ***

7.15.4. Linux:

------------------------------------------
1. The setting of MTU can vary from Linux distribution to distribution.  

   For Redhat: You need to edit the various "ifconfig" statements in 
               the /sbin/ifup script

   For Slackware: You need to edit the various "ifconfig" statements in 
                  the /etc/rc.d/rc1.inet

2. Here is one good example that will work on any distribution: edit the 
   /etc/rc.d/rc.local file and put the following at the END of the file: 

        echo "Changing the MTU of ETH0"
        /sbin/ifconfig eth0 mtu 1490

     Replace "eth0" with the interface name that is the machine's upstream 
     connection which is connected to the Internet.

3. For advanced options like "TCP Receive Windows" and such, detailed examples
   on how to edit the respective networking scripts for your specific Linux
   distro, etc., please see Chapter 16 of 
   http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos 
------------------------------------------

7.15.5. MS Windows 95:

------------------------------------------
1. Making ANY changes to the Registry is inherently risky but
   with a backup copy, you should be safe.  Proceed at your OWN RISK.

2. Go to Start-->Run-->RegEdit

3. You should make a backup copy of your Registry before continuing.  To
   do this, copy the "user.dat" and "system.dat" files from the \WINDOWS 
   directory and put them into a safe place.  It should be noted that the
   previously mentioned method of using "Regedit: Registry-->Export Registry 
   File-->Save a copy of your registry" would only do Registry MERGES and NOT 
   do a replacement.

4. Search through each of the Registry trees that end in "n" (e.g. 0007) 
   and have a Registry entry called "IPAddress", which has the IP address
   of your NIC.  Under that key, add the following:

   From http://support.microsoft.com/support/kb/articles/q158/4/74.asp

     [Hkey_Local_Machine\System\CurrentControlset\Services\Class\NetTrans\000n]

         type=DWORD
         name="MaxMTU"           (Do NOT include the quotes)
         value=1490 (Decimal)    (Do NOT include the text "(Decimal)")

         type=DWORD
         name="MaxMSS"           (Do NOT include the quotes)
         value=1450 (Decimal)    (Do NOT include the text "(Decimal)")


5. You can also change the "TCP Receive Window" which sometimes
   increases network performance SUBSTANTIALLY.  If you notice your
   throughput has DECREASED, put these items BACK to their original 
   settings and reboot.

     [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP]
        type=DWORD
        name="DefaultRcvWindow"   (Do NOT include the quotes)
        value=32768 (Decimal)     (Do NOT include the text "(Decimal)")

        type=DWORD
        name="DefaultTTL"         (Do NOT include the quotes)
        value=128 (Decimal)       (Do NOT include the text "(Decimal)")


6. Reboot to let the changes take effect.
------------------------------------------

7.15.6. MS Windows 98:

------------------------------------------
1. Making ANY changes to the Registry is inherently risky but
   with a backup copy, you should be safe.  Proceed at your OWN RISK.

2. Go to Start-->Run-->RegEdit

3. You should make a backup copy of your Registry before doing anything.  To
   do this, copy the "user.dat" and "system.dat" files from the \WINDOWS 
   directory and put them into a safe place.  It should be noted that the
   previously mentioned method of using "Regedit: Registry-->Export Registry 
   File-->Save a copy of your registry" would only perform Registry MERGES 
   and NOT do a replacement.

4. Search through each of the Registry trees that end in "n" (e.g. 0007) 
   and have a Registry entry called "IPAddress" which has the IP address
   of your NIC.  Under that key, add the following:

   From http://support.microsoft.com/support/kb/articles/q158/4/74.asp

     [Hkey_Local_Machine\System\CurrentControlset\Services\Class\NetTrans\000n]
         type=STRING
         name="MaxMTU"            (Do NOT include the quotes)
         value=1490 (Decimal)     (Do NOT include the text "(Decimal)")


5. You can also change the "TCP Receive Window" which sometimes
   increases network performance SUBSTANTIALLY.  If you notice your
   throughput has DECREASED, put these items BACK to their original 
   settings and reboot.

     [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP]

        type=STRING
        name="DefaultRcvWindow"    (Do NOT include the quotes)
        value=32768 (Decimal)      (Do NOT include the text "(Decimal)")

        type=STRING
        name="DefaultTTL"          (Do NOT include the quotes)
        value=128 (Decimal)        (Do NOT include the text "(Decimal)")


6. Reboot to let the changes take effect.
------------------------------------------

7.15.7. MS Windows NT 4.x

------------------------------------------
1. Making ANY changes to the Registry is inherently risky but
   with a backup copy, you should be safe.  Proceed at your 
   OWN RISK.

2. Go to Start-->Run-->RegEdit

3. Registry-->Export Registry File-->Save a copy of your registry
   to a reliable place

4. Create the following keys in the Registry trees.  There are two
   possible Registry trees; multiple entries are for various 
   network devices like DialUp Networking (ppp), Ethernet NICs, 
   PPTP VPNs, etc.

   http://support.microsoft.com/support/kb/articles/Q102/9/73.asp?LN=EN-US&SD=gn&FR=0


   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Parameters\Tcpip]
                     and
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<Adapter-name>\Parameters\Tcpip]

      Replace "<Adapter-name>" with the respective name of your uplink LAN NIC 
      interface

         type=DWORD
         name="MTU"              (Do NOT include the quotes)
         value=1490 (Decimal)    (Do NOT include the text "(Decimal)")


 *** If you know how to also change the MSS, TCP Window Size, and the
 *** TTL parameters in NT 4.x, please email dranch@trinnet.net as I 
 *** would love to add it to the HOWTO.

5. Reboot to make the changes take effect.
------------------------------------------

7.15.8. MS Windows 2000

------------------------------------------
1. Making ANY changes to the Registry is inherently risky but
   with a backup copy, you should be safe.  Proceed at your 
   OWN RISK.

2. Go to Start-->Run-->RegEdit

3. Registry-->Export Registry File-->Save a copy of your registry
   to a reliable place

4. Navigate down to the key:

   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<ID for Adapter>]

   Each Adapter ID has default keys for DNS, TCP/IP address, Default Gateway, 
   subnet mask, etc. Find the one that is for your network card.

5. Create the following Entry:

      type=DWORD
      name="MTU"                (Do NOT include the quotes)
      value=1490 (Decimal)      (Do NOT include the text "(Decimal)")

http://support.microsoft.com/support/kb/articles/Q120/6/42.asp?LN=EN-US&SD=gn&FR=0


 *** If you know how to also change the MSS, TCP Window Size, and the
 *** TTL parameters in NT 2000, please email dranch@trinnet.net as I 
 *** would love to add it to the HOWTO.

6. Reboot to let the changes take effect.
------------------------------------------

As stated above, if you know how to make changes like these on other OSes such as OS/2, MacOS, etc., please email David Ranch so they can be included in the HOWTO.