Subject: Re: Network proxies; NAT
To: Rick Byers <rb-netbsd@BigScaryChildren.net>
From: Richard Rauch <rauch@rice.edu>
List: netbsd-help
Date: 12/06/2001 12:27:02
> > You mention that -current has a more recent version of ipf/ipnat.  Would
> > updating my own system be likely to help?  I was going to put -current on
> > my gateway anyway, and try letting it track -current.  (If the gateway
> > dies a horrible death, I can always reinstall it---and I have backup
> > access via my office should it be down for a protracted period; (^&)
> >
> > If there's some hope that I'd benefit from updating my gateway machine,
> > then I'll table my ftp/www concerns for now...
>
> Yes, updating your ipfilter to at least 3.4.16 by either upgrading to
> -current, or just upgrading ipfilter manually (see the FAQ at

I dropped in a -current kernel (snapshot from Dec. 1).  It seemed to have
trouble with my old LinkSys (err, DLink? I forget which) ethernet card
with the ``Lite-On'' Tulip clone chipset.  I'm not entirely sure, and in
the blur of tweaks & twiddles, I don't remember enough details to say what
I saw.  (I'll definitely get back to it; I'd like to run -current on the
gateway, and resolving that ethernet problem will be an essential
road-block.  (^&)

Upgrading ipfilter manually may be the answer...


> However, as an interim solution you can avoid getting fragments from
> ftp/www.netbsd.org by artificially lowering your MSS and/or by working
> around the bug w.r.t. TCP options.

Can you define MSS for me?


> What PPPoE software are you using?  Due to broken networks (PMTUD
> blackhole problem - see my recent thread on tech-net about a patch for
> limiting the TCP MSS), I suggest you make sure you are "clamping" your TCP

I remember seeing a thread about TCP MSS and PPPoE.  (I'm using
mouse-pppoe; I picked it somewhat at random.  It mostly works as I'd
expect, except that I have to manually set the default route, even though
I've put defaultroute in the /etc/ppp/options file (other options in there
are picked up and processed correctly).)

Unfortunately, mouse-pppoe has essentially no documentation with it.  (^&


> Does this make any sense?  I know it's confusing, there are a lot of

If I fuzzily replace ``MSS'' with ``something like MTU'', yes, it
basically makes sense.  (^&


> problems all interacting here...  It's unfortunate that, since most of the
> world is connected to the net over a 1500 mtu link, people with a lower
> MTU discover (and have to deal with) the bugs :)

I've never had a problem before---but then, I didn't use NAT before.  (^&


(Oh, and thanks to you, Manuel, and others for assistance so far.  It is
very much appreciated, even if my problem isn't solved yet.)


  ``I probably don't know what I'm talking about.'' --rauch@math.rice.edu