Hi all!
I’m having a problem with MT that I can’t wrap my brain around, especially because the exact same configuration works at another office I’m managing:
MT is connected to two ISPs through 2 ethernet interfaces, one connection tunnels into the central office and works perfectly fine (ether2), the other one is for Internet (ether3).
Since ether2 works normally, I’m not going to go into its config, the problem is with ether3:
All PCs in the inside LAN have MT as their gateway. If the request is for the central office’s network, MT correctly routes it to ether2 and sends it through the tunnel. If the request is for addresses other than the 192.168 network, MT also correctly routes it to ether3, BUT:
When pinging or tracerouting, the connection works just fine: it is sent out ether3, and ping replies are received back.
When opening any page with IE, or trying to telnet to an Internet host, the host gets resolved (DNS requests to the outside DNS server work), the initial connection to the host is made, and then it stops working. The pages do not load, and the telnet connection gets disconnected.
When connecting a PC directly to the ISP’s equipment, Internet there works fine, therefore the packets get lost somewhere in MT. But why do pings work then?!?!?
Related config:
chain=srcnat src-address=192.168.11.0/24 dst-address=192.168.0.0/24 action=accept
We tried various NAT configurations, but this exact one works in the other office, while it does not work in this one. I’ve experimented with src-nat to-address=, etc.; nothing works. Everywhere, ping goes through, but the browser does not.
This problem can occur because ping uses ICMP packets, whereas the browser uses TCP/HTTP packets. The second thing is that ping sends small chunks of packets, whereas HTTP sends larger packets.
The problem could be with your MTU size. Try pinging with larger packets and check at what packet size it gives a timeout or an MTU fragmentation error.
Asad,
thank you for the suggestion! Unfortunately, that doesn’t seem to be the issue; the larger ping works fine as well:
Reply from x.x.x.x: bytes=1400 time=563ms TTL=110
bg,
1400 was an example. Check your ethernet interfaces’ MTU and ping with that MTU. If it works, then it’s not an MTU problem; otherwise you can apply the solution given in this thread.
What kind of connection do you have to the Internet (DHCP, PPPoE, PPTP)? That will determine the size of your MTU.
I think it’s your NAT rules… Which interface is your “Public” or WAN interface? If ether3 is your public interface, then the configs should work fine. From your description of the problem, it sounds like ether3 is the interface your hosts are connected to. If that is correct, then the rule should be in-interface=ether3 (not out).
The other thing is it could be the MSS size; try lowering that using the mangle rules (I’d suggest something like 1360).
virtualmystic,
the ethernet interfaces have the standard MTU of 1500 set; if I try pinging with that, it replies:
ping x.x.x.x -f -l 1500
Pinging x.x.x.x with 1500 bytes of data:
Packet needs to be fragmented but DF set.
Actually, all packets above 1472 get this reply:
ping x.x.x.x -f -l 1472
Pinging x.x.x.x with 1472 bytes of data:
Reply from x.x.x.x: bytes=1472 time=563ms TTL=110
ping x.x.x.x -f -l 1473
Pinging x.x.x.x with 1473 bytes of data:
Packet needs to be fragmented but DF set.
I’ve played around with the suggestions from the link you posted, but that doesn’t seem to help either; different MSSes have no effect. DNS requests and pings go through, while pages still don’t open.
wildbill442,
the Internet connection is simply an Ethernet cable plugged into a radio box; a static IP is given by the provider, and the radio box doesn’t require any special configuration parameters. So it’s just a regular ethernet interface.
ether3 is the “Public”/WAN interface, so it really should work fine, but it does not.
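The DF-bit ping test that bg ran above (1472-byte payload replies, 1473 reports "Packet needs to be fragmented but DF set") is path MTU discovery done by hand. The script below is an added example, not code from the thread or from MikroTik: it parses the Windows ping result lines quoted in the thread, binary-searches the largest unfragmented payload against a simulated link (no packets are sent; the link MTU, the 203.0.113.1 reply address and the "black hole" variant that drops the fragmentation-needed ICMP are all constructed), and converts the result into the path MTU and the TCP MSS a clamp rule would need. It also shows why bg's numbers rule out MTU: a 1472-byte payload plus 20 bytes of IP header and 8 bytes of ICMP header is exactly 1500, so the path carries full-size Ethernet frames.

```python
"""Path MTU probing with DF-bit pings, simulated offline.

Constructed example: the "link" is a function that answers the way a path of a
given MTU would, so nothing touches the network.
"""
import re

IP_HEADER = 20     # IPv4 header without options
ICMP_HEADER = 8    # ICMP echo header
TCP_HEADER = 20    # TCP header without options; MSS = MTU - IP - TCP

# The two Windows ping result lines quoted in the thread, plus the timeout line.
_REPLY_RE = re.compile(r"Reply from \S+: bytes=(\d+) time=(\d+)ms TTL=(\d+)")
_FRAG_RE = re.compile(r"Packet needs to be fragmented but DF set")


def classify_ping_line(line):
    """Return ('reply', payload_bytes), ('frag_needed', None) or ('timeout', None)."""
    m = _REPLY_RE.search(line)
    if m:
        return ("reply", int(m.group(1)))
    if _FRAG_RE.search(line):
        return ("frag_needed", None)
    if "Request timed out" in line:
        return ("timeout", None)
    raise ValueError("unrecognised ping output: %r" % line)


def make_simulated_link(path_mtu, drops_frag_needed=False):
    """Build a fake `ping -f -l <size>` for a path with the given MTU (constructed).

    drops_frag_needed models a PMTUD black hole: a hop discards the ICMP
    'fragmentation needed' message, so an oversized DF probe simply times out.
    """
    def ping(payload):
        if IP_HEADER + ICMP_HEADER + payload <= path_mtu:
            return "Reply from 203.0.113.1: bytes=%d time=563ms TTL=110" % payload
        if drops_frag_needed:
            return "Request timed out."
        return "Packet needs to be fragmented but DF set."
    return ping


def probe_max_payload(ping, lo=0, hi=1500):
    """Binary search for the largest DF payload that still gets an echo reply.

    `ping` takes a payload size and returns one line of ping output. `lo` is
    assumed to succeed and `hi` to fail; a timeout counts as a failure, which
    is what makes the search work across a black hole as well.
    """
    while hi - lo > 1:
        mid = (lo + hi) // 2
        kind, _ = classify_ping_line(ping(mid))
        if kind == "reply":
            lo = mid
        else:
            hi = mid
    return lo


def path_mtu_from_payload(max_payload):
    """Largest ICMP payload that passes, plus IP and ICMP headers, is the path MTU."""
    return max_payload + IP_HEADER + ICMP_HEADER


def mss_for_mtu(mtu):
    """TCP MSS that fits the path without fragmentation (the value a clamp rule needs)."""
    return mtu - IP_HEADER - TCP_HEADER


def diagnose(ping):
    """Probe the path and say whether MTU can explain 'ping works, TCP hangs'."""
    max_payload = probe_max_payload(ping)
    mtu = path_mtu_from_payload(max_payload)
    return {
        "max_payload": max_payload,
        "path_mtu": mtu,
        "mss": mss_for_mtu(mtu),
        # A path narrower than standard Ethernet is where MSS clamping helps.
        "mtu_suspect": mtu < 1500,
    }


if __name__ == "__main__":
    # bg's case: 1472 replies, 1473 needs fragmentation -> path MTU 1500.
    link = make_simulated_link(1500)
    print(link(1472))
    print(link(1473))
    print(diagnose(link))
    # Contrast: a PPPoE-sized path (1492) whose ICMP errors are dropped.
    print(diagnose(make_simulated_link(1492, drops_frag_needed=True)))
```

When `mtu_suspect` is false, as in bg's 1472/1473 result, an MSS clamp will not change anything and the investigation should move on to the NAT and forwarding rules; when it is true, `mss` is the value to put in the clamp. Note that 1360, the MSS suggested above, corresponds to a 1400-byte path MTU.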