[Gllug] Problem with new Virgin 50Mbps Modem

James Courtier-Dutton james.dutton at gmail.com
Tue Mar 27 20:20:41 UTC 2012


On 27 March 2012 20:40, Alain Williams <addw at phcomp.co.uk> wrote:
> On Tue, Mar 27, 2012 at 08:11:53PM +0100, James Courtier-Dutton wrote:
>
>> Hi,
>>
>> Just so you know, the cause is a problem with their network, not yours.
>
> Yes ... they did (eventually) admit that.
>
> ''My'' network is at a school, I have fixed the Linux servers, but there are
> many other machines - including the admin block which is staunchly MS owned.
>
> At the center of the network is a Linux box (called Hermes) with 4 ethernet
> interfaces, one of which is the only connection to the Virgin modem.  I am
> looking to see if I can fix it by tickling the Hermes firewall. I note the 2
> items below and wonder if anyone has any experience with this ?
>
> Below is part of the iptables man page:
>
>
>   TCPMSS
>       This target allows to alter the MSS value of TCP SYN packets, to
>       control the maximum size for that connection  (usually  limiting
>       it  to  your  outgoing interfaces MTU minus 40).  Of course, it
>       can only be used in conjunction with -p tcp.  It is  only  valid
>       in the mangle table.
>       This  target  is  used  to overcome criminally braindead ISPs or
>       servers which block  ICMP  Fragmentation  Needed  packets.   The
>       symptoms  of  this  problem  are that everything works fine from
>       your Linux firewall/router, but machines  behind  it  can  never
>       exchange large packets:
>        1) Web browsers connect, then hang with no data received.
>        2) Small mail works fine, but large emails hang.
>        3) ssh works fine, but scp hangs after initial handshaking.
>       Workaround: activate this option and add a rule to your firewall
>       configuration like:
>        iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
>                    -j TCPMSS --clamp-mss-to-pmtu
>
>       --set-mss value
>              Explicitly set MSS option to specified value.
>
>       --clamp-mss-to-pmtu
>              Automatically clamp MSS value to (path_MTU - 40).
>
>       These options are mutually exclusive.
>
>
> I also see:
>
>    https://blue-labs.org/howto/mtu-mss.php
>
>
>> The problem you were running into is called "black hole" packets.
>> This is where, if you send packets of varying sizes, some will not get through.
>> What you did is work around the problem, not actually fix it.
>

My advice: don't touch the TCP MSS values at the firewall. It fixes
the symptom for TCP packets, but does nothing for UDP packets, i.e.
some media streaming and P2P protocols will still be broken.

Until Virgin fix their stuff, just lower the MTU on the firewall
interface next to the Virgin Hub.
This will cure the symptom for all hosts at your site.
Once Virgin fix their stuff, restore the MTU value to its default.

Good to hear that you have your own firewall.

If you are interested in why you see the symptoms you see: the main
reason is that "black hole packets" break path MTU discovery (RFC 1191).

Kind Regards

James
--
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
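The following script is an added example and is not code from either participant in the thread. It ties together the three things discussed above: finding out whether a path really has a PMTU black hole (a DF-bit ping sweep, which is how you confirm the ISP is dropping ICMP Fragmentation Needed), the man page's TCPMSS clamp (option A, TCP only) and James's alternative of lowering the MTU of the ISP-facing interface (option B, covers UDP too). The interface name `eth3`, the probe host and the "minus 40" MSS arithmetic for IPv4 are assumptions; the commands are printed rather than executed so you can review them before applying.

```shell
#!/bin/sh
# Added example (not from the GLLUG thread). Assumes Linux iputils ping,
# iptables with the TCPMSS target, and iproute2. Interface and probe host
# are placeholders for your own site.

# TCP MSS for a given IPv4 link MTU: MTU minus 20 bytes IPv4 header and
# 20 bytes TCP header (the "minus 40" in the iptables man page).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Find the largest ICMP echo payload that passes with DF set, by binary
# search.  ping -M do sets the DF bit, -s is the payload size, and the
# IPv4 datagram on the wire is payload + 28 (20 IP + 8 ICMP).
# Prints the discovered path MTU, or 0 (and fails) if nothing gets through.
# If this reports a value below your link MTU and you never saw an ICMP
# "Frag needed" in tcpdump, you have the black hole the thread describes.
probe_pmtu() {
    host=$1; lo=0; hi=${2:-1472}        # 1472 + 28 = 1500, a normal Ethernet MTU
    ping -c 1 -W 2 -M do -s 0 "$host" >/dev/null 2>&1 || { echo 0; return 1; }
    while [ $(( hi - lo )) -gt 1 ]; do  # invariant: lo passes, hi untested or fails
        mid=$(( (lo + hi) / 2 ))
        if ping -c 1 -W 2 -M do -s "$mid" "$host" >/dev/null 2>&1; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    # hi is only untested if every probe passed; check it once.
    if ping -c 1 -W 2 -M do -s "$hi" "$host" >/dev/null 2>&1; then lo=$hi; fi
    echo $(( lo + 28 ))
}

# Option A (the man page workaround): clamp the MSS on forwarded SYNs that
# leave via the ISP-facing interface.  Only TCP is helped; UDP flows that
# emit full-size datagrams still die in the black hole.
mss_clamp_rule() {
    iface=$1; mtu=$2
    echo "iptables -t mangle -A FORWARD -o $iface -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $(mss_for_mtu "$mtu")"
}

# Option B (James's advice): lower the MTU of the ISP-facing interface.
# Every forwarded packet, UDP included, now fits the path; a LAN host that
# sends something larger with DF set gets ICMP Fragmentation Needed from
# the firewall itself, which never has to cross the ISP, so PMTU discovery
# works again for all hosts behind it.  Revert with the original MTU later.
mtu_lower_cmd() {
    iface=$1; mtu=$2
    echo "ip link set dev $iface mtu $mtu"
}

# Usage: sh pmtu-workaround.sh <isp-facing-iface> <probe-host>
# e.g.   sh pmtu-workaround.sh eth3 www.example.org
if [ $# -ge 2 ]; then
    pmtu=$(probe_pmtu "$2") || { echo "no DF probe reached $2" >&2; exit 1; }
    echo "# path MTU towards $2 appears to be $pmtu"
    echo "# option A (TCP only):"; mss_clamp_rule "$1" "$pmtu"
    echo "# option B (all protocols):"; mtu_lower_cmd "$1" "$pmtu"
fi
```

Run the probe from the firewall itself (Hermes, in the thread), because that is the box whose outgoing interface MTU you would lower; a probe from a LAN host would already be subject to whatever the firewall does. Whichever option you apply, re-run `probe_pmtu` after the ISP claims to have fixed things and then restore the original MTU, as James suggests.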