[Gllug] Problem with new Virgin 50Mbps Modem

Alain Williams addw at phcomp.co.uk
Tue Mar 27 19:40:47 UTC 2012

On Tue, Mar 27, 2012 at 08:11:53PM +0100, James Courtier-Dutton wrote:

> Hi,
> Just so you know, the cause is a problem with their network, not yours.

Yes ... they did (eventually) admit that.

''My'' network is at a school, I have fixed the Linux servers, but there are
many other machines - including the admin block which is staunchly MS owned.

At the center of the network is a Linux box (called Hermes) with 4 ethernet
interfaces, one of which is the only connection to the Virgin modem.  I am
looking to see if I can fix it by tickling the Hermes firewall. I note the 2
items below and wonder if anyone has any experience with this ?

Below is part of the iptables man page:

       This target allows to alter the MSS value of TCP SYN packets, to
       control the maximum size for that connection  (usually  limiting
       it  to  your  outgoing interfaces MTU minus 40).  Of course, it
       can only be used in conjunction with -p tcp.  It is  only  valid
       in the mangle table.
       This  target  is  used  to overcome criminally braindead ISPs or
       servers which block  ICMP  Fragmentation  Needed  packets.   The
       symptoms  of  this  problem  are that everything works fine from
       your Linux firewall/router, but machines  behind  it  can  never
       exchange large packets:
        1) Web browsers connect, then hang with no data received.
        2) Small mail works fine, but large emails hang.
        3) ssh works fine, but scp hangs after initial handshaking.
       Workaround: activate this option and add a rule to your firewall
       configuration like:
        iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
                    -j TCPMSS --clamp-mss-to-pmtu

       --set-mss value
              Explicitly set MSS option to specified value.

              Automatically clamp MSS value to (path_MTU - 40).

       These options are mutually exclusive.

I also see:


> The problem you were running into is call "black hole" packets.
> This is where, if you send packets of varying sizes, some will not get through.
> What you did is work around the problem, not actually fix it.


Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h>
Gllug mailing list  -  Gllug at gllug.org.uk

More information about the GLLUG mailing list