Since I set up my Linux router, I noticed that some websites weren’t reachable anymore. The connection was established, and sometimes I could even get small pages (i.e. redirect pages), but most of the time the interesting pages didn’t load.

Searching the Internet led me to suspect packet size. If the remote site was sending packets that were too big, they would get dropped, with an ICMP reply saying “make things smaller, man” (in computer terms: Fragmentation Needed).

However, this mechanism can fail, for instance if the ICMP replies are dropped somewhere along the path, or if anything like that happens.

The symptom in my case was simple. I could access everything from the router itself, but from client computers the connection hung forever without any data coming back… Some tcpdump showed me that the MSS (maximum segment size, i.e. the requested max packet size) value in the initial SYN packet sent by my router was 1414, while the one sent when the connection came from a client computer was 1460. That’s a 46-byte difference. Knowing that networking in Japan is not the same as what I’m used to (for example, the VDSL modem I use to connect to the Internet also provides IPv6 directly, while IPv4 is obtained through PPPoE; I suspect PPPoE in fact transits through IPv6), I decided to change the MSS value in the connection packets.

Easier said than done: setting the MTU on ppp0 or changing the MSS on the route had no impact on the data sent.

When nothing else works, it’s time to use iptables for some dirty work:

iptables -I FORWARD 1 -o ppp0 -p tcp -j TCPMSS --tcp-flags syn,fin,ack syn --set-mss 1414

For all forwarded TCP SYN packets going out through interface ppp0, I set the MSS to 1414… and guess what? It works. I can finally access the websites that didn’t work. Strange workaround, and something I didn’t think I would ever have to do… well… life is weird.
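To make the MSS rewrite concrete, here is an added Python example (not from the post) that parses the MSS option out of a TCP SYN and lowers it the way the TCPMSS target does. The SYN bytes, ports and window are constructed for the example, and the TCP checksum is left untouched (the kernel target recomputes it).

```python
import struct

MSS_KIND, NOP_KIND, EOL_KIND = 2, 1, 0  # TCP option kinds (RFC 793)

def mss_for_mtu(mtu: int) -> int:
    """MSS a host advertises for an IPv4 link: MTU minus 20-byte IP and 20-byte TCP headers."""
    return mtu - 40

def _mss_value_offset(segment: bytes):
    """Return the offset of the 2-byte MSS value inside the TCP options, or None if absent."""
    data_offset = (segment[12] >> 4) * 4  # header length including options
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == EOL_KIND:
            return None
        if kind == NOP_KIND:
            i += 1
            continue
        length = segment[i + 1]
        if kind == MSS_KIND and length == 4:
            return i + 2
        i += length
    return None

def get_mss(segment: bytes):
    """MSS advertised by a SYN, or None if the option is absent."""
    off = _mss_value_offset(segment)
    return None if off is None else struct.unpack("!H", segment[off:off + 2])[0]

def clamp_mss(segment: bytes, max_mss: int) -> bytes:
    """Lower the MSS option to max_mss if it is larger, as TCPMSS --set-mss does.
    Segments without an MSS option, or already at or below max_mss, pass unchanged."""
    off = _mss_value_offset(segment)
    if off is None or get_mss(segment) <= max_mss:
        return segment
    buf = bytearray(segment)
    buf[off:off + 2] = struct.pack("!H", max_mss)
    return bytes(buf)

def build_syn(mss=None) -> bytes:
    """Constructed sample SYN (ports, seq and window are made up; checksum left 0)."""
    options = b"" if mss is None else struct.pack("!BBH", MSS_KIND, 4, mss) + b"\x01\x03\x03\x07"
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 40000, 443, 0x1000, 0, data_offset << 4, 0x02, 64240, 0, 0)
    return header + options

if __name__ == "__main__":
    syn = build_syn(1460)  # what a LAN client on a 1500-byte MTU link sends
    print(get_mss(syn), get_mss(clamp_mss(syn, mss_for_mtu(1454))))  # 1460 1414
```

Note that 1414 is exactly what a 1454-byte MTU allows (1454 minus 40 bytes of IP and TCP headers); the TCPMSS target's `--clamp-mss-to-pmtu` option derives the value from the outgoing interface's MTU instead of a fixed number.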