Re: Strange PPPoe problem
- From: anoop aryal <aaryal@xxxxxxxxxxxxxxxx>
- Date: Thu, 23 Mar 2006 14:35:20 -0600
On Thursday 23 March 2006 01:13 pm, Jacob S wrote:
On Thu, 23 Mar 2006 12:27:26 -0500
Gene Heskett <gene.heskett@xxxxxxxxxxx> wrote:
On Thursday 23 March 2006 10:58, Jacob S wrote:
Howdy list,
I recently changed ISPs, away from static ips on a dsl line to a
single dynamic ip on Veriz*n's new Fi*S (fiber optic) service. The
new service uses PPPoe - not a problem, or so I thought - I have
PPPoe on my firewall.
Now, I have used PPPoe from this very same firewall on a different
dsl line before and it worked great. But for some reason when I do
PPPoe for the new fiber line only http traffic works properly. When
downloading e-mail, everything is fine until it tries to download the
mail (I see it login, get the number of messages to download, and
then it tries to start downloading). At this point the e-mail just
hangs until it finally times out. It does not seem to be
port-related, as I have set up the e-mail server with port-forwarding
rules to allow me to download mail on non-standard ports and it
exhibits the same problem. And if I do PPPoe on the provided D-Link
router, instead of on my firewall, everything (including e-mail)
works great.
Then I suggest you use it, as, provided you replace the d-link with a
linksys, something like a BEFSX41, you'll also have a very good
firewall for free AND it will all Just Work(TM). I spent 2 weeks
trying to make rp's PPPoE for linux work but like you, way too many
things just didn't work.
The security of the d-link product has been questioned at length on
the lists, and I can testify that the Siemens speedstream product is
likewise rather poor, it was owned and trashed here inside of 2
weeks, with outside config access supposedly denied from the WAN
ports.
My linksys has let someone by just far enough to make a log entry as
they were being dropped by a combination of portsentry, tcpwrappers,
and iptables, 3 times in 3 years, 2 of which came from known sources
when one of vz dns servers was owned and attacked me. The third one
came from a chinese address block and didn't get any farther than the
log. For 3 years of 24/7/365 dsl service, I think that's very good
security indeed.
Thanks, but I'd rather keep playing with Linux to figure out why it's
not working
i would too. ;)
than dump more money into the problem. My solution to this
point is using my firewall as the only computer connected to the D-Link
router. It works pretty well this way, but it means I'm stuck with
their "firewall" on the router, instead of having full control from my
Linux firewall.
google PMTU to read about this in more detail, but it seriously sounds like
icmp 3/4 packets are being dropped somewhere. if you set up your firewall to
allow icmp packets of type 3/4 thru, you should be all set (well, you'd hope
so anyway). a set of rules like so should do the trick:
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
then, make sure you have the iputils-ping package installed (not the
netkit-ping) and try:
ping your.mail.host -c 1 -M do -s 1472
and you should get back an icmp reply saying what the mtu should be. subtract
28 from it and try pinging with that size and it should go thru. eg, if the
reply says mtu = 1492, try:
ping your.mail.host -c 1 -M do -s 1464
and it should go thru just fine. if you get a request timeout, that means that
some routers are just dropping your packets without an icmp 3/4 message. keep
reducing the size of your packet and see if you can get anything thru. read
up on PMTU for possible solutions. there are ways to stop automatic PMTU
discovery etc.
hope it helps.
anoop.
Jacob
--
anoop
aaryal@xxxxxxxxxxxxxxxx
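
The manual procedure in the message above (ping with -M do, shrink the payload until it goes through, add 28 to get the MTU), automated as a binary search. This is an added example, not part of the original post; the names find_path_mtu, probe and PROBE_CMD and the 548-byte starting floor are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): binary-search the largest ICMP
# echo payload that passes with Don't Fragment set, then report the path MTU.
# Path MTU = payload + 28 (20-byte IPv4 header + 8-byte ICMP header).

# probe HOST SIZE: succeeds if one DF-flagged echo with SIZE payload bytes is
# answered. Needs iputils ping (-M do), as the message above notes.
probe() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# Hypothetical hook: point PROBE_CMD at another function to test offline.
PROBE_CMD=${PROBE_CMD:-probe}

# find_path_mtu HOST [LOCAL_MTU]: prints the path MTU on stdout.
# Returns 1 if even the floor payload fails (host down or echo filtered).
find_path_mtu() {
    pm_host=$1
    pm_lo=548                       # assumed floor: a 576-byte packet
    pm_hi=$(( ${2:-1500} - 28 ))    # largest payload the local link allows

    "$PROBE_CMD" "$pm_host" "$pm_lo" || return 1
    if "$PROBE_CMD" "$pm_host" "$pm_hi"; then
        echo $(( pm_hi + 28 ))      # nothing on the path is smaller
        return 0
    fi
    # Invariant: pm_lo passes, pm_hi fails. Narrow until they are adjacent.
    while [ $(( pm_hi - pm_lo )) -gt 1 ]; do
        pm_mid=$(( (pm_lo + pm_hi) / 2 ))
        if "$PROBE_CMD" "$pm_host" "$pm_mid"; then
            pm_lo=$pm_mid
        else
            pm_hi=$pm_mid
        fi
    done
    echo $(( pm_lo + 28 ))
}

# Usage after sourcing this file:  find_path_mtu your.mail.host
```

Because a timeout counts as a failed probe, the search still converges when routers drop oversized packets without sending an icmp 3/4 message.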