Re: Strange PPPoe problem



On Friday 24 March 2006 07:55, Jacob S wrote:

On Thu, 23 Mar 2006 14:35:20 -0600

anoop aryal <aaryal@xxxxxxxxxxxxxxxx> wrote:
On Thursday 23 March 2006 10:58, Jacob S wrote:

Howdy list,

I recently changed ISPs, away from static ips on a dsl line to
a single dynamic ip on Veriz*n's new Fi*S (fiber optic)
service. The new service uses PPPoe - not a problem, or so I
thought - I have PPPoe on my firewall.

Now, I have used PPPoe from this very same firewall on a
different dsl line before and it worked great. But for some
reason when I do PPPoe for the new fiber line only http traffic
works properly. When downloading e-mail, everything is fine
until it tries to download the mail (I see it login, get the
number of messages to download, and then it tries to start
downloading). At this point the e-mail just hangs until it
finally times out. It does not seem to be port-related, as I
have set up the e-mail server with port-forwarding rules to
allow me to download mail on non-standard ports and it
exhibits the same problem. And if I do PPPoe on the provided
D-Link router, instead of on my firewall, everything
(including e-mail) works great.
<snip>

google PMTU to read about this in more detail, but it seriously
sounds like icmp 3/4 packets are being dropped somewhere. if you
set up your firewall to allow icmp packets of type 3/4 thru, you
should be all set (well, you'd hope so anyway). a set of rules like
so should do the trick:

-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT

then, make sure you have the iputils-ping package installed (not the
netkit-ping) and try:

ping your.mail.host -c 1 -M do -s 1472

and you should get back an icmp reply saying what the mtu should be.
subtract 28 from it and try pinging with that size and it should go
thru. eg, if the reply says mtu = 1492, try:

ping your.mail.host -c 1 -M do -s 1464

and it should go thru just fine. if you get a request timeout, that
means that some routers are just dropping your packets without an
icmp 3/4 message. keep reducing the size of your packet and see if
you can get anything thru. read up on PMTU for possible solutions.
there are ways to stop automatic PMTU discovery etc.

Ok, things are getting stranger here.

I ran the iptables rules you suggested and here's the ping results:

# ping longbow.arroway.com -c 1 -M do -s 1472
PING longbow.arroway.com (66.252.129.166) 1472(1500) bytes of data.
From pool-71-244-52-50.dllstx.fios.verizon.net (71.244.52.50)
icmp_seq=1 Frag needed and DF set (mtu = 1492)

--- longbow.arroway.com ping statistics ---
0 packets transmitted, 0 received, +1 errors

# ping longbow.arroway.com -c 1 -M do -s 1464
PING longbow.arroway.com (66.252.129.166) 1464(1492) bytes of data.
1472 bytes from longbow.arroway.com (66.252.129.166): icmp_seq=1
ttl=49 time=163 ms

--- longbow.arroway.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 163.150/163.150/163.150/0.000 ms

So then I added the line
pty "/usr/sbin/pppoe -I eth0 -T 80 -m 1464"
to /etc/ppp/peers/dsl-provider, but the problem continued. After
commenting that line back out (so that no pty... -m declaration had
been made in the dsl-provider config), I was able to successfully
download one single e-mail from a server. There was only one e-mail in
that account and it downloaded like normal. So I sent an e-mail to
that account, being that it was on a different server from my normal
tests, but that one would not download successfully. So it would seem
like it had something to do with the size and speed of the one that
downloaded properly.

In short, it's still a no go and I have no clue why. The D-Link router
still works great, but pppoe from the firewall doesn't.

The d-link works... And does this also go thru the same iptables rules
as the PPPoE?

If so, then playing with iptables is only going to break something. In
any event, a run of "/etc/init.d/iptables stop" (as root of course)
will open things up and prove or disprove that theory. I wouldn't
leave it off for very long though.

If you persist in using PPPoE rather than a good router, then I believe
I'd take this problem to the Roaring Penguin folks to see if they've a
new version that fixes this, or can use you for a test bed to see about
fixing it.

Any more clues or suggestions, anyone?

TIA,
Jacob

--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
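
The probing procedure from the quoted reply above (DF-flagged pings of shrinking size, payload = MTU minus 28), as an added shell example that is not part of the original thread. The function names `probe`, `reported_mtu` and `path_mtu` and the 548-byte lower bound are assumptions of this example; `probe` is the only part that touches the network.

```shell
#!/bin/sh
# Added example: locate the path MTU with DF-flagged pings (iputils ping).
# Usage after sourcing this file:  path_mtu your.mail.host

IP_ICMP_OVERHEAD=28   # 20-byte IPv4 header + 8-byte ICMP echo header

# Line copied from the ping output quoted in the thread.
SAMPLE='icmp_seq=1 Frag needed and DF set (mtu = 1492)'

# Read ping output on stdin and print the MTU a router reported in an
# ICMP type 3 code 4 reply. Prints nothing if no such reply was seen,
# which is the symptom of a filter dropping those packets.
reported_mtu() {
    sed -n 's/.*Frag needed and DF set (mtu = \([0-9][0-9]*\)).*/\1/p' | head -n 1
}

# Return 0 if one echo request with DF set and payload size $2 reaches $1.
probe() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# Binary-search the largest payload in [lo, hi] that gets through, then
# print payload + 28 as the path MTU. This works even when routers drop
# oversized packets silently instead of answering with ICMP 3/4.
# Returns 1 (and prints nothing) if even the smallest probe fails.
path_mtu() {
    host=$1 lo=${2:-548} hi=${3:-1472}
    probe "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$host" "$mid"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo $(( lo + IP_ICMP_OVERHEAD ))
}
```

If `path_mtu` reports a value below 1500 while ping itself never shows a "Frag needed" line, the ICMP 3/4 replies are being filtered somewhere on the path.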

