On 08/12/11 11:06, Christian Pernegger wrote:
> The official method for getting one's IP is DHCP, though configuring it statically reportedly also works. I tried both, no difference. The DHCP server *does* suggest an MTU of 576 bytes instead of the usual 1500 bytes, but that seems to be bogus. Manual PMTU discovery via don't-fragment pings to various servers is consistent with an MTU of 1500 and anyway, changing it to 576 doesn't have any appreciable effect at all, with or without a TCPMSS rule as suggested by the iptables man page.
I was going to say that this /really/ seems like an MTU / TCPMSS issue to me.
For giggles, ssh from one of the clients, configuring the ssh client as a SOCKS proxy. Then have your web browser use the ssh / SOCKS proxy for testing. If that does work correctly, I'd still really question MTU / TCPMSS.
What happens if you clamp the MTU / TCPMSS really low, just to make sure you are (way) below anything interfering?
Have you tried running a network sniffer on any of the traffic to see what it's doing? Do you have any re-transmissions? Do you see requests that don't have associated replies?
Do the sniffs on the inside interface match the outside interface (save for the NATed IP address)?
Grant. . . .
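The three checks Grant asks for (retransmissions, requests with no reply, and inside vs. outside captures that should differ only in the NATed address) as a small Python analyzer over `tcpdump -nn` text output. This is an added example, not code from the thread or from either poster. It assumes the router does SNAT and preserves the client's source port (netfilter MASQUERADE/SNAT does so where it can), and that the two captures were taken on the router with the commands in the docstring. Addresses are documentation ranges and the sample lines are constructed, not captured from anyone's network; the constructed case shows a full-size 1448-byte segment that reaches the outside interface three times but never appears inside, which is the kind of mismatch the last question is meant to surface.

```python
"""Added example: sanity checks on `tcpdump -nn` TCP output for the symptoms
asked about in the thread: retransmissions, SYNs with no SYN-ACK, and
inside/outside (NAT) captures that do not match.

Assumed capture commands, run on the router (interface names hypothetical):
    tcpdump -nn -l -i eth1 'tcp and host 192.168.1.10'   # inside (LAN) side
    tcpdump -nn -l -i eth0 'tcp and host 203.0.113.5'    # outside (WAN) side
"""
import re
from collections import Counter

# One tcpdump TCP line: ts, src.port > dst.port, [flags], optional seq/ack, length.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r".*?, length (?P<length>\d+)$"
)

def parse_tcpdump(lines):
    """Parse `tcpdump -nn` TCP lines into dicts; ICMP and other unparseable lines are skipped."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        pkts.append({
            "ts": d["ts"], "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "flags": d["flags"],
            "seq": int(d["seq"]) if d["seq"] is not None else None,
            "ack": int(d["ack"]) if d["ack"] is not None else None,
            "length": int(d["length"]),
        })
    return pkts

def _segment_key(p):
    # Identity of the bytes a segment carries; seeing the same key twice is a retransmission.
    return (p["src"], p["sport"], p["dst"], p["dport"], p["flags"], p["seq"], p["length"])

def find_retransmissions(pkts):
    """Return SYNs or data-carrying segments whose exact seq/length was already sent."""
    seen, repeats = Counter(), []
    for p in pkts:
        if p["length"] == 0 and "S" not in p["flags"]:
            continue  # pure ACKs legitimately repeat; they are not retransmissions
        k = _segment_key(p)
        if seen[k]:
            repeats.append(p)
        seen[k] += 1
    return repeats

def find_unanswered_syns(pkts):
    """SYNs (not SYN-ACKs) for which no SYN-ACK ever came back from the peer."""
    synacks = {(p["src"], p["sport"], p["dst"], p["dport"]) for p in pkts if p["flags"] == "S."}
    return [p for p in pkts
            if p["flags"] == "S" and (p["dst"], p["dport"], p["src"], p["sport"]) not in synacks]

def compare_captures(inside, outside, nat_map):
    """Diff the inside and outside captures after undoing the SNAT address rewrite.

    nat_map maps the public (outside) address back to the private one, e.g.
    {"203.0.113.5": "192.168.1.10"}; ports are assumed unchanged by the NAT.
    Returns (only_inside, only_outside) Counters of segment keys; both are empty
    when every segment seen on one interface was also seen on the other.
    """
    def norm(p):
        q = dict(p)
        q["src"] = nat_map.get(q["src"], q["src"])
        q["dst"] = nat_map.get(q["dst"], q["dst"])
        return _segment_key(q)
    ci, co = Counter(norm(p) for p in inside), Counter(norm(p) for p in outside)
    return ci - co, co - ci

def analyze(inside_lines, outside_lines, nat_map):
    """Run all three checks and return counts (printed when run as a script)."""
    inside, outside = parse_tcpdump(inside_lines), parse_tcpdump(outside_lines)
    only_in, only_out = compare_captures(inside, outside, nat_map)
    return {
        "retransmissions_inside": len(find_retransmissions(inside)),
        "retransmissions_outside": len(find_retransmissions(outside)),
        "unanswered_syns_inside": len(find_unanswered_syns(inside)),
        "only_inside": sum(only_in.values()),
        "only_outside": sum(only_out.values()),
    }

# Constructed sample (not a real capture): client 192.168.1.10, SNATed to 203.0.113.5,
# talks to 198.51.100.20. The server's 1448-byte segment shows up outside three
# times and never inside; a second SYN (port 51100) gets no SYN-ACK at all.
INSIDE = """\
12:00:01.000000 IP 192.168.1.10.51000 > 198.51.100.20.80: Flags [S], seq 1000, win 29200, options [mss 1460,sackOK,nop,wscale 7], length 0
12:00:01.020000 IP 198.51.100.20.80 > 192.168.1.10.51000: Flags [S.], seq 5000, ack 1001, win 65535, options [mss 1460], length 0
12:00:01.020100 IP 192.168.1.10.51000 > 198.51.100.20.80: Flags [.], ack 1, win 229, length 0
12:00:01.021000 IP 192.168.1.10.51000 > 198.51.100.20.80: Flags [P.], seq 1:80, ack 1, win 229, length 79
12:00:01.050000 IP 198.51.100.20.80 > 192.168.1.10.51000: Flags [.], ack 80, win 235, length 0
12:00:05.000000 IP 192.168.1.10.51100 > 198.51.100.20.443: Flags [S], seq 7000, win 29200, options [mss 1460], length 0
""".splitlines()
OUTSIDE = """\
12:00:01.000100 IP 203.0.113.5.51000 > 198.51.100.20.80: Flags [S], seq 1000, win 29200, options [mss 1460,sackOK,nop,wscale 7], length 0
12:00:01.019900 IP 198.51.100.20.80 > 203.0.113.5.51000: Flags [S.], seq 5000, ack 1001, win 65535, options [mss 1460], length 0
12:00:01.020200 IP 203.0.113.5.51000 > 198.51.100.20.80: Flags [.], ack 1, win 229, length 0
12:00:01.021100 IP 203.0.113.5.51000 > 198.51.100.20.80: Flags [P.], seq 1:80, ack 1, win 229, length 79
12:00:01.049900 IP 198.51.100.20.80 > 203.0.113.5.51000: Flags [.], ack 80, win 235, length 0
12:00:01.050500 IP 198.51.100.20.80 > 203.0.113.5.51000: Flags [.], seq 1:1449, ack 80, win 235, length 1448
12:00:01.250500 IP 198.51.100.20.80 > 203.0.113.5.51000: Flags [.], seq 1:1449, ack 80, win 235, length 1448
12:00:01.650500 IP 198.51.100.20.80 > 203.0.113.5.51000: Flags [.], seq 1:1449, ack 80, win 235, length 1448
12:00:05.000100 IP 203.0.113.5.51100 > 198.51.100.20.443: Flags [S], seq 7000, win 29200, options [mss 1460], length 0
""".splitlines()

if __name__ == "__main__":
    for name, count in analyze(INSIDE, OUTSIDE, {"203.0.113.5": "192.168.1.10"}).items():
        print(f"{name}: {count}")
```

On a real box, feed it the saved `tcpdump -nn -l` output of each interface instead of the embedded sample. Repeated full-size segments on the outside with nothing matching inside, while the small client requests pass in both directions, is the signature of a size-dependent drop rather than a routing or NAT problem, which is exactly what an MTU or MSS clamp experiment should then change.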