Re: DF (Don't frag) issues

From: Matthew Sullivan <matthew_at_uq.edu.au>
Date: Wed, 20 Apr 2005 21:36:01 +1000
I'm going to post this back to the list as Marko was also helping me get
to the bottom of it...

David Malone wrote:

>On Tue, Apr 19, 2005 at 07:29:18AM +1000, Matthew Sullivan wrote:
>  
>
>>Any reason why FreeBSD 5.2.1+ and 5.3-p9 set DF on all packets?
>>    
>>
>
>It is usual to do this to do path MTU discovery with TCP. I don't
>know what the situation with the packets that the VPN sends is.
>
>  
>
>>example with dominator [203.15.51.36] MTU at 1500, vpn server is at 
>>203.15.51.36 (all interfaces are MTU 1500 except gif0 which is 1280), 
>>other end of the VPN has interfaces at MTU 1500 which services the 
>>10.200.254.0 network (wireless)....
>>
>>23:36:23.577880 203.15.51.36.24 > 10.200.254.98.33118: . 2315:3763(1448) 
>>ack 2537 win 33304 <nop,nop,timestamp 45880385 1548984> (DF) [tos 0x10]
>>23:36:23.578406 203.15.51.61 > 203.15.51.36: icmp: 10.200.254.98 
>>unreachable - need to frag (DF)
>>    
>>
>
>It looks like 203.15.51.61 is asking the vpn server to fragment
>some packet. I guess that the packet is a encrypted version of the
>TCP packet above? I guess that means that either the vpn server
>needs to not set the DF bit, or it needs to translate the ICMP
>message into something that it can return to the TCP sender. How
>to do that probably depends on how you configure the vpn stuff. The
>gif man page says that the DF bit should not be set on the packets
>that it generates.
>  
>
IP addresses involved are:

203.15.51.58 is the webserver (desperado.sorbs.net)
203.15.51.36 is the Old DB server (dominator.sorbs.net)
203.15.51.61 is the VPN terminator (stealth.sorbs.net)
10.200.254.2 is the other end of the VPN (oblivion.isux.com)
10.200.254.98 is my laptop running Slackware Linux, for the dump below I 
used wget to do a simple GET /

FreeBSD oblivion.isux.com 5.3-RELEASE-p8 FreeBSD 5.3-RELEASE-p8 #4: Sun Apr 
17 09:55:22 EST 2005 
root_at_oblivion.isux.com:/usr/obj/usr/src/sys/OBLIVION  i386
FreeBSD stealth.sorbs.net 5.3-RELEASE-p8 FreeBSD 5.3-RELEASE-p8 #1: Fri Apr 
15 15:31:30 EST 2005 root_at_stealth.sorbs.net:/usr/obj/usr/src/sys/STEALTH  i386
FreeBSD desperado.sorbs.net 5.3-RELEASE-p9 FreeBSD 5.3-RELEASE-p9 #3: Fri 
Apr 15 15:29:29 EST 2005 
root_at_desperado.sorbs.net:/usr/obj/usr/src/sys/DESPERADO  amd64

Network is like this (view with fixed font):

           10.200.254.98
                 ^
                 |
            wireless net
                 |
                 |
           10.200.254.2
            192.168.1.2 -----> wired LAN -----
          138.130.dynamic                    |
                 |     ^               192.168.1.0/24
              default  |
                 |     |
                \|/   VPN
          _______|_____|___
                       |
              INTERNET |
          _____________|___
                 |     |
                /|\   VPN
                 |     |
           203.101.254.30 <-----------
                 ^                   |
                 |                  VPN
                 |                   |
           203.101.254.254          /|\
            203.15.51.33             |
                 ^                  VPN
                 |                   |
              default                |
               route             VPN Server
                 |             203.101.254.252
                 |              203.15.51.61
                 |                   |     ^
     -----203.15.51.32/27-------------     |
     |                     |               |
     |                     |               |
203.15.51.58         203.15.51.36         |
     |                     |               |
     |                     |               |
     -->Route for 10.200.254.0/24-----------
              and 192.168.1.0/24

I hope that makes sense ;-)

Basically the current default route is the old firewall; it is being 
replaced by the server that is also the VPN server.

The VPN terminator (stealth.sorbs.net) is going to be a firewall; however, it 
isn't a firewall yet, therefore the current rules are simply:

pass in from any to any
pass out from any to any

(ipf enabled, ipfw not compiled in, pf not enabled)


Following is a tcpdump from the VPN terminator:

root_at_stealth:~# tcpdump -i dc0 -n host 203.15.51.58
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on dc0, link-type EN10MB (Ethernet), capture size 96 bytes
21:29:41.026070 arp who-has 203.15.51.58 tell 203.15.51.36
21:29:46.454576 IP 10.200.254.98.33080 > 203.15.51.58.80: SWE
2722075077:2722075077(0) win 5840 <mss 1460,sackOK,timestamp 1028974 
0,nop,wscale 0>
21:29:46.454705 IP 203.15.51.58.80 > 10.200.254.98.33080: S 
1200777202:1200777202(0) ack 2722075078 win 65535 <mss 1460,nop,wscale 
1,nop,nop,timestamp 367292134 1028974,nop,nop,sackOK>
21:29:46.495554 IP 10.200.254.98.33080 > 203.15.51.58.80: . ack 1 win 5840 
<nop,nop,timestamp 1028979 367292134>
21:29:50.721228 IP 10.200.254.98.33080 > 203.15.51.58.80: P 1:17(16) ack 1 
win 5840 <nop,nop,timestamp 1029400 367292134>
21:29:50.820112 IP 203.15.51.58.80 > 10.200.254.98.33080: . ack 17 win 33304 
<nop,nop,timestamp 367296606 1029400>
21:29:50.863489 IP 10.200.254.98.33080 > 203.15.51.58.80: P 17:21(4) ack 1 
win 5840 <nop,nop,timestamp 1029416 367296606>
21:29:50.865526 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 
21 win 33304 <nop,nop,timestamp 367296652 1029416>
21:29:50.865538 IP 203.15.51.58.80 > 10.200.254.98.33080: P 1449:1880(431) 
ack 21 win 33304 <nop,nop,timestamp 367296652 1029416>
21:29:50.865547 IP 203.15.51.58.80 > 10.200.254.98.33080: F 1880:1880(0) ack 
21 win 33304 <nop,nop,timestamp 367296652 1029416>
21:29:50.866097 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 
unreachable - need to frag
21:29:50.929844 IP 10.200.254.98.33080 > 203.15.51.58.80: . ack 1 win 5840 
<nop,nop,timestamp 1029420 367296606,nop,nop,sack sack 1 {1449:1880} >
21:29:50.935786 IP 10.200.254.98.33080 > 203.15.51.58.80: . ack 1 win 5840 
<nop,nop,timestamp 1029420 367296606,nop,nop,sack sack 1 {1449:1881} >
21:29:57.175022 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 
21 win 33304 <nop,nop,timestamp 367303115 1029420>
21:29:57.175148 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 
unreachable - need to frag
21:30:09.595314 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 
21 win 33304 <nop,nop,timestamp 367315837 1029420>
21:30:09.595498 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 
unreachable - need to frag
21:30:17.561779 IP 203.15.51.58.80 > 10.200.254.98.33072: . 
4283830444:4283831892(1448) ack 2167167726 win 33304 <nop,nop,timestamp
367323997 985979>
21:30:17.561907 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 
unreachable - need to frag
21:30:24.545302 IP 10.200.254.98.33080 > 203.15.51.58.80: P 21:23(2) ack 1 
win 5840 <nop,nop,timestamp 1032783 367296606,nop,nop,sack sack 1
{1449:1881} >
21:30:24.545430 IP 203.15.51.58.80 > 10.200.254.98.33080: R 
1200777203:1200777203(0) win 0
21:30:37.307121 IP 203.15.51.58.80 > 10.200.254.98.33073: . 
3057749166:3057750614(1448) ack 2221689087 win 33304 <nop,nop,timestamp
367344222 980032>
21:30:37.307248 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 
unreachable - need to frag
^C
25 packets captured
201 packets received by filter
0 packets dropped by kernel

If you need it the interfaces on stealth are configured as follows:

  fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         options=8<VLAN_MTU>
         inet 203.101.254.252 netmask 0xffffff00 broadcast 203.101.254.255
         inet6 fe80::290:27ff:fec2:4977%fxp0 prefixlen 64 scopeid 0x1
         ether 00:90:27:c2:49:77
         media: Ethernet autoselect (100baseTX <full-duplex>)
         status: active
dc0: flags=108843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         options=8<VLAN_MTU>
         inet 203.15.51.61 netmask 0xffffffe0 broadcast 203.15.51.63
         inet6 fe80::2a0:cff:fec0:cc23%dc0 prefixlen 64 scopeid 0x2
         ether 00:a0:0c:c0:cc:23
         media: Ethernet autoselect (100baseTX <full-duplex>)
         status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
         inet 127.0.0.1 netmask 0xff000000
         inet6 ::1 prefixlen 128
         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
         tunnel inet 203.101.254.252 --> 138.130.223.244
         inet 203.15.51.61 --> 192.168.1.2 netmask 0xffffff00
         inet6 fe80::290:27ff:fec2:4977%gif0 prefixlen 64 scopeid 0x5

IPv4 Routing table:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.101.254.30     UGS         7   486813   fxp0
10.200.254/24      192.168.1.2        UGS         0     1239   gif0
127.0.0.1          127.0.0.1          UH          0       97    lo0
192.168.1          192.168.1.2        UGS         0    12666   gif0
192.168.1.2        203.15.51.61       UH          2      138   gif0
203.15.51.32/27    link#2             UC          0        0    dc0
203.15.51.33       00:00:e8:3d:c7:f2  UHLW        0    10887    dc0   1191
203.15.51.35       08:00:20:b2:58:e6  UHLW        0        6    dc0    802
203.15.51.36       00:0f:20:30:cd:f0  UHLW        0    14290    dc0   1064
203.15.51.38       02:00:06:e3:44:9a  UHLW        0       48    dc0    690
203.15.51.41       02:00:06:e3:44:9a  UHLW        0       48    dc0    154
203.15.51.42       02:00:06:e3:44:9a  UHLW        0       12    dc0    692
203.15.51.51       08:00:20:b2:58:e6  UHLW        0        0    dc0    776
203.15.51.58       00:09:5b:09:de:2a  UHLW        0       32    dc0    872
203.15.51.62       08:00:20:b2:58:e6  UHLW        0      216    dc0    137
203.101.254        link#1             UC          0        0   fxp0
203.101.254.30     00:d0:05:15:0c:0a  UHLW        1        0   fxp0   1198

Sorry if it's too much info; if there is anything missing that you need, just mail...

Regards,

-- 
Matthew Sullivan
Specialist Systems Programmer
Information Technology Services
The University of Queensland
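To make the pattern in that dump easy to spot, here is an added example (not from the mail, and not FreeBSD code) that parses the tcpdump lines, pairs each oversized segment with the "need to frag" it draws from 203.15.51.61, and flags senders that keep retransmitting the same segment at the same size, which is the PMTUD black-hole symptom seen above. The gif0 MTU of 1280 comes from the ifconfig output; the header sizes used to derive a safe MSS (20 IP + 20 TCP + 12 timestamp option, both ends negotiated timestamps) are my assumption.

```python
import re
from collections import defaultdict

# Dump lines copied from the tcpdump in the mail above, with the lines the
# mailer folded re-joined; TCP options after "win" are dropped as irrelevant.
DUMP = """\
21:29:50.865526 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 21 win 33304
21:29:50.865538 IP 203.15.51.58.80 > 10.200.254.98.33080: P 1449:1880(431) ack 21 win 33304
21:29:50.866097 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag
21:29:57.175022 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 21 win 33304
21:29:57.175148 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag
21:30:09.595314 IP 203.15.51.58.80 > 10.200.254.98.33080: . 1:1449(1448) ack 21 win 33304
21:30:09.595498 IP 203.15.51.61 > 203.15.51.58: icmp 36: 10.200.254.98 unreachable - need to frag
"""

TCP_RE = re.compile(r"^\S+ IP (\S+)\.\d+ > (\S+)\.\d+: \S+ (\d+):(\d+)\((\d+)\)")
ICMP_RE = re.compile(r"^\S+ IP \S+ > (\S+): icmp \d+: (\S+) unreachable - need to frag")

TUNNEL_MTU = 1280                     # gif0 mtu from the ifconfig output in the mail
IP_HDR, TCP_HDR, TS_OPT = 20, 20, 12  # assumed header sizes; timestamps are on

def max_payload(mtu=TUNNEL_MTU):
    """Largest TCP payload that fits through the tunnel without fragmentation."""
    return mtu - IP_HDR - TCP_HDR - TS_OPT

def find_pmtud_blackholes(dump, mtu=TUNNEL_MTU):
    """Flag segments that are too big for the tunnel, drew a need-to-frag, and
    were then retransmitted at the same size, i.e. the sender is not reacting
    to the ICMP. Returns a list of (segment_key, retransmissions, icmp_hits)."""
    sends = defaultdict(int)      # (src, dst, seq_lo, seq_hi, len) -> times seen
    icmp_hits = defaultdict(int)  # same key -> need-to-frag messages it drew
    last_big = {}                 # (src, dst) -> latest oversized segment key
    for line in dump.splitlines():
        m = TCP_RE.match(line)
        if m:
            src, dst = m.group(1, 2)
            lo, hi, n = map(int, m.group(3, 4, 5))
            key = (src, dst, lo, hi, n)
            sends[key] += 1
            if n > max_payload(mtu):
                last_big[(src, dst)] = key
            continue
        m = ICMP_RE.match(line)
        if m:  # ICMP is addressed to the sender and names the unreachable dst
            key = last_big.get((m.group(1), m.group(2)))
            if key is not None:
                icmp_hits[key] += 1
    return [(k, sends[k] - 1, icmp_hits[k])
            for k in sends if sends[k] > 1 and icmp_hits[k] > 1]

if __name__ == "__main__":
    for seg, retx, hits in find_pmtud_blackholes(DUMP):
        print(f"{seg}: {retx} retransmits, {hits} need-to-frag; clamp MSS to {max_payload()}")
```

The same parser can be pointed at a live `tcpdump -n` capture on the tunnel box; a non-empty result means the ICMP is leaving the router but the sender never shrinks its segments, so MSS clamping at the tunnel endpoint is the usual workaround.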


Received on Wed Apr 20 2005 - 09:37:20 UTC
