[kwlug-disc] No web on LAN - but everything else works...

Thu Dec 18 00:09:09 EST 2008

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for the responses.  The solution is as John outlined: MTU size a
little too big for a Videotron cable modem in Montreal to handle.

In the shorewall.conf file, switching from the default "No" to:

CLAMPMSS=Yes

sets the MSS on the outbound interface to MTU-40 and magically allows
Internet web browsing from the LAN.

Helpful tool: tshark (wireshark on the command line)

Thanks a million John!

Cheers,
Lori

john at netdirect.ca wrote:
> I'd also be tempted to wireshark a web page request. With mtu issues you see the starts of a conversation, the request and one reponse packet, then nothing until timeout. 
> 
> 
> 
> ----- Original Message -----
> From: "L.D. Paniak" [ldpaniak at fourpisolutions.com]
> Sent: 12/17/2008 12:22 PM EST
> To: KWLUG discussion <kwlug-disc at kwlug.org>
> Subject: Re: [kwlug-disc] No web on LAN - but everything else works...
> 
> 
> 
> It's a cable modem and the MTU is reported at 576.  I thought this was
> ridiculously low.  Nowhere near the 1500/1492 I'd expect.
> 
> I'll give ping a try with big packets.
> 
> 
> john at netdirect.ca wrote:
>> This isn't a comprehensive response but how about MTU? Is it possible that the MtU for the dsl is too large and packet fragmentation is causing problems with large packets?  Use ping options that create large payloads for testing. 
> 
> 
> 
>> ----- Original Message -----
>> From: "L.D. Paniak" [ldpaniak at fourpisolutions.com]
>> Sent: 12/17/2008 12:10 PM EST
>> To: kwlug-discussion <kwlug-disc at kwlug.org>
>> Subject: [kwlug-disc] No web on LAN - but everything else works...
> 
> 
> 
>> OK, I'm at my wit's end with this one.  Maybe you guys and gals can
>> point out what I'm missing.
> 
>> Background:  Samba fileserver running Debian Lenny with Shorewall
>> firewall connected to (dhcp) cable modem on eth0 and a lan on br0 (a
>> bridge of lan on eth1, openvpn tap0 and an admin network on eth2).
> 
>> modem -- eth0 -- shorewall -- br0 (eth1,2 and tap0)
> 
>> Everything worked well until last Thursday when a power outage resulted
>> in an 'awkward' shutdown.
> 
>> On reboot, there was no network connectivity on eth0 and eth1.  Both
>> ports are on a dual-port Intel e1000 gigabit card.  Apparently the
>> onboard nvram became corrupted.  Reflashing the card fixed that and
>> restored network connectivity (mostly-read on).
> 
>> Now from the server, all connectivity to the Internet (including
>> http/https) and the LAN is OK.  Speeds good, no packet problems reported
>> in ifconfig.  From the LAN, Samba is there along with other machines on
>> the LAN and all internet services are good with excellent speed.
> 
>> The problem is with Internet access from computers on the LAN.  A
>> computer on the LAN has no web access.  Strangely, e-mail works and
>> Skype can log in.  Pings from the LAN to the internet work and name
>> resolution is good.  ie. ping google.ca gives a good result.
> 
>> It seems that the server is refusing to return requested Internet web
>> traffic to the appropriate LAN client.  NAT is configured in Shorewall
>> via the masq file.  Here it looks like:
> 
>> eth0	br0
> 
>> Very simple and worked until last Friday.
> 
>> Is there something I should be looking for in iptables?  Why should
>> e-mail be different than web traffic - I do not differentiate anywhere
>> in the firewall? Is there something 'stuck'?...
> 
>> Thanks for any and all insight!
>> Lori
> 
> _______________________________________________
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
> 

_______________________________________________
kwlug-disc_kwlug.org mailing list
kwlug-disc_kwlug.org at kwlug.org
http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJSdr18h2PnOHbiQcRAtcSAJ9LbSn2F2dk+KWq5XHBq2qDF0ZcHQCfZ3MJ
I6rzOQseu33v9w+eZm35zkw=
=4nXU
-----END PGP SIGNATURE-----