I've got my router set up but some web pages will just not load in addition to msn messenger not working. Here's the export from IP. Can anyone give me some direction on what I'm doing wrong? Thanks for the help.
/ ip pool
add name="dhcp-pool-1" ranges=10.0.0.200-10.0.0.254
/ ip accounting
set enabled=no threshold=256
/ ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ ip address
add address=10.0.0.1/24 network=10.0.0.0 broadcast=10.0.0.255 interface=ether1 comment="added by setup" disabled=no
/ ip arp
/ ip dns
set primary-dns=217.237.150.33 secondary-dns=217.237.151.161 allow-remote-requests=no cache-size="2048 kB" \
cache-max-ttl=7d
/ ip firewall
set input name="input" policy=accept comment=""
set forward name="forward" policy=accept comment=""
set output name="output" policy=accept comment=""
/ ip firewall mangle
add action=accept comment="" disabled=yes
/ ip firewall service-port
set ftp ports=21 disabled=yes
set pptp disabled=yes
set gre disabled=no
set h323 disabled=yes
set mms disabled=yes
set irc ports=6667 disabled=yes
set quake3 disabled=yes
set tftp ports=69 disabled=yes
/ ip firewall src-nat
add out-interface=pppoe-out1 action=masquerade comment="" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m tcp-established-timeout=5d tcp-fin-wait-timeout=2m \
tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s \
udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m
/ ip neighbor discovery
set ether1 discover=yes
set ether2 discover=yes
set pppoe-out1 discover=no
/ ip route
/ ip service
set telnet port=23 address=0.0.0.0/0 disabled=yes
set ftp port=21 address=10.0.0.1/24 disabled=no
set www port=80 address=0.0.0.0/0 disabled=no
set ssh port=22 address=0.0.0.0/0 disabled=yes
/ ip socks
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
/ ip policy-routing
/ ip policy-routing rule
add src-address=0.0.0.0/0 dst-address=0.0.0.0/0 flow="" interface=all action=lookup table=main comment="" disabled=no
/ ip policy-routing table main
/ ip upnp
set enabled=yes
/ ip upnp interfaces
add interface=ether2 type=internal disabled=no
add interface=pppoe-out1 type=external disabled=no
/ ip dhcp-client
set enabled=no interface=ether2 host-name="" client-id="" add-default-route=no use-peer-dns=yes
/ ip dhcp-server
add name="dhcp1" interface=ether1 lease-time=3d address-pool=dhcp-pool-1 add-arp=yes authoritative=yes disabled=no
/ ip dhcp-server lease
/ ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1 dns-server=217.237.150.33,194.25.2.129 wins-server=10.0.0.1,10.0.0.1 \
comment="added by setup"
/ ip ipsec proposal
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 disabled=no
/ ip web-proxy
set enabled=no src-address=0.0.0.0 port=3128 hostname="proxy" transparent-proxy=no parent-proxy=0.0.0.0:0 \
cache-administrator="webmaster" max-object-size="4096 kB" cache-drive=system max-cache-size=none
/ ip web-proxy access
add dst-port=!443,563 method=connect action=deny comment="allow CONNECT only to SSL ports 443 \[https\] and 563 \
\[snews\]" disabled=no
/ ip web-proxy cache
add url="cgi-bin \\?" action=deny comment="don't cache dynamic http pages" disabled=no
Here's my interface export too.
/ interface ethernet
set ether1 name="ether1" mtu=1450 arp=enabled disable-running-check=yes auto-negotiation=yes full-duplex=yes \
long-cable=no speed=100Mbps disabled=no
set ether2 name="ether2" mtu=1450 arp=enabled disable-running-check=yes auto-negotiation=yes full-duplex=yes \
long-cable=no speed=100Mbps disabled=no
/ interface bridge port
set ether1 bridge=none priority=128 path-cost=10
set ether2 bridge=none priority=128 path-cost=10
/ interface l2tp-server server
set enabled=no mtu=1460 mru=1460 authentication=mschap2,mschap1,chap,pap default-profile=default
/ interface pppoe-client
add name="pppoe-out1" mtu=1450 mru=1450 interface=ether2 user="*******@t-online.de" \
password="******" profile=default service-name="" ac-name="" add-default-route=yes dial-on-demand=yes \
use-peer-dns=yes allow=mschap2,mschap1,chap,pap disabled=no
/ interface pptp-server server
set enabled=no mtu=1460 mru=1460 authentication=mschap2,mschap1 keepalive-timeout=30 default-profile=default
TCP MSS
Looks like you've caused a PMTUD "black hole".
A quick fix is setting a firewall mangle rule to rewrite TCP SYN packet MSS. In your case I would try setting MSS=1400 and working your way up from there until it breaks.
A longer term fix is to make sure your client PCs always know how big the path is between them and their destinations.
A quick fix is setting a firewall mangle rule to rewrite TCP SYN packet MSS. In your case I would try setting MSS=1400 and working your way up from there until it breaks.
A longer term fix is to make sure your client PCs always know how big the path is between them and their destinations.
Path MTU (Maximum Transmission Unit) Discovery. Read the notes here: http://www.cisco.com/warp/public/105/38.shtmlWhat does PMTUD stand for? And do you think just setting the MTU to 1400 would fix the problem?
From the document: "Sometimes, over some IP paths, a TCP/IP node may send small amounts of data (typically less than 1500 bytes) with no difficulty, but transmission attempts with larger amounts of data hang, then time out. Often this is observed as a unidirectional problem: large data transfers succeed in one direction but fail in the other direction."
Good luck.
Re: web sites won't load
why are you changing the ethernet MTU? afaik that does not make sense.interface ethernet
set ether1 name="ether1" mtu=1450 arp=enabled disable-running-check=yes auto-negotiation=yes full-duplex=yes \
long-cable=no speed=100Mbps disabled=no
...
t-dsl works usually with MTU=1442 but might be up to 1492./ interface pppoe-client
add name="pppoe-out1" mtu=1450 mru=1450 interface=ether2
there's a (german language) faq:
http://www.sauff.com/dsl-faq/mtu-mini-faq.html
(and a lot of other router forums discussing the MTU issue)
e.g. my pppoe config:
Code: Select all
0 R name="strato-dsl" mtu=1480 mru=1480 interface=ether3-wan user="STRATO/*************************%DSL1"
password="************" profile=default service-name="" ac-name="" add-default-route=yes dial-on-demand=no
use-peer-dns=yes allow=mschap2,mschap1,chap,pap
matthias
Re: web sites won't load
i found similar and strange problems too. some web-sites do not load at all, e.g:
http://www.ebay.de
webmail.macnews.de
http://www.apple.com/de (sometimes loading, but very, very slow)
and IMAP works only partially (server side commands work, but no fetch)
everything else works, i.e. most http- and https-, smtp-, pop3-, pptp-connections.
MT-ROS is 2.8.16.
i have only masquerading enabled on the pppoe-out interface.
i tried changing the MTU (MRU) in the range from 1492 down to 1200 bytes, with and without mangle-rule for the MSS. therefor i guess it is not the well known MTU problem.
(btw: pppoe client uses settings from the ppp-default profile! so dont touch this)
i did some protocol analyzing and it seems to me that the outgoing packets are somehow damaged (e.g. incomplete IMAP commands), but checksums et cetera are ok. packet size was below MTU in this cases too.
when i enable the transparent web-proxy, http connections are working to the before unreachable websites like ebay. could it be some masquerading problem?
any ideas or hints?
(i've never seen such before. if i replace the mt-router with my draytek vigor, everything is working, so i do not blame the isp)
tia.
matthias
http://www.ebay.de
webmail.macnews.de
http://www.apple.com/de (sometimes loading, but very, very slow)
and IMAP works only partially (server side commands work, but no fetch)
everything else works, i.e. most http- and https-, smtp-, pop3-, pptp-connections.
MT-ROS is 2.8.16.
i have only masquerading enabled on the pppoe-out interface.
i tried changing the MTU (MRU) in the range from 1492 down to 1200 bytes, with and without mangle-rule for the MSS. therefor i guess it is not the well known MTU problem.
(btw: pppoe client uses settings from the ppp-default profile! so dont touch this)
i did some protocol analyzing and it seems to me that the outgoing packets are somehow damaged (e.g. incomplete IMAP commands), but checksums et cetera are ok. packet size was below MTU in this cases too.
when i enable the transparent web-proxy, http connections are working to the before unreachable websites like ebay. could it be some masquerading problem?
any ideas or hints?
(i've never seen such before. if i replace the mt-router with my draytek vigor, everything is working, so i do not blame the isp)
tia.
matthias