[Shorewall-users] Shorewall, rp-pppoe & big transfers

Joshua Banks l0f33t at yahoo.com
Sat Dec 13 16:28:00 PST 2003

--- Dominique Archambault <apox at yahoo.com> wrote:
> >> Dec 11 21:32:05 helios pppoe[11017]: Session 437 terminated -- received PADT
> >> from peer
> >>
> >> Dec 11 21:32:05 helios pppoe[11017]: Sent PADT
> >> Dec 11 21:32:05 helios pppd[10919]: Modem hangup
> >> Dec 11 21:32:05 helios pppd[10919]: Connection terminated.
> >> Dec 11 21:32:05 helios pppd[10919]: Connect time 15.0 minutes.
> >> Dec 11 21:32:05 helios pppd[10919]: Sent 3675916 bytes, received 124650419
> >> bytes.
> >>
> >> I am pretty sure that this issue is related to Shorewall one way or another,
> >> because if I try the exact same download on my Shorewall machine, all goes
> >> well. The problem only occurs when downloading from a NATed machine.
> >
> > You received a PADT packet, stands for "PPPoE Active Discovery Terminate".
> > Your ISP intentionally disconnected you.
> >
> > Does your DSL provider have policies disallowing NAT? I'm not sure how they
> > could detect whether or not you are running NAT but they might just be making
> > an "educated" guess.
> That would be surprising, considering that I have no problem using
> Linksys or D-Link routers (BEFSR41 & DI-614+ respectively). Unless
> Shorewall implements NAT differently, thus allowing my ISP to detect I
> have a NAT set up…?

I would suspect that MTU size could be the issue here. I could be

PPPoE has an MTU of 1492 bytes versus the regular 1500 bytes.

1) On the machine running shorewall what does "ifconfig" show? Please
paste that here.

2) On the shorewall machine what happens if you ping this ip with the
following "ping" options set?

banks@deadmeat etc $ ping -M do -s 1492

(The "-M do" says don't fragment this packet. So what you're trying to
do here is find the largest size packet that you can send over your
link without it needing to be fragmented. In my example I have this
set to "-s 1492" (this value is a good starting point for you).
Keep adjusting this value lower until your pings go through. For PPPoE
this is usually around 1464-1472.)

Max MTU for PPPoE is 1492 bytes - IP header of 20 bytes - ICMP header of 8
bytes. Right around in this ballpark anyways.

If you have Windows machines behind Shorewall then you can do:

"ping -l 1492 -f"
This is close to the same as the ping that you will do on shorewall.

When you get disconnected, what do you need to do to get reconnected
again? Reboot the cable modem?

There should be at a minimum some logs from Shorewall showing something
going on just before you get disconnected. If not, then I would packet
sniff with either tcpdump or Ethereal on an internal machine (when
doing a long file transfer) and on the external-facing NIC on
Shorewall to get a better idea of what's happening.

I suspect that MTU is an issue. But to blame Shorewall you will need to
provide some evidence, please. Every problem has a workaround, and with
Linux you should be able to work around just about any problem.

I think you have an internal machine negotiating with an external
machine to send packets with the biggest MTU for efficiency when doing
the transfer, and somehow they both don't realize that they have a PPPoE
link that sits between them with an MTU that is lower than the standard
1500-byte MTU for Ethernet.

Joshua Banks
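The probe procedure above (shrink the `ping -M do -s N` payload until it gets through, then add the 20-byte IP and 8-byte ICMP headers back to get the real path MTU) worked out in code, as an added example that is not part of the original post. The link model is constructed in memory so it runs offline: `make_simulated_link` stands in for a real 1492-byte PPPoE path, and `real_link_probe` shows how the same search would shell out to `ping` instead. The `1492`/`1500` sizes and header lengths come from the post and the IPv4/ICMP/TCP header formats; the TCP MSS figure (MTU minus 40 bytes of IP and TCP headers) is the corresponding value for the TCP transfers the post describes, and is derived here rather than stated in the post.

```python
"""Path-MTU probing for a PPPoE link, modelled on the ping -M do procedure.

Added example, not code from the original mailing-list post. The link being
probed is a constructed in-memory model unless you use real_link_probe().
"""
import subprocess
from typing import Callable

IP_HEADER = 20    # IPv4 header without options
ICMP_HEADER = 8   # ICMP echo request/reply header
TCP_HEADER = 20   # TCP header without options
ETHERNET_MTU = 1500
PPPOE_MTU = 1492  # 1500 minus 8 bytes of PPPoE (6) + PPP (2) framing


def icmp_payload_for_mtu(mtu: int) -> int:
    """Largest `ping -s` payload that fits one unfragmented packet on this MTU."""
    return mtu - IP_HEADER - ICMP_HEADER


def path_mtu_from_payload(max_payload: int) -> int:
    """Inverse of the above: the MTU implied by the largest passing probe."""
    return max_payload + IP_HEADER + ICMP_HEADER


def tcp_mss_for_mtu(mtu: int) -> int:
    """Largest TCP segment that crosses this MTU without fragmentation."""
    return mtu - IP_HEADER - TCP_HEADER


def ping_command(host: str, payload: int) -> list:
    """The Linux probe from the post: don't-fragment set, fixed payload, one try."""
    return ["ping", "-M", "do", "-s", str(payload), "-c", "1", host]


def windows_ping_command(host: str, payload: int) -> list:
    """The Windows equivalent the post gives: -f (DF) and -l (payload size)."""
    return ["ping", "-f", "-l", str(payload), "-n", "1", host]


def make_simulated_link(link_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real path: a DF probe passes only if the whole
    IP packet (payload + IP + ICMP headers) fits within link_mtu."""
    def probe(payload: int) -> bool:
        return payload + IP_HEADER + ICMP_HEADER <= link_mtu
    return probe


def real_link_probe(host: str) -> Callable[[int], bool]:
    """Probe that actually runs ping (not exercised offline); ping exits non-zero
    when the DF packet cannot be sent or is not answered."""
    def probe(payload: int) -> bool:
        result = subprocess.run(ping_command(host, payload), capture_output=True)
        return result.returncode == 0
    return probe


def find_max_payload(probe: Callable[[int], bool], start: int = 1492) -> int:
    """Largest payload the probe accepts, starting from the post's -s 1492.

    The post steps the size down by hand; a bisection between a known-failing
    size and a known-passing one reaches the same answer in ~11 probes.
    """
    if probe(start):
        return start
    lo, hi = 0, start  # invariant: lo passes (0 always fits), hi fails
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def diagnose(probe: Callable[[int], bool]) -> dict:
    """Run the search and report the figures a practitioner wants from it."""
    max_payload = find_max_payload(probe)
    mtu = path_mtu_from_payload(max_payload)
    return {
        "max_ping_payload": max_payload,   # the -s value that last got through
        "path_mtu": mtu,                   # what to set the interface MTU to
        "tcp_mss": tcp_mss_for_mtu(mtu),   # largest TCP segment that fits
        "below_ethernet": ETHERNET_MTU - mtu,
    }


if __name__ == "__main__":
    # Offline run against the constructed 1492-byte PPPoE model.
    print(" ".join(ping_command("<gateway-ip>", 1492)))
    print(diagnose(make_simulated_link(PPPOE_MTU)))
```

Against the simulated 1492-byte link the search lands on a 1464-byte payload, matching the lower end of the post's "1464-1472" range; the 1472 upper end is what a plain 1500-byte Ethernet path gives. Swap `make_simulated_link(PPPOE_MTU)` for `real_link_probe("<gateway-ip>")` to run the same search on a live link.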

