Re: MTU
From: Yuki Arif (Yuki.Arif@ericsson.com)  Date: 10/16/02
From: "Yuki Arif" <Yuki.Arif@ericsson.com> Date: Wed, 16 Oct 2002 17:51:50 +0700
Hello Leonid,
Here is the detail of the diagram:

<<<-------------------------------------------- Packet Flow --------------------------------------------

Laptop client ---- GSM network ---- Router GPRS Equipment box ---- Router 1 ---- Firewall ---- Internet.
There is an IPsec tunnel between the Router GPRS Equipment box and Router 1.

If we set the MTU on the Firewall interface towards Router 1 = 1500, Router 1
will add the IPsec header, so the total packet will be more than 1500. The MTU
between the Router GPRS Equipment box and Router 1 is 1500, so Router 1
will fragment the IPsec packet. When there are many fragmented IPsec packets
in the Router GPRS Equipment box, the router will restart.

That's why we set the MTU on the Firewall interface towards Router 1 = 1450, to
make sure the total packet coming out of Router 1 is always below or equal
to MTU = 1500. The IPsec header is around 44 bytes.

Our Router 1 is not a Cisco router. A Cisco router will calculate the
incoming packet first and divide the packet in some way, so the
total packet coming out of Router 1 is always below or equal to MTU = 1500, so
there is no IPsec fragmentation in the Router GPRS Equipment box.

The problem we have is, when we set the MTU on the Firewall interface towards
Router 1 = 1450, we cannot browse with Windows 2k (default MTU 1500).
Windows 98 is fine since it does not use MTU 1500. When we decrease the MTU
to 1450 on the laptop with Windows 2k, browsing is OK.

We suspect the firewall has some problem, but I am not good with firewalls.
I have the following info but I don't know how to implement it in Checkpoint
Firewall (how to permit ICMP type-3 code 4).
NAT Does Not Work to Certain Sites
Q:
I am hiding my clients behind my firewall's external interface. I am having
problems surfing to one site in particular. What might be the problem?
A:
Use a packet sniffer to look for packets larger than MTU with the "do not
fragment" bit set. snoop, tcpdump, or the like should be able to find
packets like this. Once you determine that, either permit ICMP type-3 code 4
packets to your clients or adjust your MTU. A more detailed discussion of
MTU Discovery can be found here <http://users.worldgate.ca/~marcs/mtu/>.
Another possibility is that you are attempting to access a website that is
using the same address space you are using internally and NATting. This is
why if you are using non-routable addresses on your internal network, you
should strive to use those as defined by RFC-1918. (Thanks to Simon Hornby
<mailto:simon.hornby@grenville.co.uk> for reminding me of this)
ICMP Error Codes
Q:
What do the ICMP Error Codes mean? I see them in the logs with any ICMP
packets that get logged.
A:
From RFC 1700:

Type 0   Echo Reply
Type 3   Destination Unreachable
         Code 0 = net unreachable;
              1 = host unreachable;
              2 = protocol unreachable;
              3 = port unreachable;
              4 = fragmentation needed and DF set;
              5 = source route failed.
Type 4   Source Quench
Type 5   Redirect
         Code 0 = Redirect datagrams for the Network.
              1 = Redirect datagrams for the Host.
              2 = Redirect datagrams for the Type of Service and Network.
              3 = Redirect datagrams for the Type of Service and Host.
Type 8   Echo
Type 11  Time Exceeded
         Code 0 = time to live exceeded in transit;
              1 = fragment reassembly time exceeded.
Type 12  Parameter Problem
         Code 0 = pointer indicates the error.
Type 13  Timestamp
Type 14  Timestamp Reply
Type 15  Information Request
Type 16  Information Reply
Cheers
Yuki
"Leonid Rosenboim" <My_1st_name@Consultant.Com> wrote in message
news:newscache$ey0z3h$0j8$1@lnews.actcom.co.il...
> Yuki,
>
> GPRS is sub-layer-2, you can't just have the GPRS hooked straight into your
> firewall. There is still something missing in your diagram.
> Typically, people run PPP on top of GPRS, so your laptop dial-up driver
> will work with an Access Server on the other end (e.g. AccessPath 5300)
> which terminates the PPP connections, and outputs IP packets over Ethernet
> which then get into the firewall. Alternatively, the access server which
> terminates PPP may also run firewall software in the same box.
>
> Anyhow, during PPP session establishment, the IPCP component will negotiate
> an IP address, mask, default gateway and MTU, so that the MTU on your laptop
> should match the MTU of the PPP interface of the access server. The MTU on
> the ethernet side of the access server does not need to match that of your
> laptop because the access server is a Layer-3 device.
>
> Please clarify your situation, and restate the actual problem you're facing,
> so I will be able to help further.
>
> -----------------------------------------------------------------------
> Leonid Rosenboim        Visit: http://gamla.org.il/english/index.htm
> Consultant              Email: my first name at consultant dot com
>
>
> "Yuki Arif" <Yuki.Arif@ericsson.com> wrote in message
> news:aoea92$rhn$1@aken.eed.ericsson.se...
> > Hi Leonid
> >
> > Thanks for your answer.
> >
> > I must revise my diagram...
> >
> > My Laptop <-----> GPRS Network <------> Firewall <-----> LAN <----> Internet <-----> Webserver.
> >
> > The problem is, there is something wrong in the GPRS network that forces us to
> > make the MTU of the Firewall 1450.
> > How do I handle the Firewall to encounter 1500 MTU to 1450 MTU?
> >
> > Thanks..
> >
> > Yuki
> >
> >
> >
> > "Leonid Rosenboim" <My_1st_name@Consultant.Com> wrote in message
> > news:newscache$7byy3h$ud8$1@lnews.actcom.co.il...
> > > The standard MTU size for IP over Ethernet is 1500,
> > > when using the classic encapsulation (not SNAP).
> > > hence the setting on the firewall is in violation of the
> > > standard, and should be changed.
> > >
> > > On the other hand, all nodes on a given segment
> > > (i.e. Layer-2 domain) must have all their MTUs
> > > set identically (which explains why setting MTU
> > > to 1450 on your laptop seems to fix things).
> > >
> > > -- HTH
> > > -----------------------------------------------------------------------
> > > Leonid Rosenboim        Visit: http://gamla.org.il/english/index.htm
> > > Consultant              Email: my first name at consultant dot com
> > >
> > >
> > > "Yuki Arif" <Yuki.Arif@ericsson.com> wrote in message
> > > news:aoe82t$kde$1@aken.eed.ericsson.se...
> > > > Hello All,
> > > >
> > > > I have network like this :
> > > >
> > > > - My Laptop, Windows 2000, MTU 1500 (Private IP).
> > > >
> > > > - NAT in Firewall (checkpoint firewall 4.1 running on Sun Solaris).
> > > >
> > > > My Laptop <-----> LAN <------> Firewall <-----> LAN <----> Internet <-----> Webserver
> > > >
> > > > The MTU of the Firewall interface towards my laptop is 1450.
> > > >
> > > > The MTU of the Firewall interface towards the Webserver is 1500.
> > > >
> > > > Somehow, I cannot browse with MTU 1500 set up on my laptop.
> > > >
> > > > I can browse when I set my laptop MTU to 1450.
> > > >
> > > > Do you know what I should do?
> > > >
> > > > I have to use MTU = 1500 on my laptop.
> > > >
> > > > Thanks in advance.
> > > >
> > > > Yuki
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
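Added example, not written by any poster in this thread: a small Python model of the path-MTU problem discussed above. It covers the IPsec overhead budget behind the 1450 setting, the router's forward/fragment/ICMP decision for a DF packet, building and validating the ICMP type 3 code 4 message (with the RFC 1191 next-hop MTU field the firewall must let through), and a simulation showing why a DF sender at 1500 never recovers when that ICMP is filtered. The function names, the constants and the hop list are assumptions for illustration.

```python
import struct

IPSEC_OVERHEAD = 44  # per the thread, the IPsec header adds roughly 44 bytes (assumed)
LINK_MTU = 1500      # MTU of the link between the GPRS box and Router 1 (assumed)

def cleartext_budget(link_mtu=LINK_MTU, overhead=IPSEC_OVERHEAD):
    """Largest packet Router 1 may receive so the IPsec-wrapped copy still fits."""
    return link_mtu - overhead  # 1456; the thread rounds down to 1450

def classify(packet_len, df, if_mtu):
    """Router decision for one IP packet leaving an interface with MTU if_mtu."""
    if packet_len <= if_mtu:
        return "forward"
    return "icmp-frag-needed" if df else "fragment"

def inet_checksum(data):
    """RFC 1071 one's-complement checksum; a valid message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_frag_needed(next_hop_mtu, orig_hdr_plus_8):
    """ICMP type 3 code 4 with the RFC 1191 next-hop MTU field filled in."""
    msg = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + orig_hdr_plus_8
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]

def parse_frag_needed(msg):
    """Return the advertised next-hop MTU, or None if not type 3 / code 4 or corrupt."""
    if len(msg) < 8 or inet_checksum(msg) != 0:
        return None
    t, c, _, _, mtu = struct.unpack("!BBHHH", msg[:8])
    return mtu if (t, c) == (3, 4) else None

def pmtud(send_size, hop_mtus, icmp_allowed):
    """Simulate a DF sender (the Windows 2000 laptop at 1500) across hop_mtus.
    Returns the size that finally gets through, or None for a PMTUD black hole."""
    size = send_size
    while True:
        too_small = [m for m in hop_mtus if size > m]
        if not too_small:
            return size
        if not icmp_allowed:   # firewall drops ICMP type 3 code 4: sender never learns
            return None
        size = too_small[0]    # sender lowers its estimate to the first reported MTU
```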