sbc dsl and linksys firewall config issues

Gerald Combs gerald at ethereal.com
Sun Jan 16 15:33:24 CST 2005


hanasaki wrote:
> What would make double NAT fail?  fyi: works in my home just fine though
> two Linux iptables setups for something I was playing with.  Then again
> NAT on Linux may be better than that in a hardware firewall?

As far as basic port and address translation goes, double, triple, or
dodecuple NAT should work, albeit with a performance penalty for each
hop.  You might run into trouble with protocols requiring extended
functionality, such as tracking multiple VPN sessions, or with passing
UPnP information up the chain.


> Hmmm what's the association with the MTU setting?  And just where is
> this set in the dsl modem and in windows?  "just works" with Linux...
> too bad this system isn't fully under my control to do "right".   How do
> you find the "right" MTU setting?

If you're using PPPoE, the PPP header sucks up 20 bytes of your Ethernet
payload, leaving you with a 1480-byte MTU on the link between your DSL
modem and your provider.  If either end of a connection tries to send a
1500 byte packet through this link, it won't fit.  The packet will have
to be fragmented, and sent down the link as separate packets.  However,
if the Don't Fragment bit is set in the IP header of that particular
packet, one of the devices on that link will have to send an ICMP
"destination unreachable/fragmentation needed" back to the source.

The trouble happens when the following occurs:

  - You're running PPPoE
  - Your PC has an MTU of 1500 bytes set
  - You're connecting to a web site (such as eBay), which sets the DF
    bit on its HTTP connections _and_ drops all inbound ICMP packets.

When your PC connects to eBay, it advertises its MTU indirectly using
the MSS TCP option.  eBay starts blasting a web page back, but as soon
as it sends a 1500 byte packet your provider's DSLAM sends back a
"fragmentation needed" message.  This message is dropped on eBay's end.
Your browser and eBay's server keep re-sending packets until the
connection times out.
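The exchange described above, as an added model that is not part of the original post: the packet sizes (1500-byte PC MTU, 1480-byte PPPoE link, DF set, ICMP dropped at the server) are the post's, while the 6000-byte page, the retransmission limit and the hypothetical clamp_mss knob (standing in for MSS clamping on the firewall) are constructed for the example.

```python
# Model of the PPPoE path-MTU "blackhole" described in the post above
# (constructed scenario, not the author's code).  Sizes follow the post:
# the PC's MTU is 1500 and the PPPoE link carries at most 1480 bytes.
LINK_MTU = 1480          # PPPoE link MTU quoted in the post
HEADERS = 40             # IPv4 header (20) + TCP header (20), no options


def mss_for_mtu(mtu):
    """MSS a host advertises in its SYN: its MTU minus IP and TCP headers."""
    return mtu - HEADERS


def fetch(pc_mtu, server_accepts_icmp, clamp_mss=None, payload=6000, max_retx=4):
    """Simulate the server pushing `payload` bytes of a web page to the PC.

    Returns (outcome, trace): outcome is "ok" or "timeout"; trace lists the
    packets exchanged.  clamp_mss is a hypothetical firewall setting that
    rewrites the PC's advertised MSS before the SYN reaches the server
    (the usual mitigation for this failure).  payload and max_retx are
    constructed values, not from the post.
    """
    mss = mss_for_mtu(pc_mtu)
    if clamp_mss is not None:
        mss = min(mss, clamp_mss)
    seg = mss + HEADERS          # server's full-size packet, DF bit set
    trace, delivered, retx = [], 0, 0
    while delivered < payload:
        trace.append(f"server -> PC: {seg}-byte TCP segment, DF set")
        if seg > LINK_MTU:
            # DF is set and the packet does not fit: the DSLAM/router drops it
            # and sends ICMP "destination unreachable / fragmentation needed".
            trace.append(f"DSLAM -> server: ICMP frag-needed, MTU {LINK_MTU}")
            if server_accepts_icmp:
                seg = LINK_MTU   # server lowers its path MTU and resends
                continue
            trace.append("server firewall: ICMP dropped, retransmitting")
            retx += 1
            if retx >= max_retx:
                return "timeout", trace   # connection hangs, as in the post
            continue
        delivered += seg - HEADERS
    return "ok", trace
```

Setting the PC's MTU to 1480, or clamping the MSS to 1440 on the router, both keep every server packet at or below the link MTU, so the ICMP message is never needed.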

More information about the Kclug mailing list