On Tue, 10 Dec 2019 09:26:46 +0000 Nektarios Katakis <nektar...@mail.nektarioskatakis.xyz> wrote:
> On Tue, 10 Dec 2019 07:22:05 +0100
> Pascal Hambourg <pas...@plouf.fr.eu.org> wrote:
>
> > On 10/12/2019 at 00:01, Nektarios Katakis wrote:
> > >
> > > I am running an iptables firewall on an openwrt router I've got,
> > > which acts as firewall/gateway and performs NATing for my internal
> > > network - debian PCs and android phones.
> > >
> > > All good but specific web sites are not loading for the machines
> > > that are sitting behind the home router.
> > >
> > > When attempting on the browser (firefox but tried different ones)
> > > the browser stays at `Performing a TLS handshake to
> > > bitbucket.org`. wget has similar results:
> > > ```
> > > wget https://bitbucket.org
> > > --2019-12-09 22:07:32--  https://bitbucket.org/
> > > Resolving bitbucket.org (bitbucket.org)... 18.205.93.0,
> > > 18.205.93.1, 18.205.93.2, ...
> > > Connecting to bitbucket.org (bitbucket.org)|18.205.93.0|:443... connected.
> > > ```
> > > When doing a tcpdump on the router side I can see some initial TCP
> > > session establishment and then nothing:
> > (...)
> > > Of course doing a wget from the router itself works fine, as it
> > > also works fine on my desktop if I do dynamic port-forwarding
> > > with eg. `ssh -D 1050 router` (and configure of course firefox to
> > > use it).
> >
> > Maybe a "MTU black hole" issue with PPPoE.
> > Workarounds :
> > - lower the MTU on the client side to 1492
> > - add a "TCPMSS --clamp-to-pmtu" iptables rule on the router
> >
>
> Interesting. I'm not a network engineer and actually didn't think of
> that. I'll give it a shot and update.
>
> Thanks.
>
> The tip you gave me really did the job! I found this page on tldp.org
> describing the MTU issue,
> http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/mtu-issues.html,
> and then I simply ran the iptables command
>
> ```
> iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> ```
>
> and it was fixed! Thanks again!
>
> ---
> Nektarios Katakis
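For readers who want to see what the `TCPMSS --clamp-mss-to-pmtu` rule from the thread actually does to a forwarded packet, here is an added example, written for this archive page and not code posted by Nektarios, Pascal, or the netfilter project. It builds a constructed TCP SYN carrying the usual MSS of 1460 (what a 1500-byte-MTU client advertises), rewrites the MSS option so it fits a PPPoE path MTU of 1492 (the figure from Pascal's reply), and recomputes the TCP checksum, which is exactly the pair of edits the kernel target performs on SYN segments. The source and destination addresses are constructed (a private LAN client and the bitbucket.org address quoted in the wget output); the PMTU is passed in as a parameter, whereas the real target reads it from the outgoing route. The `MSS_*`/`clamp_mss_to_pmtu` names are the example's own, not netfilter identifiers.

```python
import struct
from typing import Iterator, Optional, Tuple

TCP_PROTO = 6
SYN_FLAG = 0x02
IPV4_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header (no options)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header (src, dst, 0, proto, length) + segment.

    Over a segment whose checksum field is already filled in this returns 0.
    """
    pseudo = src + dst + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_syn(src: bytes, dst: bytes, sport: int, dport: int, mss: int) -> bytes:
    """Constructed SYN segment with one MSS option (kind 2, length 4)."""
    option = struct.pack("!BBH", 2, 4, mss)
    data_offset = (20 + len(option)) // 4            # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                         data_offset << 4, SYN_FLAG, 65535, 0, 0)
    segment = bytearray(header + option)
    struct.pack_into("!H", segment, 16, tcp_checksum(src, dst, bytes(segment)))
    return bytes(segment)


def iter_options(opts: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (kind, offset of the kind byte, length) for each TCP option."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                 # End of option list
            return
        if kind == 1:                                 # NOP: one byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:     # truncated or malformed: stop
            return
        yield kind, i, opts[i + 1]
        i += opts[i + 1]


def read_mss(segment: bytes) -> Optional[int]:
    """Return the advertised MSS, or None when the segment carries no MSS option."""
    doff = (segment[12] >> 4) * 4
    opts = segment[20:doff]
    for kind, off, length in iter_options(opts):
        if kind == 2 and length == 4:
            return struct.unpack_from("!H", opts, off + 2)[0]
    return None


def clamp_mss_to_pmtu(src: bytes, dst: bytes, segment: bytes,
                      pmtu: int) -> Tuple[bytes, Optional[int]]:
    """Rewrite the MSS option of a SYN so it never exceeds pmtu - 40, then fix the checksum.

    Returns (segment, mss_now_advertised). Non-SYN segments and SYNs without an
    MSS option are returned unchanged with None, mirroring the target's scope.
    """
    if not segment[13] & SYN_FLAG:
        return segment, None
    limit = pmtu - IPV4_TCP_OVERHEAD
    doff = (segment[12] >> 4) * 4
    opts = bytearray(segment[20:doff])
    applied = None
    for kind, off, length in iter_options(bytes(opts)):
        if kind == 2 and length == 4:
            current = struct.unpack_from("!H", opts, off + 2)[0]
            applied = min(current, limit)             # only ever lower the MSS
            struct.pack_into("!H", opts, off + 2, applied)
    if applied is None:
        return segment, None
    out = bytearray(segment[:20] + bytes(opts) + segment[doff:])
    out[16:18] = b"\x00\x00"                          # zero the field before recomputing
    struct.pack_into("!H", out, 16, tcp_checksum(src, dst, bytes(out)))
    return bytes(out), applied


if __name__ == "__main__":
    # Constructed addresses: a LAN client and the bitbucket.org IP quoted in the thread.
    src, dst = bytes([192, 168, 1, 10]), bytes([18, 205, 93, 0])
    syn = build_syn(src, dst, 40000, 443, 1460)
    clamped, mss = clamp_mss_to_pmtu(src, dst, syn, 1492)   # PPPoE link MTU
    print("MSS before:", read_mss(syn), "after:", mss)
    print("checksum valid:", tcp_checksum(src, dst, clamped) == 0)
```

The match in the thread's rule, `--tcp-flags SYN,RST SYN`, restricts it to segments with SYN set and RST clear, which is the only place the MSS option is negotiated; that is why the example leaves every other segment alone. The 40-byte deduction is for IPv4; an `ip6tables` rule of the same form would subtract 60, since the fixed IPv6 header is 40 bytes.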