# packet loss with iptables nat router (MTU problem) [solved]

## till

Hi, 

I have a very strange error regarding my new Gentoo router. I experience packet loss, but only to some networks and on some ports/services.

I have set up the router to connect my Internet connection (ppp0 over eth1) with my local LAN (eth0 / 192.168.2.15 network 192.168.2.0/25).

I have also configured iptables together with NAT:

```

wgs-l13 ~ # iptables -t nat -v -L

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:rplay to:192.168.2.20:5555

    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:ftp-data to:192.168.2.20:20

    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:ftp to:192.168.2.20:21

    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:2202 to:192.168.2.31:22

    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:8001 to:192.168.2.34:8001

    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:8002 to:192.168.2.37:8002

    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:8090 to:192.168.2.39:8090

    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:44301 to:192.168.2.34:44301

    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:44302 to:192.168.2.37:44302

    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:44303 to:192.168.2.31:443

    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:60000 to:192.168.2.20:60000

    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:60001 to:192.168.2.20:60001

    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:60002 to:192.168.2.20:60002

    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:60003 to:192.168.2.20:60003

    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:60004 to:192.168.2.20:60004

    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:60005 to:192.168.2.20:60005

    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:60006 to:192.168.2.20:60006

    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:60007 to:192.168.2.20:60007

    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:60008 to:192.168.2.20:60008

    0     0 DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:60009 to:192.168.2.20:60009

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

    0     0 MASQUERADE  all  --  any    ppp0    anywhere             anywhere            

Chain LOGMASQUERADE (0 references)

 pkts bytes target     prot opt in     out     source               destination         

    0     0 LOG        all  --  any    any     anywhere             anywhere             LOG level warning prefix "FW-MASQUERADE: "

    0     0 MASQUERADE  all  --  any    any     anywhere             anywhere            

wgs-l13 ~ # iptables -v -L

Chain INPUT (policy ACCEPT 47 packets, 2932 bytes)

 pkts bytes target     prot opt in     out     source               destination         

    0     0 DROP       tcp  --  ppp0   any     anywhere             anywhere             tcp dpts:0:1023

    0     0 DROP       udp  --  ppp0   any     anywhere             anywhere             udp dpts:0:1023

Chain FORWARD (policy DROP 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

    0     0 DROP       all  --  eth0   any     anywhere             192.168.2.0/25      

   24  6936 ACCEPT     all  --  eth0   any     192.168.2.0/25       anywhere            

   33  2216 ACCEPT     all  --  ppp0   any     anywhere             192.168.2.0/25      

Chain OUTPUT (policy ACCEPT 37 packets, 7512 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain LOGACCEPT (0 references)

 pkts bytes target     prot opt in     out     source               destination         

    0     0 LOG        all  --  any    any     anywhere             anywhere             LOG level warning prefix "FW-ACCEPT: "

    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain LOGDROP (0 references)

 pkts bytes target     prot opt in     out     source               destination         

    0     0 LOG        all  --  any    any     anywhere             anywhere             LOG level warning prefix "FW-DROP: "

    0     0 DROP       all  --  any    any     anywhere             anywhere          

```

At this point I am able to browse many Internet sites and also ssh to many servers with a stable connection.

However, there are some networks that are suffering package loss. E.g. if I try to reach my university's unimail website, it hangs; if I open movie4k in a browser it also hangs. I have also experienced hanging ssh sessions to the network of my university. Sometimes I am able to connect, but if I cat a file, the network is lost after a few lines are displayed. The strange thing is that ftp or imap is working well on these networks. Only http(s) and ssh are suffering. So I guess this is a masquerading issue, but I have no clue what kind.

So I tcpdumped an ssh session from my university's computer (78.50.73.80) to my home server (192.168.2.20) over the router (public address at this time: 78.50.73.80) and there are some packages that never show up on the other side. The strange thing is that the package does not show up even when it is resent, while other packages go through:

University Computer: 

```

granit ~ # tcpdump -i br0 -n -vvv 'host 78.50.73.80 and tcp port 5555'

tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes

16:38:59.821397 IP (tos 0x0, ttl 64, id 26615, offset 0, flags [DF], proto TCP (6), length 60)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [S], cksum 0xb874 (correct), seq 2341522184, win 29200, options [mss 1460,sackOK,TS val 23637247 ecr 0,nop,wscale 7], length 0

16:38:59.842965 IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], proto TCP (6), length 60)

    78.50.73.80.5555 > 129.217.38.151.49876: Flags [S.], cksum 0xa7c1 (correct), seq 1166425740, ack 2341522185, win 28960, options [mss 1460,sackOK,TS val 2035291183 ecr 23637247,nop,wscale 7], length 0

16:38:59.843010 IP (tos 0x0, ttl 64, id 26616, offset 0, flags [DF], proto TCP (6), length 52)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x46b3 (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 23637269 ecr 2035291183], length 0

16:38:59.843218 IP (tos 0x0, ttl 64, id 26617, offset 0, flags [DF], proto TCP (6), length 83)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [P.], cksum 0x112e (correct), seq 1:32, ack 1, win 229, options [nop,nop,TS val 23637269 ecr 2035291183], length 31

16:38:59.863839 IP (tos 0x0, ttl 50, id 10953, offset 0, flags [DF], proto TCP (6), length 52)

    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], cksum 0x4681 (correct), seq 1, ack 32, win 227, options [nop,nop,TS val 2035291204 ecr 23637269], length 0

16:38:59.884297 IP (tos 0x0, ttl 50, id 10954, offset 0, flags [DF], proto TCP (6), length 83)

    78.50.73.80.5555 > 129.217.38.151.49876: Flags [P.], cksum 0x10f6 (correct), seq 1:32, ack 32, win 227, options [nop,nop,TS val 2035291210 ecr 23637269], length 31

16:38:59.884335 IP (tos 0x0, ttl 64, id 26618, offset 0, flags [DF], proto TCP (6), length 52)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x4631 (correct), seq 32, ack 32, win 229, options [nop,nop,TS val 23637310 ecr 2035291210], length 0

16:38:59.884917 IP (tos 0x0, ttl 64, id 26619, offset 0, flags [DF], proto TCP (6), length 1500)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0xf3db (correct), seq 32:1480, ack 32, win 229, options [nop,nop,TS val 23637311 ecr 2035291210], length 1448

16:38:59.884926 IP (tos 0x0, ttl 64, id 26620, offset 0, flags [DF], proto TCP (6), length 572)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [P.], cksum 0xc213 (correct), seq 1480:2000, ack 32, win 229, options [nop,nop,TS val 23637311 ecr 2035291210], length 520

16:38:59.904613 IP (tos 0x0, ttl 50, id 10956, offset 0, flags [DF], proto TCP (6), length 1492)

    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], cksum 0x85fd (correct), seq 32:1472, ack 32, win 227, options [nop,nop,TS val 2035291211 ecr 23637269], length 1440

16:38:59.905637 IP (tos 0x0, ttl 50, id 10959, offset 0, flags [DF], proto TCP (6), length 64)

    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], cksum 0x4eb5 (correct), seq 1680, ack 32, win 235, options [nop,nop,TS val 2035291246 ecr 23637310,nop,nop,sack 1 {1480:2000}], length 0

16:38:59.907315 IP (tos 0x0, ttl 50, id 10957, offset 0, flags [DF], proto TCP (6), length 60)

    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], cksum 0x086c (correct), seq 1472:1480, ack 32, win 227, options [nop,nop,TS val 2035291211 ecr 23637269], length 8

16:38:59.907342 IP (tos 0x0, ttl 64, id 26621, offset 0, flags [DF], proto TCP (6), length 52)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x38ab (correct), seq 2000, ack 1480, win 251, options [nop,nop,TS val 23637333 ecr 2035291211], length 0

16:38:59.911577 IP (tos 0x0, ttl 64, id 26622, offset 0, flags [DF], proto TCP (6), length 1500)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0xee01 (correct), seq 32:1480, ack 1480, win 251, options [nop,nop,TS val 23637338 ecr 2035291211], length 1448

16:38:59.932578 IP (tos 0x0, ttl 50, id 10958, offset 0, flags [DF], proto TCP (6), length 252)

    78.50.73.80.5555 > 129.217.38.151.49876: Flags [P.], cksum 0x6942 (correct), seq 1480:1680, ack 32, win 227, options [nop,nop,TS val 2035291245 ecr 23637310], length 200

16:38:59.972567 IP (tos 0x0, ttl 64, id 26623, offset 0, flags [DF], proto TCP (6), length 52)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x3768 (correct), seq 2000, ack 1680, win 274, options [nop,nop,TS val 23637399 ecr 2035291245], length 0

16:39:00.132583 IP (tos 0x0, ttl 64, id 26624, offset 0, flags [DF], proto TCP (6), length 1500)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0xec23 (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23637559 ecr 2035291245], length 1448

16:39:00.575593 IP (tos 0x0, ttl 64, id 26625, offset 0, flags [DF], proto TCP (6), length 1500)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0xea68 (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23638002 ecr 2035291245], length 1448

16:39:01.461602 IP (tos 0x0, ttl 64, id 26626, offset 0, flags [DF], proto TCP (6), length 1500)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0xe6f2 (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23638888 ecr 2035291245], length 1448

16:39:03.233601 IP (tos 0x0, ttl 64, id 26627, offset 0, flags [DF], proto TCP (6), length 1500)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0xe006 (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23640660 ecr 2035291245], length 1448

16:39:06.781600 IP (tos 0x0, ttl 64, id 26628, offset 0, flags [DF], proto TCP (6), length 1500)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0xd22a (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23644208 ecr 2035291245], length 1448

16:39:13.869615 IP (tos 0x0, ttl 64, id 26629, offset 0, flags [DF], proto TCP (6), length 1500)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0xb67a (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23651296 ecr 2035291245], length 1448

16:39:18.060208 IP (tos 0x0, ttl 64, id 26630, offset 0, flags [DF], proto TCP (6), length 100)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [FP.], cksum 0xc03a (correct), seq 2000:2048, ack 1680, win 274, options [nop,nop,TS val 23655486 ecr 2035291245], length 48

16:39:18.080920 IP (tos 0x0, ttl 50, id 10960, offset 0, flags [DF], proto TCP (6), length 64)

    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], cksum 0x077c (correct), seq 1680, ack 32, win 243, options [nop,nop,TS val 2035309422 ecr 23637310,nop,nop,sack 1 {1480:2049}], length 0

16:39:28.045584 IP (tos 0x0, ttl 64, id 26631, offset 0, flags [DF], proto TCP (6), length 1500)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x3819 (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23665472 ecr 2035309422], length 1448

16:39:28.488589 IP (tos 0x0, ttl 64, id 26632, offset 0, flags [DF], proto TCP (6), length 1500)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x365e (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23665915 ecr 2035309422], length 1448

16:39:29.373605 IP (tos 0x0, ttl 64, id 26633, offset 0, flags [DF], proto TCP (6), length 1500)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x32e9 (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23666800 ecr 2035309422], length 1448

16:39:31.145612 IP (tos 0x0, ttl 64, id 26634, offset 0, flags [DF], proto TCP (6), length 1500)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x2bfd (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23668572 ecr 2035309422], length 1448

16:39:34.685574 IP (tos 0x0, ttl 64, id 26635, offset 0, flags [DF], proto TCP (6), length 1500)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x1e29 (correct), seq 32:1480, ack 1680, win 274, options [nop,nop,TS val 23672112 ecr 2035309422], length 1448

^C

29 packets captured

29 packets received by filter

0 packets dropped by kernel

4294963701 packets dropped by interface

```

-> resends package 32:1480 but it never appears on the other side

-> other packages do (sent before and after that package)

Router:

```

wgs-l13 ~ # tcpdump -i ppp0 -n -vvv 'host 129.217.38.151 and tcp port 5555'

tcpdump: listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

16:39:03.444604 IP (tos 0x0, ttl 55, id 26615, offset 0, flags [DF], proto TCP (6), length 60)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [S], cksum 0xb874 (correct), seq 2341522184, win 29200, options [mss 1460,sackOK,TS val 23637247 ecr 0,nop,wscale 7], length 0

16:39:03.445021 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)

    78.50.73.80.5555 > 129.217.38.151.49876: Flags [S.], cksum 0xa7c1 (correct), seq 1166425740, ack 2341522185, win 28960, options [mss 1460,sackOK,TS val 2035291183 ecr 23637247,nop,wscale 7], length 0

16:39:03.465650 IP (tos 0x0, ttl 55, id 26616, offset 0, flags [DF], proto TCP (6), length 52)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x46b3 (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 23637269 ecr 2035291183], length 0

16:39:03.465697 IP (tos 0x0, ttl 55, id 26617, offset 0, flags [DF], proto TCP (6), length 83)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [P.], cksum 0x112e (correct), seq 1:32, ack 1, win 229, options [nop,nop,TS val 23637269 ecr 2035291183], length 31

16:39:03.466301 IP (tos 0x0, ttl 63, id 10953, offset 0, flags [DF], proto TCP (6), length 52)

    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], cksum 0x4681 (correct), seq 1, ack 32, win 227, options [nop,nop,TS val 2035291204 ecr 23637269], length 0

16:39:03.472032 IP (tos 0x0, ttl 63, id 10954, offset 0, flags [DF], proto TCP (6), length 83)

    78.50.73.80.5555 > 129.217.38.151.49876: Flags [P.], cksum 0x10f6 (correct), seq 1:32, ack 32, win 227, options [nop,nop,TS val 2035291210 ecr 23637269], length 31

16:39:03.473080 IP (tos 0x0, ttl 63, id 10956, offset 0, flags [DF], proto TCP (6), length 1492)

    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], cksum 0x85fd (correct), seq 32:1472, ack 32, win 227, options [nop,nop,TS val 2035291211 ecr 23637269], length 1440

16:39:03.473118 IP (tos 0x0, ttl 63, id 10957, offset 0, flags [DF], proto TCP (6), length 60)

    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], cksum 0x086c (correct), seq 1472:1480, ack 32, win 227, options [nop,nop,TS val 2035291211 ecr 23637269], length 8

16:39:03.506759 IP (tos 0x0, ttl 55, id 26618, offset 0, flags [DF], proto TCP (6), length 52)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x4631 (correct), seq 32, ack 32, win 229, options [nop,nop,TS val 23637310 ecr 2035291210], length 0

16:39:03.506896 IP (tos 0x0, ttl 63, id 10958, offset 0, flags [DF], proto TCP (6), length 252)

    78.50.73.80.5555 > 129.217.38.151.49876: Flags [P.], cksum 0x6942 (correct), seq 1480:1680, ack 32, win 227, options [nop,nop,TS val 2035291245 ecr 23637310], length 200

16:39:03.507773 IP (tos 0x0, ttl 55, id 26620, offset 0, flags [DF], proto TCP (6), length 572)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [P.], cksum 0xc213 (correct), seq 1480:2000, ack 32, win 229, options [nop,nop,TS val 23637311 ecr 2035291210], length 520

16:39:03.507885 IP (tos 0x0, ttl 63, id 10959, offset 0, flags [DF], proto TCP (6), length 64)

    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], cksum 0x4eb5 (correct), seq 1680, ack 32, win 235, options [nop,nop,TS val 2035291246 ecr 23637310,nop,nop,sack 1 {1480:2000}], length 0

16:39:03.530632 IP (tos 0x0, ttl 55, id 26621, offset 0, flags [DF], proto TCP (6), length 52)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x38ab (correct), seq 2000, ack 1480, win 251, options [nop,nop,TS val 23637333 ecr 2035291211], length 0

16:39:03.595707 IP (tos 0x0, ttl 55, id 26623, offset 0, flags [DF], proto TCP (6), length 52)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], cksum 0x3768 (correct), seq 2000, ack 1680, win 274, options [nop,nop,TS val 23637399 ecr 2035291245], length 0

16:39:21.684292 IP (tos 0x0, ttl 55, id 26630, offset 0, flags [DF], proto TCP (6), length 100)

    129.217.38.151.49876 > 78.50.73.80.5555: Flags [FP.], cksum 0xc03a (correct), seq 2000:2048, ack 1680, win 274, options [nop,nop,TS val 23655486 ecr 2035291245], length 48

16:39:21.684487 IP (tos 0x0, ttl 63, id 10960, offset 0, flags [DF], proto TCP (6), length 64)

    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], cksum 0x077c (correct), seq 1680, ack 32, win 243, options [nop,nop,TS val 2035309422 ecr 23637310,nop,nop,sack 1 {1480:2049}], length 0

^C

16 packets captured

16 packets received by filter

0 packets dropped by kernel

```

Home Server:

```

# tcpdump -i br0 -n -vvv 'host 129.217.38.151 and tcp port 5555'

tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes

16:38:59.828490 IP (tos 0x0, ttl 54, id 26615, offset 0, flags [DF], proto TCP (6), length 60)

    129.217.38.151.49876 > 192.168.2.20.5555: Flags [S], cksum 0x8d3a (correct), seq 2341522184, win 29200, options [mss 1460,sackOK,TS val 23637247 ecr 0,nop,wscale 7], length 0

16:38:59.828549 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)

    192.168.2.20.5555 > 129.217.38.151.49876: Flags [S.], cksum 0x6b5b (incorrect -> 0x7c87), seq 1166425740, ack 2341522185, win 28960, options [mss 1460,sackOK,TS val 2035291183 ecr 23637247,nop,wscale 7], length 0

16:38:59.849517 IP (tos 0x0, ttl 54, id 26616, offset 0, flags [DF], proto TCP (6), length 52)

    129.217.38.151.49876 > 192.168.2.20.5555: Flags [.], cksum 0x1b79 (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 23637269 ecr 2035291183], length 0

16:38:59.849911 IP (tos 0x0, ttl 54, id 26617, offset 0, flags [DF], proto TCP (6), length 83)

    129.217.38.151.49876 > 192.168.2.20.5555: Flags [P.], cksum 0xe5f3 (correct), seq 1:32, ack 1, win 229, options [nop,nop,TS val 23637269 ecr 2035291183], length 31

16:38:59.849930 IP (tos 0x0, ttl 64, id 10953, offset 0, flags [DF], proto TCP (6), length 52)

    192.168.2.20.5555 > 129.217.38.151.49876: Flags [.], cksum 0x6b53 (incorrect -> 0x1b47), seq 1, ack 32, win 227, options [nop,nop,TS val 2035291204 ecr 23637269], length 0

16:38:59.855731 IP (tos 0x0, ttl 64, id 10954, offset 0, flags [DF], proto TCP (6), length 83)

    192.168.2.20.5555 > 129.217.38.151.49876: Flags [P.], cksum 0x6b72 (incorrect -> 0xe5bb), seq 1:32, ack 32, win 227, options [nop,nop,TS val 2035291210 ecr 23637269], length 31

16:38:59.856496 IP (tos 0x0, ttl 64, id 10955, offset 0, flags [DF], proto TCP (6), length 1500)

    192.168.2.20.5555 > 129.217.38.151.49876: Flags [.], cksum 0x70fb (incorrect -> 0x2274), seq 32:1480, ack 32, win 227, options [nop,nop,TS val 2035291211 ecr 23637269], length 1448

16:38:59.856749 IP (tos 0x0, ttl 64, id 10956, offset 0, flags [DF], proto TCP (6), length 1492)

    192.168.2.20.5555 > 129.217.38.151.49876: Flags [.], cksum 0x70f3 (incorrect -> 0x5ac3), seq 32:1472, ack 32, win 227, options [nop,nop,TS val 2035291211 ecr 23637269], length 1440

16:38:59.856759 IP (tos 0x0, ttl 64, id 10957, offset 0, flags [DF], proto TCP (6), length 60)

    192.168.2.20.5555 > 129.217.38.151.49876: Flags [.], cksum 0x6b5b (incorrect -> 0xdd31), seq 1472:1480, ack 32, win 227, options [nop,nop,TS val 2035291211 ecr 23637269], length 8

16:38:59.890612 IP (tos 0x0, ttl 54, id 26618, offset 0, flags [DF], proto TCP (6), length 52)

    129.217.38.151.49876 > 192.168.2.20.5555: Flags [.], cksum 0x1af7 (correct), seq 32, ack 32, win 229, options [nop,nop,TS val 23637310 ecr 2035291210], length 0

16:38:59.890648 IP (tos 0x0, ttl 64, id 10958, offset 0, flags [DF], proto TCP (6), length 252)

    192.168.2.20.5555 > 129.217.38.151.49876: Flags [P.], cksum 0x6c1b (incorrect -> 0x3e08), seq 1480:1680, ack 32, win 227, options [nop,nop,TS val 2035291245 ecr 23637310], length 200

16:38:59.891628 IP (tos 0x0, ttl 54, id 26620, offset 0, flags [DF], proto TCP (6), length 572)

    129.217.38.151.49876 > 192.168.2.20.5555: Flags [P.], cksum 0x96d9 (correct), seq 1480:2000, ack 32, win 229, options [nop,nop,TS val 23637311 ecr 2035291210], length 520

16:38:59.891646 IP (tos 0x0, ttl 64, id 10959, offset 0, flags [DF], proto TCP (6), length 64)

    192.168.2.20.5555 > 129.217.38.151.49876: Flags [.], cksum 0x6b5f (incorrect -> 0x237b), seq 1680, ack 32, win 235, options [nop,nop,TS val 2035291246 ecr 23637310,nop,nop,sack 1 {1480:2000}], length 0

16:38:59.914502 IP (tos 0x0, ttl 54, id 26621, offset 0, flags [DF], proto TCP (6), length 52)

    129.217.38.151.49876 > 192.168.2.20.5555: Flags [.], cksum 0x0d71 (correct), seq 2000, ack 1480, win 251, options [nop,nop,TS val 23637333 ecr 2035291211], length 0

16:38:59.979557 IP (tos 0x0, ttl 54, id 26623, offset 0, flags [DF], proto TCP (6), length 52)

    129.217.38.151.49876 > 192.168.2.20.5555: Flags [.], cksum 0x0c2e (correct), seq 2000, ack 1680, win 274, options [nop,nop,TS val 23637399 ecr 2035291245], length 0

16:39:18.067875 IP (tos 0x0, ttl 54, id 26630, offset 0, flags [DF], proto TCP (6), length 100)

    129.217.38.151.49876 > 192.168.2.20.5555: Flags [FP.], cksum 0x9500 (correct), seq 2000:2048, ack 1680, win 274, options [nop,nop,TS val 23655486 ecr 2035291245], length 48

16:39:18.067926 IP (tos 0x0, ttl 64, id 10960, offset 0, flags [DF], proto TCP (6), length 64)

    192.168.2.20.5555 > 129.217.38.151.49876: Flags [.], cksum 0x6b5f (incorrect -> 0xdc41), seq 1680, ack 32, win 243, options [nop,nop,TS val 2035309422 ecr 23637310,nop,nop,sack 1 {1480:2049}], length 0

^C

17 packets captured

17 packets received by filter

0 packets dropped by kernel

```

Router's network interfaces:

```

wgs-l13 ~ # ifconfig 

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 192.168.2.15  netmask 255.255.255.128  broadcast 192.168.2.128

        inet6 fe80::1012:ff:fe12:3470  prefixlen 64  scopeid 0x20<link>

        ether 12:12:00:12:34:70  txqueuelen 1000  (Ethernet)

        RX packets 1549  bytes 339792 (331.8 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 1536  bytes 399842 (390.4 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet6 fe80::1012:ff:fe12:3471  prefixlen 64  scopeid 0x20<link>

        ether 12:12:00:12:34:71  txqueuelen 1000  (Ethernet)

        RX packets 1438  bytes 358636 (350.2 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 1226  bytes 305408 (298.2 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        inet6 ::1  prefixlen 128  scopeid 0x10<host>

        loop  txqueuelen 0  (Lokale Schleife)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1492

        inet 78.50.73.80  netmask 255.255.255.255  destination 213.191.89.29

        ppp  txqueuelen 3  (Punkt-zu-Punkt Verbindung)

        RX packets 1250  bytes 318647 (311.1 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 1172  bytes 276690 (270.2 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

```

Does anybody have an explanation for this?

Thank you a lot in advance. 

Till

----------

## till

OK, I have observed that the MTU might be a problem: all discarded packages have a length of 1500, but the ppp0 link only has 1492.

But why does it work for some other networks, and how can I solve this? Shouldn't it automatically break the package up into two pieces or negotiate the max MTU at startup?

Greetings

Till

----------

## till

After banging my head for a whole day I found the solution an hour after writing it down in the Gentoo forums :Wink:

Remember: sometimes it is good to write things down in a structured way and to ask a friend :Wink:

Remember 2: universities have administrators that are <some work you dislike here>. They are disabling Path MTU Discovery for security reasons.....

SOLUTION: MSS Clamping.

```
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```

(see http://lartc.org/howto/lartc.cookbook.mtu-mss.html)

----------
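
The comparison done by eye in the captures above, as an added example that is not part of the original thread: it diffs a sender-side and a router-side `tcpdump -n -vvv` capture by IP id and checks whether every lost packet is a DF packet larger than the link MTU. The function names are this example's own, and the sample text is abridged from the captures posted in the thread.

```python
import re

# First line of a `tcpdump -n -vvv` IPv4/TCP record; the address line follows it.
HEADER = re.compile(r"id (?P<id>\d+), offset \d+, flags \[(?P<flags>[^\]]*)\], "
                    r"proto TCP \(6\), length (?P<length>\d+)\)")
ADDRS = re.compile(r"^\s*(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > ")


def parse(capture, src):
    """Map IP id -> (IP total length, DF set) for packets sent by `src`."""
    packets, header = {}, None
    for line in capture.splitlines():
        found = HEADER.search(line)
        if found:
            header = found
            continue
        addrs = ADDRS.match(line)
        if addrs and header:
            if addrs["src"] == src:
                df = "DF" in header["flags"].split(",")
                packets[int(header["id"])] = (int(header["length"]), df)
            header = None
    return packets


def find_blackhole(sender_capture, router_capture, src, link_mtu):
    """Compare what `src` sent with what arrived on the link of size `link_mtu`."""
    sent = parse(sender_capture, src)
    seen = parse(router_capture, src)
    lost = {ip_id: meta for ip_id, meta in sent.items() if ip_id not in seen}
    # PMTUD black hole signature: only DF packets above the link MTU vanish,
    # and the sender never learns to shrink them (no ICMP "frag needed" arrives).
    oversized = all(length > link_mtu and df for length, df in lost.values())
    delivered_fit = all(length <= link_mtu for length, _ in seen.values())
    return {
        "lost_ids": sorted(lost),
        "pmtu_blackhole": bool(lost) and oversized and delivered_fit,
        # IPv4: link MTU minus 20-byte IP header and 20-byte TCP header.
        "clamped_mss": link_mtu - 40,
    }


# Abridged from the university-side capture in the thread (options trimmed).
SENDER = """\
16:38:59.843218 IP (tos 0x0, ttl 64, id 26617, offset 0, flags [DF], proto TCP (6), length 83)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [P.], seq 1:32, ack 1, length 31
16:38:59.863839 IP (tos 0x0, ttl 50, id 10953, offset 0, flags [DF], proto TCP (6), length 52)
    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], seq 1, ack 32, length 0
16:38:59.884917 IP (tos 0x0, ttl 64, id 26619, offset 0, flags [DF], proto TCP (6), length 1500)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], seq 32:1480, ack 32, length 1448
16:38:59.884926 IP (tos 0x0, ttl 64, id 26620, offset 0, flags [DF], proto TCP (6), length 572)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [P.], seq 1480:2000, ack 32, length 520
16:38:59.911577 IP (tos 0x0, ttl 64, id 26622, offset 0, flags [DF], proto TCP (6), length 1500)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], seq 32:1480, ack 1480, length 1448
16:39:00.132583 IP (tos 0x0, ttl 64, id 26624, offset 0, flags [DF], proto TCP (6), length 1500)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [.], seq 32:1480, ack 1680, length 1448
"""

# Abridged from the router-side (ppp0) capture in the thread.
ROUTER = """\
16:39:03.465697 IP (tos 0x0, ttl 55, id 26617, offset 0, flags [DF], proto TCP (6), length 83)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [P.], seq 1:32, ack 1, length 31
16:39:03.466301 IP (tos 0x0, ttl 63, id 10953, offset 0, flags [DF], proto TCP (6), length 52)
    78.50.73.80.5555 > 129.217.38.151.49876: Flags [.], seq 1, ack 32, length 0
16:39:03.507773 IP (tos 0x0, ttl 55, id 26620, offset 0, flags [DF], proto TCP (6), length 572)
    129.217.38.151.49876 > 78.50.73.80.5555: Flags [P.], seq 1480:2000, ack 32, length 520
"""

if __name__ == "__main__":
    # ppp0 in the thread has mtu 1492.
    print(find_blackhole(SENDER, ROUTER, "129.217.38.151", 1492))
```
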

## John R. Graham

You did mean "packet loss" rather than "package loss", right? Might want to edit your thread title accordingly.  :Wink: 

- John

----------

## till

hmm yes, my ebuilds are all there  :Wink: 

----------

## Hu

Since you mentioned this was caused by PMTUD being blocked for unspecified security reasons, I feel obligated to quote part of `man iptables-extensions` describing the feature you used.

*man iptables-extensions wrote:*

> This target is used to overcome criminally braindead ISPs or servers which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big" packets. The symptoms of this problem are that everything works fine
> ...


----------

