# Firewall problem?

## phoenix_me

I have a PC and a NAS. Between those two there is a router. The NAS has a web-based interface on port 80. On the PC I have two operating systems, Windows and Gentoo. When I am in Windows I can open the web interface of the NAS, but when I am in Linux I am not able to do this. The page just doesn't want to open. I don't know where the problem could be. I am able to ssh to the NAS from Gentoo and I am able to browse the Internet, but I am not able to open the web interface of the NAS. Please help.

I put a wireshark on Gentoo and the results are the following:

```
No.     Time        Source                Destination           Protocol Info

      1 0.000000    10.10.1.20            10.10.1.10            TCP      35557 > http [SYN] Seq=0 Win=17920 Len=0 MSS=8960 SACK_PERM=1 TSV=45795987 TSER=0 WS=7

      2 0.002939    IcpElect_8b:dc:20     Broadcast             ARP      Who has 10.10.1.20?  Tell 10.10.1.10

      3 0.002946    AsustekC_4a:17:69     IcpElect_8b:dc:20     ARP      10.10.1.20 is at 00:1b:fc:4a:17:69

      4 0.003158    10.10.1.10            10.10.1.20            TCP      http > 35557 [SYN, ACK] Seq=0 Ack=1 Win=17904 Len=0 MSS=8964 SACK_PERM=1 TSV=260029452 TSER=45795987 WS=2

      5 0.003177    10.10.1.20            10.10.1.10            TCP      35557 > http [ACK] Seq=1 Ack=1 Win=17920 Len=0 TSV=45795990 TSER=260029452

      6 0.003275    10.10.1.20            10.10.1.10            HTTP     GET / HTTP/1.1 

      7 0.003511    10.10.1.10            10.10.1.20            TCP      http > 35557 [ACK] Seq=1 Ack=400 Win=17904 Len=0 TSV=260029453 TSER=45795990

      8 2.013568    10.10.1.10            10.10.1.20            TCP      [TCP Previous segment lost] http > 35557 [FIN, ACK] Seq=4124 Ack=400 Win=17904 Len=0 TSV=260029654 TSER=45795990

      9 2.013603    10.10.1.20            10.10.1.10            TCP      [TCP Dup ACK 6#1] 35557 > http [ACK] Seq=400 Ack=1 Win=17920 Len=0 TSV=45798000 TSER=260029453 SLE=4124 SRE=4125

     10 4.909275    10.10.1.20            10.10.1.10            TCP      41341 > http [FIN, ACK] Seq=1 Ack=1 Win=140 Len=0 TSV=45800896 TSER=260005171 SLE=4124 SRE=4125

     11 4.909521    10.10.1.10            10.10.1.20            TCP      http > 41341 [RST] Seq=1 Win=0 Len=0
```

----------

## erik258

Hey,

I am not too familiar with wireshark output (a powerful tool, but a bit excessive in this case where tcpdump would do just fine) but if I'm reading this correctly it seems that the HTTP transaction is getting through just fine.

If you can't connect to a webserver usually you'll get a CONNECTION REFUSED error code (error 102).  This will typically be displayed to you in the browser.   That would be the case if your router's firewall was just blocking the connection. 

If the HTTP transaction was hanging, the page would eventually time out.  This usually indicates that the traffic back to the gentoo box is being blocked somewhere.  

Neither of these is likely to be the case, if I'm reading the wireshark dump properly.  It seems as though the connection is having some transient connectivity problems ("TCP Previous Segment Lost" and then a DUP ACK?) but nevertheless, the FIN ACK suggests that the connection terminated normally (right?).  So from what I can tell the page was retrieved successfully.  

A few questions.  Does the Linux system use the same IP address as the Windows system?  If so, and you're not running a firewall on the Gentoo system, then the problem is almost certainly not a firewall / connectivity issue.  Have you tried to retrieve the page with wget?  I have a suspicion that the problem is perhaps that the page is loading normally but is blank because you don't have active-x controls or something like that.  

If you run  "wget <url> -o /dev/null -O -" and get html back, you know the web page is retrievable from the computer (that's exactly what wget does).  It should be more or less immediate.

----------

## phoenix_me

 *erik258 wrote:*   

> Hey,
> 
> I am not too familiar with wireshark output (a powerful tool, but a bit excessive in this case where tcpdump would do just fine) but if I'm reading this correctly it seems that the HTTP transaction is getting through just fine.
> 
> If you can't connect to a webserver usually you'll get a CONNECTION REFUSED error code (error 102).  This will typically be displayed to you in the browser.   That would be the case if your router's firewall was just blocking the connection. 
> ...

 

I found the problem. First of all I need to mention that my router runs OpenWRT firmware. Some time ago I changed the MTU size on the NAS by selecting the option 'Jumbo Frame'. I did it on the Gentoo box as well. When the firmware in the router was upgraded I started having this issue. After some tests I found out that the MTU on the NAS was 9004 while the MTU on Gentoo was 9000. But even after I manually changed the MTU on the NAS to 9000 it was still not working. The next step was changing the MTU on Gentoo to 1500, and it started working. The last step was changing the MTU to 1500 on the NAS, and this also worked. It seems like OpenWRT doesn't support Jumbo Frame.

----------
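The capture in the first post already carries the signature of the MTU problem found in the last one: the handshake and other small packets pass, both sides advertise an MSS near 9000, and the server's sequence numbers jump from 1 to 4124 without the data in between ever being seen. The following is an added example, not part of the thread, that pulls those facts out of Wireshark's text summary; the function names are illustrative and the input is four frames copied from the capture above.

```python
import re

# Frames 1, 4, 7 and 8 of the capture in the first post (timestamp options trimmed).
CAPTURE = """\
1 0.000000 10.10.1.20 10.10.1.10 TCP 35557 > http [SYN] Seq=0 Win=17920 Len=0 MSS=8960 SACK_PERM=1 WS=7
4 0.003158 10.10.1.10 10.10.1.20 TCP http > 35557 [SYN, ACK] Seq=0 Ack=1 Win=17904 Len=0 MSS=8964 SACK_PERM=1 WS=2
7 0.003511 10.10.1.10 10.10.1.20 TCP http > 35557 [ACK] Seq=1 Ack=400 Win=17904 Len=0
8 2.013568 10.10.1.10 10.10.1.20 TCP [TCP Previous segment lost] http > 35557 [FIN, ACK] Seq=4124 Ack=400 Win=17904 Len=0
"""

ROW = re.compile(r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+(?P<info>.*)$")
PORTS = re.compile(r"(\S+) > (\S+)")
STANDARD_MSS = 1460  # 1500-byte Ethernet MTU minus 40 bytes of IPv4 and TCP headers


def field(info, name):
    """Return the integer value of a 'Name=123' token in the Info column, or None."""
    m = re.search(rf"\b{name}=(\d+)", info)
    return int(m.group(1)) if m else None


def analyse(text):
    """Return one finding per flow direction whose data never reached the capture point."""
    mss, next_seq, lost = {}, {}, {}
    for line in text.splitlines():
        row = ROW.match(line)
        ports = PORTS.search(row["info"]) if row else None
        seq = field(row["info"], "Seq") if row else None
        if not ports or seq is None:
            continue  # ARP, HTTP and header rows, or anything else we cannot parse
        info = row["info"]
        flow = (row["src"], ports[1], row["dst"], ports[2])
        if "SYN" in info:
            mss[flow] = field(info, "MSS")
            next_seq[flow] = seq + 1  # a SYN consumes one sequence number
            continue
        if "Previous segment lost" in info and flow in next_seq:
            lost[flow] = lost.get(flow, 0) + seq - next_seq[flow]
        next_seq[flow] = max(next_seq.get(flow, 0), seq + (field(info, "Len") or 0))
    findings = []
    for (src, sport, dst, dport), n in lost.items():
        # A sender may emit segments up to the MSS its peer advertised in the handshake.
        peer_mss = mss.get((dst, dport, src, sport))
        findings.append({"sender": src, "missing_bytes": n, "peer_mss": peer_mss,
                         "jumbo_suspect": (peer_mss or 0) > STANDARD_MSS})
    return findings
```

A finding with `jumbo_suspect` set means the sender was allowed segments larger than a 1500-byte path can carry and its data went missing, which is the point at which to compare the MTU of every hop rather than the firewall rules.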

