On Wed, 08 Sep 2004 11:35:28 +0200
Manuel Kasper <mk at neon1 dot net> wrote:
> I can reproduce this with my m0n0wall at home (FreeBSD
> client/PPPoE/ADSL) too. The problem doesn't seem to be that MSS
> clamping is not working, but rather that NetBSD sends packets
> larger than [MSS + 40 bytes], which are then fragmented and the
> fragments blocked by ipfilter for some reason.
> Turning off timestamps in the FreeBSD client (sysctl
> net.inet.tcp.rfc1323=0) makes it work.
> This is probably related:
> - Manuel
Thank you for all the digging that went into this reply, Manuel.
This fully explains all the observations reported here, and
provides a workaround for both FreeBSD and OpenBSD clients if
The remaining puzzle (only to me, I suppose) is why a similar
firewall with user-ppp, pppoe, and OpenBSD+PF does not block on
the netbsd server. The FAQ for ipfilter, section X, number 17
...ipfilter doesn't support RFC1323 window size extensions.
Is ipfilter somehow missing a capability that plays a role here?
FWIW, I built up an image with mpd/pppoe configured with:
set iface tcpmssfix
This did not change anything with respect to browsing the
netbsd.org site, however.
Finally, it's kind of funny that NetBSD has not fixed up its TCP
stack for this. The bug reports do go back many years now...
wcm at guinix dot com
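The size arithmetic behind Manuel's explanation, as an added example that is not part of the thread: the firewall clamps MSS so that MSS + 40 bytes of IP/TCP headers fits the link, but a sender that does not subtract its TCP option bytes from the payload still emits packets larger than the MTU. Assumptions are a PPPoE link MTU of 1492, a 12-byte RFC 1323 timestamp option (10 bytes plus two NOPs for alignment), IPv4 without IP options, and a clamp value derived directly from the MTU; the "conforming" versus "oversized" sender is a model of the behaviour described in the thread, not NetBSD's actual code.

```python
# Added example (not from the mailing-list thread): model why a clamped MSS
# can still produce segments that exceed the PPPoE link MTU when the TCP
# timestamp option (RFC 1323) is in use.

IP_HEADER = 20         # IPv4 header without options
TCP_HEADER = 20        # TCP header without options
TIMESTAMP_OPTION = 12  # RFC 1323 timestamps: 10 bytes + 2 NOPs for alignment
PPPOE_MTU = 1492       # assumed: 1500-byte Ethernet MTU minus 8 bytes of PPPoE/PPP framing


def clamp_mss(mtu):
    """MSS a firewall clamps to so that MSS + 40 header bytes fits the link MTU."""
    return mtu - IP_HEADER - TCP_HEADER


def segment_size(mss, option_bytes, sender_accounts_for_options):
    """Total IP packet size a sender emits for a full-sized segment.

    A conforming stack treats MSS as the maximum payload and shrinks the
    payload by the size of any TCP options it adds.  The behaviour described
    in the thread (packets larger than MSS + 40) matches a sender that keeps
    the full MSS as payload, so the option bytes push the packet past the MTU.
    """
    payload = mss - option_bytes if sender_accounts_for_options else mss
    return IP_HEADER + TCP_HEADER + option_bytes + payload


def needs_fragmentation(packet_size, mtu):
    """True when the packet cannot cross the link without IP fragmentation."""
    return packet_size > mtu


def analyse(mtu=PPPOE_MTU, timestamps=True):
    """Return (clamped MSS, conforming packet size, oversized packet size,
    whether the oversized packet would be fragmented on the link)."""
    opts = TIMESTAMP_OPTION if timestamps else 0
    mss = clamp_mss(mtu)
    conforming = segment_size(mss, opts, True)
    oversized = segment_size(mss, opts, False)
    return mss, conforming, oversized, needs_fragmentation(oversized, mtu)


if __name__ == "__main__":
    for ts in (True, False):
        mss, good, bad, frag = analyse(timestamps=ts)
        print(f"timestamps={ts}: clamped MSS={mss}, conforming packet={good} bytes, "
              f"option-unaware packet={bad} bytes, fragmented={frag}")
```

With timestamps on, the clamped MSS of 1452 yields a 1504-byte packet from the option-unaware sender, 12 bytes over the 1492-byte link; with timestamps off both senders emit exactly 1492 bytes, which is why disabling net.inet.tcp.rfc1323 on the client side removes the fragments the firewall was dropping.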