Доброго времени суток.
Есть дебиан 7 в качестве гейта (DHCP + pppoeconf + iptables). Пров - PPPoE.
Все работает почти нормально.
Трабл в следующем.
Периодически не открываются страницы, F5 спасает, но уже надоело, честно говоря. Довольно часто страницы не открываются с первого раза. Установил, что шлюз провайдера отвечает, что сервер недоступен. Очень похоже на трабл с mss, потому так и назвал тему.
До этого стояла фря с mpd5+ipfw, то же самое было. Посовещавшись, решили переехать на дебиан ради фрагментации: ipfw не умеет, а pf не особо нравится.
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:30:4f:1c:6f:1a brd ff:ff:ff:ff:ff:ff
inet6 fe80::230:4fff:fe1c:6f1a/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:0d:61:13:de:b7 brd ff:ff:ff:ff:ff:ff
inet 172.16.77.1/24 brd 172.16.77.255 scope global eth1
inet6 fe80::20d:61ff:fe13:deb7/64 scope link
valid_lft forever preferred_lft forever
8: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN qlen 3
link/ppp
inet 10.40.130.205 peer 193.39.72.32/32 scope global ppp0
iptables-save
# Generated by iptables-save v1.4.14 on Tue Jan 21 17:30:07 2014
# filter table: INPUT, FORWARD and OUTPUT all have policy ACCEPT and the table
# contains no rules; the bracketed values are [packets:bytes] counters.
# NOTE(review): as dumped, nothing on this host filters traffic arriving on ppp0,
# either to the gateway itself (INPUT) or through it (FORWARD). A stateful
# baseline would be default-drop on INPUT/FORWARD, an accept for
# ESTABLISHED,RELATED, and explicit allows for the LAN side (eth1). RELATED must
# stay allowed so ICMP errors (including fragmentation-needed, which path-MTU
# discovery relies on) still get through.
*filter
:INPUT ACCEPT [14524:1371476]
:FORWARD ACCEPT [6053592:5024591608]
:OUTPUT ACCEPT [9839:2168107]
COMMIT
# Completed on Tue Jan 21 17:30:07 2014
# Generated by iptables-save v1.4.14 on Tue Jan 21 17:30:07 2014
# nat table: a single source-NAT rule for the LAN.
*nat
:PREROUTING ACCEPT [24276:1556846]
:INPUT ACCEPT [128:27313]
:OUTPUT ACCEPT [16:4968]
:POSTROUTING ACCEPT [16:4968]
# Masquerade packets sourced from 172.16.77.0/24 that leave via ppp0 towards any
# destination outside that subnet; the source becomes the current ppp0 address.
-A POSTROUTING -s 172.16.77.0/24 ! -d 172.16.77.0/24 -o ppp0 -j MASQUERADE
COMMIT
# Completed on Tue Jan 21 17:30:07 2014
# Generated by iptables-save v1.4.14 on Tue Jan 21 17:30:07 2014
# mangle table: MSS clamping for forwarded TCP connections.
*mangle
:PREROUTING ACCEPT [847457:659348419]
:INPUT ACCEPT [2998:824384]
:FORWARD ACCEPT [843937:658486475]
:OUTPUT ACCEPT [716:75977]
:POSTROUTING ACCEPT [842840:658450264]
# Matches forwarded TCP segments with SYN set and RST clear (connection setup in
# both directions) and rewrites the MSS option to the path MTU minus 40 bytes for
# IPv4, i.e. 1452 for an MTU of 1492.
# NOTE(review): this only adjusts the MSS advertised in SYN/SYN-ACK. It does not
# produce or suppress ICMP host-unreachable replies from an upstream router, so
# confirm MSS is really the cause of the symptom before tuning further.
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Jan 21 17:30:07 2014
дамп с клиента в момент неоткрытия страницы, 193.39.72.32 - провайдер
tcpdump -ni eth0 | grep ICMP
14:34:30.607103 IP 193.39.72.32 > 172.16.77.42: ICMP host 212.42.70.103 unreachable, length 68
14:34:30.609466 IP 193.39.72.32 > 172.16.77.42: ICMP host 212.42.70.101 unreachable, length 68
14:34:30.611464 IP 193.39.72.32 > 172.16.77.42: ICMP host 212.42.70.102 unreachable, length 68
14:34:30.613218 IP 193.39.72.32 > 172.16.77.42: ICMP host 212.42.70.103 unreachable, length 68
14:34:30.615573 IP 193.39.72.32 > 172.16.77.42: ICMP host 212.42.70.101 unreachable, length 68
14:34:30.617535 IP 193.39.72.32 > 172.16.77.42: ICMP host 212.42.70.102 unreachable, length 68
14:34:30.617563 IP 193.39.72.32 > 172.16.77.42: ICMP host 195.214.195.12 unreachable, length 68
14:34:30.620454 IP 193.39.72.32 > 172.16.77.42: ICMP host 195.214.195.12 unreachable, length 68
14:34:30.642331 IP 193.39.72.32 > 172.16.77.42: ICMP host 212.42.70.103 unreachable, length 68
14:34:30.642470 IP 193.39.72.32 > 172.16.77.42: ICMP host 195.214.195.12 unreachable, length 68
14:34:30.644379 IP 193.39.72.32 > 172.16.77.42: ICMP host 212.42.70.101 unreachable, length 68
14:34:30.644402 IP 193.39.72.32 > 172.16.77.42: ICMP host 195.214.195.12 unreachable, length 68
14:34:30.647487 IP 193.39.72.32 > 172.16.77.42: ICMP host 212.42.70.102 unreachable, length 68
14:34:30.650248 IP 193.39.72.32 > 172.16.77.42: ICMP host 212.42.70.103 unreachable, length 68
14:34:30.652436 IP 193.39.72.32 > 172.16.77.42: ICMP host 212.42.70.101 unreachable, length 68
14:34:30.654296 IP 193.39.72.32 > 172.16.77.42: ICMP host 212.42.70.102 unreachable, length 68
14:34:30.739315 IP 193.39.72.32 > 172.16.77.42: ICMP host 198.41.188.113 unreachable, length 68
14:34:30.741529 IP 193.39.72.32 > 172.16.77.42: ICMP host 198.41.189.113 unreachable, length 68
14:34:30.744302 IP 193.39.72.32 > 172.16.77.42: ICMP host 198.41.187.113 unreachable, length 68
14:34:30.746565 IP 193.39.72.32 > 172.16.77.42: ICMP host 198.41.189.113 unreachable, length 68
14:34:30.749258 IP 193.39.72.32 > 172.16.77.42: ICMP host 198.41.190.113 unreachable, length 68
14:34:30.751467 IP 193.39.72.32 > 172.16.77.42: ICMP host 198.41.191.113 unreachable, length 68
14:34:30.753368 IP 193.39.72.32 > 172.16.77.42: ICMP host 198.41.191.113 unreachable, length 68
14:34:30.755220 IP 193.39.72.32 > 172.16.77.42: ICMP host 198.41.187.113 unreachable, length 68
14:34:30.757564 IP 193.39.72.32 > 172.16.77.42: ICMP host 198.41.188.113 unreachable, length 68
14:34:30.759476 IP 193.39.72.32 > 172.16.77.42: ICMP host 198.41.189.113 unreachable, length 68