
Fragmentation problems on FreeBSD 10

Good day,

We have a FreeBSD 10 + Cisco 3550 pair connected via OSPF.

Clients (NAT) terminate on the 3550, then go via OSPF to the FreeBSD box, where they are shaped and sent out to the world.

The problem appears when you try to put real IPs on the 3550 (gateway on the 3550, the client gets net+2): the client has Internet access, but large packets (over 1472) do not get through. Most likely a fragmentation problem.

Any hints on where to dig? (MTU on the 3550 is set to 1526, on the FreeBSD box 1500.)


Actually, an ICMP request size of 1472 is exactly the norm with an MTU of 1500.

http://www.networkers-online.com/blog/2010/02/mtu-and-ping-size-confusion/

Or is it fragmented packets that don't get through in your case?

 

# ping -s 1473 -M do 172.25.37.113

PING 172.25.37.113 (172.25.37.113) 1473(1501) bytes of data.

ping: local error: Message too long, mtu=1500

ping: local error: Message too long, mtu=1500

^C

--- 172.25.37.113 ping statistics ---

2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 999ms

 

# ping -s 1472 -M do 172.25.37.113

PING 172.25.37.113 (172.25.37.113) 1472(1500) bytes of data.

1480 bytes from 172.25.37.113: icmp_req=1 ttl=128 time=0.461 ms

1480 bytes from 172.25.37.113: icmp_req=2 ttl=128 time=0.410 ms

1480 bytes from 172.25.37.113: icmp_req=3 ttl=128 time=0.441 ms

 

ping -s 8000 172.25.37.113

PING 172.25.37.113 (172.25.37.113) 8000(8028) bytes of data.

8008 bytes from 172.25.37.113: icmp_req=1 ttl=128 time=0.730 ms

8008 bytes from 172.25.37.113: icmp_req=2 ttl=128 time=0.760 ms


Any hints on where to dig? (MTU on the 3550 is set to 1526, on the FreeBSD box 1500.)

Deeper.

You see different sizes everywhere because of L2, L3, L4. Subtract/add the header sizes.


It's clear that the size differs at different layers...

Pings from the Cisco to the FreeBSD box:

 

#ping 172.16.11.1 size 1500

Type escape sequence to abort.

Sending 5, 1500-byte ICMP Echos to 172.16.11.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

 

From FreeBSD to the Cisco:

# ping -D -s 1472 172.16.11.2

PING 172.16.11.2 (172.16.11.2): 1472 data bytes

1480 bytes from 172.16.11.2: icmp_seq=0 ttl=255 time=1.333 ms

1480 bytes from 172.16.11.2: icmp_seq=1 ttl=255 time=1.322 ms

^C

 

# ping -D -s 1473 172.16.11.2

PING 172.16.11.2 (172.16.11.2): 1473 data bytes

ping: sendto: Message too long

ping: sendto: Message too long

^C

 

But!

# ping -s 1473 172.16.11.2

PING 172.16.11.2 (172.16.11.2): 1473 data bytes

^C

--- 172.16.11.2 ping statistics ---

2 packets transmitted, 0 packets received, 100.0% packet loss

 

# ping -s 1472 172.16.11.2

PING 172.16.11.2 (172.16.11.2): 1472 data bytes

1480 bytes from 172.16.11.2: icmp_seq=0 ttl=255 time=2.072 ms

1480 bytes from 172.16.11.2: icmp_seq=1 ttl=255 time=1.375 ms

^C

 

ipfw is running, but I didn't see any explicit rules restricting MTU or fragmentation.

Ideas?


Rule listing:

 

# ipfw show

00100 0 0 allow ip from any to any via lo0

00105 0 0 deny ip from any to 127.0.0.0/8

00110 2205 223648 allow ip from table(2) to table(2)

00115 4 192 deny ip from any to any dst-port 135,137,138,139,445

00120 0 0 reject log logamount 100 ip from any to me in ipoptions ssrr

00125 0 0 reject log logamount 100 ip from any to me in ipoptions lsrr

00130 0 0 reject log logamount 100 ip from any to me in ipoptions rr

00135 0 0 reject log logamount 100 ip from any to me in ipoptions ts

00140 0 0 reject log logamount 100 tcp from any to any not established tcpflags fin

00145 0 0 reject log logamount 100 tcp from any to any tcpflags syn,fin,ack,psh,rst,urg

00150 0 0 reject log logamount 100 tcp from any to any tcpflags !syn,!fin,!ack,!psh,!rst,!urg

00155 0 0 deny log logamount 100 tcp from any to me in tcpflags !syn,!ack,!rst

00160 0 0 deny log logamount 100 tcp from any to me in tcpflags syn,fin,!ack,psh,urg

00165 0 0 deny log logamount 100 tcp from any to me in tcpflags syn,fin,!ack

00170 0 0 deny log logamount 100 tcp from any to me in tcpflags fin,!ack,psh,urg

00175 0 0 deny log logamount 100 tcp from any to me in tcpflags fin,!ack

00180 0 0 deny log logamount 100 tcp from any to me in tcpflags !ack,urg

00185 0 0 deny log logamount 100 tcp from any to me in tcpflags !ack,psh

00190 518 73320 allow ip from any 53,123 to any

00195 558 47693 allow ip from any to any dst-port 53,123

00200 12 888 allow ospf from any to any

00205 1040494 747941853 allow ip from any to any via bce0

00210 119 5538 pipe 35001 ip from table(60) to any in via vlan200

00215 125 6330 pipe 35002 ip from any to table(60) out via vlan200

00220 43823 3687616 pipe 35011 ip from table(61) to any in via vlan200

00225 55092 58976505 pipe 35012 ip from any to table(61) out via vlan200

00230 8430 718855 pipe 35021 ip from table(62) to any in via vlan200

00235 11732 13305247 pipe 35022 ip from any to table(62) out via vlan200

00240 45204 9790614 pipe 35031 ip from table(63) to any in via vlan200

00245 53321 60553345 pipe 35032 ip from any to table(63) out via vlan200

00250 1346 177070 pipe 35041 ip from table(64) to any in via vlan200

00255 1343 357454 pipe 35042 ip from any to table(64) out via vlan200

00260 0 0 pipe 35051 ip from table(65) to any in via vlan200

00265 0 0 pipe 35052 ip from any to table(65) out via vlan200

00270 0 0 pipe 35061 ip from table(66) to any in via vlan200

00275 0 0 pipe 35062 ip from any to table(66) out via vlan200

00280 0 0 pipe 35005 ip from table(70) to any in via vlan200

00285 0 0 pipe 35006 ip from any to table(70) out via vlan200

00290 77642 10558189 pipe 35071 ip from table(75) to any in via vlan200

00295 124509 156905866 pipe 35072 ip from any to table(75) out via vlan200

00300 139094 17297759 pipe 35081 ip from table(76) to any in via vlan200

00305 187034 231518345 pipe 35082 ip from any to table(76) out via vlan200

00310 91102 22245420 pipe 35091 ip from table(77) to any in via vlan200

00315 130329 157313910 pipe 35092 ip from any to table(77) out via vlan200

65534 94 6125 deny log logamount 1000 ip from any to any

65535 1484033 1080866857 allow ip from any to any


What exactly is unclear?

That packets can get fragmented by the IP stack itself unless that is explicitly forbidden?

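The FreeBSD-to-Cisco probes in this thread boil down to one diagnostic: an MTU-sized packet with DF set passes, one byte more with DF is refused locally, and one byte more without DF (so the stack fragments it) is silently lost. Here is that check as an added Python example, not code from the thread; it assumes FreeBSD ping flags (-D for DF) and uses a constructed stand-in for the posted outputs so it runs offline.

```python
import re
import subprocess
from typing import Callable

# Overheads behind the thread's numbers: 1472 ICMP data + 8 ICMP + 20 IPv4 = 1500 (L3 MTU).
# Ethernet adds 14 more on the wire (1514), so an L2 figure like the switch's 1526 cannot
# be compared directly with the host's 1500 (the "subtract/add headers" point above).
IPV4_HDR, ICMP_HDR = 20, 8

def max_icmp_payload(mtu: int) -> int:
    """Largest ping -s value that still fits in one packet at the given L3 MTU."""
    return mtu - IPV4_HDR - ICMP_HDR

_TOO_LONG = re.compile(r"Message too long")   # FreeBSD 'sendto:' and Linux 'local error:' forms
_REPLY = re.compile(r"^\d+ bytes from ")

def classify(ping_output: str) -> str:
    """Reduce ping output to 'ok', 'too_long' (local stack refused a DF packet) or 'lost'."""
    if _TOO_LONG.search(ping_output):
        return "too_long"
    if any(_REPLY.match(line) for line in ping_output.splitlines()):
        return "ok"
    return "lost"

def run_ping(host: str, size: int, df: bool, count: int = 2) -> str:
    """Real probe; assumes FreeBSD ping syntax (-D = set DF). Linux would use -M do instead."""
    cmd = ["ping", "-c", str(count), "-s", str(size)] + (["-D"] if df else []) + [host]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr

def diagnose(probe: Callable[[int, bool], str], mtu: int = 1500) -> str:
    """Three probes: MTU-sized with DF, MTU+1 with DF, MTU+1 without DF (forces fragmentation)."""
    fit = max_icmp_payload(mtu)
    if classify(probe(fit, True)) != "ok":
        return "no connectivity even for MTU-sized packets"
    if classify(probe(fit + 1, True)) != "too_long":
        return "local interface MTU is not the assumed value"
    if classify(probe(fit + 1, False)) == "ok":
        return "fragmentation works end to end"
    return "fragment black hole: MTU-sized packets pass, fragmented ones are dropped"

def thread_probe(size: int, df: bool) -> str:
    """Constructed stand-in reproducing the FreeBSD->Cisco results posted above (no network needed)."""
    head = f"PING 172.16.11.2 (172.16.11.2): {size} data bytes\n"
    if size <= 1472:
        return head + f"{size + 8} bytes from 172.16.11.2: icmp_seq=0 ttl=255 time=1.333 ms\n"
    if df:
        return head + "ping: sendto: Message too long\n"
    return head + "--- 172.16.11.2 ping statistics ---\n2 packets transmitted, 0 packets received, 100.0% packet loss\n"
```

Run `diagnose(thread_probe)` for the offline reproduction, or `diagnose(lambda s, df: run_ping("172.16.11.2", s, df))` against a live host; the black-hole verdict is the case to look for on the shaper and switch, since MTU-sized packets passing while fragments vanish points at something dropping fragments rather than at the MTU itself.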