Problems accessing DMZ from some ISPs but not others

Problems accessing DMZ from some ISPs but not others

[Ghislain Hachey]

[-- Attachment #1: Type: text/plain, Size: 1118 bytes --]

Hi,

I'm trying to setup IPFire on a small Alix board. It seems to work ok 
except I am experiencing a weird problem. My public facing servers are 
not always reachable. I run a small private data center in Vanuatu and 
when I try to access my public servers from a server I rent in the US it 
works fine. However, there are some ISP networks that can't reach my 
public servers. Even more weird, one of our ISPs in Vanuatu has parts of 
it that can reach my public servers and other parts of it (different 
subnets and path to destination) that can't. I read that MTU/MRU values 
can cause some weird, hard to troubleshoot problems. I do not experience 
this when I use my Vigor 3300 firewall/router. I really like IPFire and 
where it seems to be heading, but this is a show stopper. Unfortunately, 
I can't spend much time troubleshooting this problem properly as the 
services need to be available.

The image I used to do the installation was 
ipfire-2.13.1gb-ext4-scon.i586-full-core72.img.gz. It runs on the Alix 
alix2d3 <http://www.pcengines.ch/alix2d3.htm>.

Any ideas?

-- 
Ghislain Hachey
www.ghachey.info

Re: Problems accessing DMZ from some ISPs but not others

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1858 bytes --]

Hello,

indeed this problem is "weird" and does not seems to be cause primarily
by IPFire. It looks like a generic networking problem to me.

IPFire is clipping MSS to the Path MTU for all TCP connections and if
you have set up you connection to the internet correctly (i.e. typed in
the right MTU or let it be assigned by the ISP) this should be fine.

You can test for MTU issues by sending big packets with the ping command
or tracepath.

As you mentioned that some hosts are reachable and others are not, I
suggest to check the subnet masks configured on the firewall and all
other systems. It really looks like something similar to this.

I hope this helps.

-Michael

On Fri, 2013-11-08 at 09:07 +1100, Ghislain Hachey wrote:
> Hi,
> 
> I'm trying to setup IPFire on a small Alix board. It seems to work ok 
> except I am experiencing a weird problem. My public facing servers are 
> not always reachable. I run a small private data center in Vanuatu and 
> when I try to access my public servers from a server I rent in the US it 
> works fine. However, there are some ISP networks that can't reach my 
> public servers. Even more weird, one of our ISPs in Vanuatu has parts of 
> it that can reach my public servers and other parts of it (different 
> subnets and path to destination) that can't. I read that MTU/MRU values 
> can cause some weird, hard to troubleshoot problems. I do not experience 
> this when I use my Vigor 3300 firewall/router. I really like IPFire and 
> where it seems to be heading, but this is a show stopper. Unfortunately, 
> I can't spend much time troubleshooting this problem properly as the 
> services need to be available.
> 
> The image I used to do the installation was 
> ipfire-2.13.1gb-ext4-scon.i586-full-core72.img.gz. It runs on the Alix 
> alix2d3 <http://www.pcengines.ch/alix2d3.htm>.
> 
> Any ideas?
>