Posted: Sat Dec 12, 2009 18:18 Post subject: can't access twitter !! iptables, TCPMSS, MTU problem?
edit: news, news !! this issue has been solved (at least for now) .. see this post
Guys, I have a really weird problem with DD-WRT (Eko's SVN 13401 std-ftp-usb on my WRT610N v2):
I can't access www.twitter.com!!
That's the only site I have found so far, but I am sure there might be others.
What happens is that I get a TCP RST (reset) that breaks the connection to the webserver as soon as I try to connect.
At first I thought it was a DNS issue, so I switched to OpenDNS, but nope, it's DD-WRT somehow, because if I bypass the WRT and go Ethernet direct into the cable modem, I can load the page just fine.
I did a packet trace using Wireshark and it goes something like this:
Code:
me                              twitter.com
--------------------------------------------------------------
TCP SYN                       >
                              <  TCP ACK, SYN
TCP ACK                       >
HTTP GET www.twitter.com      >
                              <  TCP RST (reset)

Wireshark flags the RST with: "Acknowledgement number: Broken TCP. The acknowledge field is nonzero while the ACK flag is not set"
I don't know where to go from here. I think it is somehow related to MTU; in iptables --list I see something like this in the FORWARD chain:
I think this may be related; possibly Twitter have misconfigured their servers or routers, but in any case I don't know how to get past it!!
Can anybody else confirm this??? I already tried disabling IPv6 in the router, and tested with IE and Firefox, from a different computer, etc. It only works if I bypass DD-WRT completely and go direct via the cable modem.
Last edited by luckman212 on Tue Dec 22, 2009 22:23; edited 2 times in total
The error is saying that the ACK flag isn't set, though it should be for all packets from you, the client. Since you know your way around Wireshark, capture the WAN side of the conversation and check whether the ACK flag is set when it leaves the router. If you don't have a hub, then you can use this iptables rule to forward copies of the packets wherever you want.
iptables -t nat -I POSTROUTING -o `nvram get wan_iface` -j ROUTE --tee --gw [IP to send copy to]
# add this if you want incoming from the WAN too
iptables -t nat -I PREROUTING -i `nvram get wan_iface` -j ROUTE --tee --gw [IP to send copy to]
_________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
(my LAN IP is 172.31.255.30) but since DD-WRT has disabled all error messages, I don't know if the command was successful. Actually, I think it WASN'T, because I ran iptables -L and the new rule didn't appear anywhere. So I think my syntax is not correct somehow.
I'm not sure what exactly to look for in Wireshark, and even if I found that the outbound packets to Twitter didn't have their ACK flag set, how would I correct it? Is there a command in iptables I can use to set this flag just for a specific IP, to see if it fixes the issue? This is one of the stranger problems I've ever encountered!!
Sorry, the ROUTE target isn't valid in the nat table.
iptables -t mangle -I POSTROUTING -o vlan2 -j ROUTE --tee --gw 172.31.255.30
iptables -t mangle -vnL POSTROUTING
OK, you're right, I was looking in the wrong table. Now I've done the trace from another laptop on my wireless network (which also has no access to twitter.com).
I see 3 packets outbound destined for twitter.com.
They look like this:
I don't know what to do from here to debug this. This is affecting all machines, all kinds of devices behind the DD-WRT unit. It doesn't matter if they are wired or wireless.
It does seem to be related to the TCPMSS & MTU iptables rule. But I am really not sure what to modify, or how to get these rules into my DD-WRT permanently to test if it will work.
Well, clearly the ACK flag was set when it left, so either their end is borked or something between you is mangling it. What sort of connection type is your WAN? In the optional WAN settings, try manually setting the MTU to 1000 and see if it helps.
It's crazy.
I don't know what's going on.
My WAN is a 50M down/5M up cable connection (Road Runner). Like I said, when I plug my laptop directly into the LAN port of the cable modem, I can get to Twitter. So something is happening inside of DD-WRT.
I set the MTU to 1000 using the GUI and verified the change via telnet:
Code:
root@r1:/# nvram get wan_mtu
1000
Sadly, nothing changed; I still get a TCP RESET when accessing twitter.com.
I would do a 30/30/30 if I thought it would help, but this being such a site-specific problem, it doesn't seem like a problem with my router. I can't be the only one with this problem?
Yet you are. The LinkedIn problem you linked is a bit different: in their case a rule was forcing a specific MTU rather than clamping it down to a maximum size. They actually fixed it by using the same rule that DD-WRT does. If you want to try deleting it anyway, then this is how.
iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
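As an added example, not code from this thread or from DD-WRT, the Python script below shows the two TCP details the discussion turns on: the Wireshark sanity check quoted in the first post (acknowledgement number nonzero while the ACK flag is clear), and what the FORWARD-chain rule `-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu` does to a SYN, namely lowering an MSS option to the path MTU minus the 40 bytes of IPv4 and TCP headers and recomputing the TCP checksum. The segments, the documentation-range addresses (192.0.2.0/24, 198.51.100.0/24) and the PMTU value of 1000 are constructed for the example, not captured traffic; the kernel takes the PMTU from the route, while here it is passed in explicitly.

```python
"""Added example, not code from the thread or from DD-WRT: minimal TCP header
handling to show (a) Wireshark's "ack field nonzero but ACK flag unset" check
and (b) what iptables' TCPMSS --clamp-mss-to-pmtu does to a SYN."""
import ipaddress
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2
IPV4_TCP_OVERHEAD = 40          # 20-byte IPv4 header + 20-byte TCP header
TCP_HDR = "!HHIIBBHHH"          # the fixed 20-byte TCP header


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, seg: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment with its
    checksum field zeroed, i.e. what the sender must compute."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(seg)))   # zero, proto 6, TCP length
    return _ones_complement_sum(pseudo + seg[:16] + b"\x00\x00" + seg[18:])


def verify_checksum(src_ip: str, dst_ip: str, seg: bytes) -> bool:
    return parse_tcp(seg)["checksum"] == tcp_checksum(src_ip, dst_ip, seg)


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, mss=None) -> bytes:
    """Header-only TCP segment; an MSS option is appended when mss is given."""
    options = b"" if mss is None else struct.pack("!BBH", OPT_MSS, 4, mss)
    data_offset = (20 + len(options)) // 4           # header length in 32-bit words
    seg = struct.pack(TCP_HDR, sport, dport, seq, ack, data_offset << 4,
                      flags, 65535, 0, 0) + options
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


def parse_tcp(seg: bytes) -> dict:
    sport, dport, seq, ack, off, flags, win, csum, urg = struct.unpack(TCP_HDR, seg[:20])
    hlen = (off >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": win, "checksum": csum, "hlen": hlen, "options": seg[20:hlen]}


def parse_options(opts: bytes) -> list:
    """Return [(kind, value)] for the TLV options; EOL stops, NOP is skipped."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        out.append((kind, opts[i + 2:i + opts[i + 1]]))
        i += opts[i + 1]
    return out


def broken_ack(seg: bytes) -> bool:
    """The Wireshark expert-info condition quoted in the thread."""
    p = parse_tcp(seg)
    return p["ack"] != 0 and not (p["flags"] & ACK)


def clamp_mss_to_pmtu(src_ip, dst_ip, seg, pmtu):
    """Mimic '--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu': on a SYN
    with RST clear, lower an MSS option above pmtu-40 to exactly pmtu-40 and
    recompute the checksum. Returns (segment, original MSS or None). The kernel
    target also handles a SYN with no MSS option; this only rewrites an existing one."""
    p = parse_tcp(seg)
    if p["flags"] & (SYN | RST) != SYN:
        return seg, None
    target = pmtu - IPV4_TCP_OVERHEAD
    i = 20
    while i < p["hlen"]:
        kind = seg[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = seg[i + 1]
        if kind == OPT_MSS and length == 4:
            old = struct.unpack("!H", seg[i + 2:i + 4])[0]
            if old <= target:
                return seg, old
            new = bytearray(seg)
            new[i + 2:i + 4] = struct.pack("!H", target)
            new[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(new)))
            return bytes(new), old
        i += length
    return seg, None


if __name__ == "__main__":
    # Constructed segments with documentation addresses, not captured traffic.
    client, server = "192.0.2.10", "198.51.100.20"
    syn = build_tcp(client, server, 40000, 80, 1000, 0, SYN, mss=1460)
    clamped, old_mss = clamp_mss_to_pmtu(client, server, syn, pmtu=1000)
    print("MSS", old_mss, "->", parse_options(parse_tcp(clamped)["options"]),
          "checksum ok:", verify_checksum(client, server, clamped))
    rst = build_tcp(server, client, 80, 40000, 1, 1001, RST)   # ack number set, ACK flag clear
    print("broken ack on bare RST:", broken_ack(rst))
```

Run against a real capture the same logic applies to the raw TCP header bytes of each frame; a reset like the one in the trace above will return True from broken_ack, and comparing the MSS option of the client's SYN on the LAN side with the same SYN on the WAN side shows exactly what the clamp rule changed.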
Do I have to reload the firewall somehow after making changes with iptables? Because sadly I tried deleting that rule, but my TCP connections to twitter.com are still resetting.
Guys, I hate to sound like a whiner, but I have spoken on the phone to Time Warner Cable Tier 3 and they assured me that they are not doing any sort of blocking or round-robining of the twitter.com site.
Additionally, as I have said, when I plug a machine directly into the cable modem and bypass DD-WRT, I am able to access it.
I have now tried a 30/30/30 reset, and even after redoing all my settings (aggh) it still doesn't work. This is the only site I can't access; unfortunately it's a big one that I use a lot.
I have a friend who also uses Time Warner Cable and a WRT610N v2 that's running DD-WRT just like mine, and I can verify that from his house, twitter.com is also inaccessible.
So I am not saying that it's necessarily a flat-out bug or flaw with DD-WRT, but for whatever reason, the combo of DD-WRT, the 610N v2, Time Warner Cable, and the twitter.com webservers is making this problem appear.
If anyone has any idea how to get around this, I would love to hear it. I am desperate.
Joined: 26 Jan 2008 Posts: 13049 Location: Behind The Reset Button
Posted: Tue Dec 15, 2009 21:47 Post subject:
I'll toss this out. Unfortunately I forgot the "buzz word" for what the problem was, and I looked for it in my network settings.
I was helping a guy via PM, and he found it. I have since deleted the PMs, so I can only go by memory (or lack thereof). Same thing but a different website(s).
Some Windows feature was enabled. CTS, CPC, ?? something. I remember looking it up on Wikipedia.
Anyway, it is a setting that, if the website or server is busy, drops the connection instead of retrying.
Maybe someone will know what the hell I am talking about.
Thanks Barry, but that's a no-go. I have tested this from my iPhone on Wi-Fi as well as a buddy's MacBook Pro, and even a Knoppix Linux live CD. NONE of them can access Twitter. It's (amazingly) not a Windows problem this time.