[clug] web pages not loading via Fedora router

Paul Wayper paulway at mabula.net
Wed Oct 6 15:18:33 MDT 2010


On 10/06/2010 04:47 PM, Paul - subscriptions wrote:
> I'm not sure if this helps but for some reason traceroutes are working to the
> LAN but pings are working
> 
> eg
> traceroute  192.168.0.20
> traceroute to 192.168.0.20 (192.168.0.20), 30 hops max, 60 byte packets

Simple reason (AFAICS) - 192.168.0.20 is on your LAN and not through a router.

Traceroute works by sending the first packet out with a TTL of 1.  Routers
decrement the TTL and, if it's zero, send a reply stating "this router got
your packet and timed it out".  traceroute then recognises this packet and
says "that's the first hop".  It then sends out a packet with TTL of 2 - which
goes through the first router and gets to the second, and so forth.

The key to understanding what's going on is that traceroute doesn't send ICMP
by default - it sends a UDP packet.  If the UDP packet isn't responded to,
it's usually discarded - and this looks like a black hole.  Try using the '-I'
option to get it to use ICMP, which most things will respond to.  These are
the results on my network:

[paulway@tachyon ~]$ traceroute router
traceroute to router (192.168.23.250), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  *^C
[paulway@tachyon ~]$ traceroute -I router
traceroute to router (192.168.23.250), 30 hops max, 60 byte packets
 1  router (192.168.23.250)  1.186 ms  1.411 ms  1.630 ms
[paulway@tachyon ~]$

As to why some websites are timing out and some aren't - it may be an MTU black
hole.  What happens in that case is that your packet goes out with a flag in
the headers saying "the maximum length of a packet I can receive back is
(e.g.) 1520".  Somewhere between here and there, a router says "no, that's too
large, try 1480" in an ICMP response.  Normally you'd receive this and your IP
stack would automatically use the lower value.  However, another router
between here and there has been configured to drop all incoming ICMP messages
and therefore you never see that message - therefore both sides think that the
other is going to respond and you get a timeout.  Other sites are OK with the
larger packet size and therefore they work.

You may need to look at your firewalling and make sure you are accepting
certain types of ICMP packet (can't remember which off the top of my head, but
the Wikipedia article http://en.wikipedia.org/wiki/Path_MTU_discovery shows
that you need to make sure that you can receive type 3 (ICMP Unreachable)
packets).

Hope this helps,

Paul
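
Added example, not part of the original post: a small Python simulation of the MTU black hole described above, showing the ICMP type 3 / code 4 message a router returns and what the sender does when a firewall drops it. The function names and the link MTUs are constructed for illustration, and only the 8-byte ICMP header is built (a real message also quotes the start of the offending datagram).

```python
import struct

UNREACH, FRAG_NEEDED = 3, 4   # ICMP type 3, code 4: "fragmentation needed" (RFC 1191)

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def frag_needed(next_hop_mtu: int) -> bytes:
    """8-byte ICMP header a router returns when a DF packet is too big.
    Simplification: the quoted original datagram is left out."""
    fields = (UNREACH, FRAG_NEEDED, 0, 0, next_hop_mtu)
    csum = checksum(struct.pack("!BBHHH", *fields))
    return struct.pack("!BBHHH", UNREACH, FRAG_NEEDED, csum, 0, next_hop_mtu)

def parse_mtu(icmp: bytes):
    """Next-hop MTU from a type 3 / code 4 message, else None."""
    kind, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    return mtu if (kind, code) == (UNREACH, FRAG_NEEDED) else None

def send(size, link_mtus, icmp_filtered, max_tries=5):
    """Send a don't-fragment packet across links with the given MTUs.
    Returns (delivered, size_last_tried)."""
    for _ in range(max_tries):
        too_small = next((m for m in link_mtus if m < size), None)
        if too_small is None:
            return True, size              # every link could carry it
        if not icmp_filtered:              # sender hears the router's complaint
            size = parse_mtu(frag_needed(too_small))
        # filtered: nothing comes back, so the same size is retransmitted
    return False, size                     # timeout: the black hole

if __name__ == "__main__":
    path = [1500, 1480, 1500]              # constructed link MTUs
    print(send(1500, path, icmp_filtered=False))  # full-size packet, ICMP allowed
    print(send(1500, path, icmp_filtered=True))   # full-size packet, ICMP dropped
    print(send(84, path, icmp_filtered=True))     # small packet
```
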

