OpenWrt Forum Archive

Topic: fwbuilder experiences?

The content of this topic has been archived on 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello.

I recently replaced the default firewall script with one generated with fwbuilder (www.fwbuilder.org).
Now I face some problems concerning my internet connection. Most internet sites are reachable without any problem.

Nevertheless, there are some sites which do not respond after switching to the fwbuilder script.

For example (and most important for me), the Yahoo web mail login is not functional any more. I get as far as mail.yahoo.com and I am able to enter my ID and password, and when I submit the form the connection hangs, with the browser stating: "waiting for us.f514.mail.yahoo.com". After a very long time (let's say 3 minutes) it gives an error message stating "us.f514.mail.yahoo.com not responding".

There are some other sites which act oddly; imdb.com is one. As soon as I reach a site at imdb which tries connecting to i.imdb.com, the connection hangs again.
But as I already said, most other sites are working flawlessly.

I can't really explain this behaviour, but I ain't no network expert. I first suspected the DNS service was not working correctly. But I can ping us.f514.mail.yahoo.com, so the address is translated correctly and it is even reachable with ping.

This error is reproducible; I tried on my Linux workstation with Firefox and also on a Windows 2000 OS with Internet Explorer.

Are there some experienced users with fwbuilder and OpenWrt?
Or does anyone else have a hint to solve this problem?

Thanks

greetings

bjunix

Maybe it is the issue with clamp-mss. I had a problem reaching eBay because of this error. Try to insert the following line at the beginning of your firewall script:

iptables -A FORWARD -o ppp0 -p TCP --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

ppp0 has to be your WAN interface.
For a little test you can decrease the MTU on your client PC to something smaller than 1400. If it works correctly with this, the line above will be your friend. This line has to be at the beginning of your iptables rules, so check the rules with:

iptables -L

Gunni
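A way to check the rule placement discussed in the post above, as an added example that is not part of the original thread: the TCPMSS target does not terminate rule traversal, so the clamp only takes effect if the SYN reaches it before an ACCEPT, DROP or REJECT rule in the same chain. The function name `check_clamp`, the sample rulesets and the LAN bridge `br0` are assumptions made for illustration.

```shell
#!/bin/sh
# check_clamp: read iptables-save output on stdin and print
#   ok      - a TCPMSS clamp rule sits in FORWARD ahead of any
#             ACCEPT/DROP/REJECT rule of the same table
#   late    - a clamp rule exists, but only after such a rule
#   missing - no clamp rule in any FORWARD chain
# Heuristic: jumps to user-defined chains are not followed.
check_clamp() {
    awk '
        /^\*/ { table = substr($0, 2); term[table] = 0; next }
        $1 == "-A" && $2 == "FORWARD" {
            if ($0 ~ /-j TCPMSS/ && $0 ~ /--clamp-mss-to-pmtu/) {
                if (term[table]) late = 1; else good = 1
            } else if ($0 ~ /-j (ACCEPT|DROP|REJECT)/) {
                term[table] = 1
            }
        }
        END { print (good ? "ok" : (late ? "late" : "missing")) }'
}

# Constructed sample rulesets (not from the thread); br0 is an assumed LAN bridge.
CLAMP='-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'
ALLOW='-A FORWARD -i br0 -o ppp0 -j ACCEPT'

sample_good()    { printf '%s\n' '*filter' ':FORWARD DROP [0:0]' "$CLAMP" "$ALLOW" COMMIT; }
sample_late()    { printf '%s\n' '*filter' ':FORWARD DROP [0:0]' "$ALLOW" "$CLAMP" COMMIT; }
sample_missing() { printf '%s\n' '*filter' ':FORWARD DROP [0:0]' "$ALLOW" COMMIT; }
# Clamp in mangle: that table is traversed before filter, so it still counts as ok.
sample_mangle()  { printf '%s\n' '*mangle' "$CLAMP" COMMIT '*filter' "$ALLOW" COMMIT; }

for s in sample_good sample_late sample_missing sample_mangle; do
    printf '%s: %s\n' "$s" "$($s | check_clamp)"
done
```

On a router with `iptables-save` installed, the same function can be fed the live ruleset with `iptables-save | check_clamp`.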

Would be my advice too.
Additionally, make sure to have nvram "wan_mtu" set correctly.

Yes, thank you both very much.

There is an option in fwbuilder's firewall settings, "clamp mss to mtu".
I just ticked this option. fwbuilder is adding the line at the correct place for me.

Everything is working fine now.

(Last edited by bjunix on 9 May 2005, 13:03)
