[ale] Stumped by Slashdot and network problems

John Wells lists at sourceillustrated.com
Sun Oct 24 14:00:46 EDT 2004


Guys,

I asked my question on the Netfilter list, and got a quick answer that
fixed my problem.  FYI, the solution follows:
----
What you need to do is lower the MSS that is being advertised by the
Windows XP machine.  On the VPN Server/Router:

        iptables -A FORWARD -p tcp --syn -s $WINXP_BOX \
          -j TCPMSS --set-mss 1400

If the problem continues, lower that 1400 until the problem disappears.  I
have had to ratchet it down as low as 1330 on IPSec + WiFi setups.  With
your addition of the ppp0 (pptp) MTU of 896, you may need to use
"--set-mss 850" before the Windows XP box will work properly.  Another
option that may or may not work would be to allow the VPN Server/Router
to figure this out automatically (which depends on proper PMTU discovery,
which is certainly not a given these days):

        iptables -A FORWARD -p tcp --syn -s $WINXP_BOX \
          -j TCPMSS --clamp-mss-to-pmtu
----
Setting it to 850 on the router works.

Thanks,
John
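Added example, not from John's message or the Netfilter reply above: a small POSIX shell script that derives the MSS a link can carry from its MTU (MTU minus the 20-byte IPv4 and 20-byte TCP headers; 60 bytes for IPv6) and prints the two TCPMSS rules quoted in the thread for that value. It does not run iptables, so it can be checked offline and without root; the client address 192.0.2.10 and the variable names are assumed placeholders, and the 896-byte ppp0 MTU is the one from the thread.

```shell
#!/bin/sh
# Added example (not part of the original post): compute a safe TCP MSS from a
# link MTU and print the matching iptables TCPMSS rules.  Nothing here invokes
# iptables; the functions only calculate and print, so the script runs offline.

# MSS = MTU - IP header - TCP header (both without options).
# IPv4: 20 + 20 = 40 bytes; IPv6: 40 + 20 = 60 bytes.
mss_for_mtu() {
    mtu="$1"
    family="${2:-ipv4}"
    case "$family" in
        ipv4) echo $((mtu - 40)) ;;
        ipv6) echo $((mtu - 60)) ;;
        *) echo "unknown address family: $family" >&2; return 1 ;;
    esac
}

# Exit status 0 when an advertised MSS fits an IPv4 link of the given MTU,
# 1 when a full-sized segment would need fragmentation on that link.
mss_fits_mtu() {
    mss="$1"; mtu="$2"
    [ "$mss" -le "$(mss_for_mtu "$mtu")" ]
}

# FORWARD rule that rewrites the MSS option on SYNs from one host to a fixed value.
clamp_rule_fixed() {
    src="$1"; mss="$2"
    printf 'iptables -A FORWARD -p tcp --syn -s %s -j TCPMSS --set-mss %s\n' "$src" "$mss"
}

# FORWARD rule that lets the kernel pick the MSS from the route's path MTU
# (only as good as PMTU discovery on that path).
clamp_rule_pmtu() {
    src="$1"
    printf 'iptables -A FORWARD -p tcp --syn -s %s -j TCPMSS --clamp-mss-to-pmtu\n' "$src"
}

# Constructed usage: the 896-byte ppp0 (pptp) MTU from the thread and a
# hypothetical client address from the documentation range.
WINXP_BOX=192.0.2.10
PPP_MTU=896
MSS=$(mss_for_mtu "$PPP_MTU")
echo "MTU $PPP_MTU -> largest MSS that fits: $MSS"
clamp_rule_fixed "$WINXP_BOX" "$MSS"
clamp_rule_pmtu "$WINXP_BOX"
```

For the 896-byte tunnel the arithmetic gives 856, so the 850 that worked in the thread sits just under the largest value that fits; the reply's 1400 would not fit on that link, which is why the rule had to come down that far.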