Wednesday, July 22, 2009

Tool of the Day: TCPMSSD

I've had an issue with an ADSL multilink implementation over a FreeBSD firewall that just won't seem to work with a particular PC's MTU. I've of course changed the PC's MTU with TCPOptimizer, but now I've gone a level up and am actually mangling the packets with a TCP MTU/MSS clamp.

The clamp works by rewriting the MSS option in TCP SYN packets so that no segment ends up larger than the chosen MTU, which keeps traffic flowing without fragmentation.

I installed TCPMSSD from the FreeBSD ports tree (/usr/ports/net/tcpmssd) and made sure the daemon starts from rc.local with the following command line:

/usr/local/bin/tcpmssd -b -p 7777 -m 1300

-b = mangle both SYN and ACK packets
-p 7777 = listen on divert port 7777
-m 1300 = clamp to an MTU of 1300 bytes

Then you need to pass traffic to the daemon through IPFW (rule comments use ipfw's own // syntax):

add 00042 divert 7777 ip from any to 10.0.0.1            // mangle traffic to source
add 00043 skipto 00047 ip from 10.0.0.1 to 10.0.0.0/20   // skip internal traffic
add 00043 skipto 00047 ip from not 10.0.0.1 to any       // skip anything other than this host
add 00044 divert 7777 ip from any to any                 // mangle traffic from source
add 00045 divert 8670 ip from any to any                 // natd traffic from source
add 00046 fwd 192.168.0.1 ip from any to any             // fwd and end traffic from source

This is tested, working and in production on my live FreeBSD firewalls. A great little tool...
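To show what the diverted packets actually go through, here is an added Python example (not tcpmssd's own code) of the per-packet rewrite an MSS clamp performs: on a TCP SYN it lowers the MSS option to the configured MTU minus the 40 bytes of IPv4 and TCP headers, so -m 1300 yields an MSS of 1260, and then recomputes the TCP checksum before the packet would be written back to the divert socket. It assumes plain IPv4 without IP options, and the sample SYN it clamps is constructed inline.

```python
import struct

def tcp_checksum(ip_hdr: bytes, tcp: bytes) -> int:
    """RFC 1071 checksum over the IPv4 pseudo-header plus the TCP segment (checksum field zeroed)."""
    data = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp[:16] + b"\x00\x00" + tcp[18:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mss_option_offset(tcp: bytes):
    """Offset of the 16-bit MSS value inside the TCP header, or None if there is no MSS option."""
    doff, i = (tcp[12] >> 4) * 4, 20
    while i < doff:
        kind = tcp[i]
        if kind == 0:                        # end of option list
            return None
        if kind == 1:                        # NOP padding
            i += 1
            continue
        if kind == 2 and tcp[i + 1] == 4:    # MSS: kind 2, length 4
            return i + 2
        i += max(tcp[i + 1], 2)              # skip other options; guard against a zero length
    return None

def clamp_mss(packet: bytes, mtu: int) -> bytes:
    """Per-packet work of an MSS clamp: on a TCP SYN whose MSS exceeds mtu - 40
    (20-byte IPv4 + 20-byte TCP header), lower it and fix the TCP checksum."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or not packet[ihl + 13] & 0x02:   # not TCP, or not a SYN
        return packet
    tcp = bytearray(packet[ihl:])
    off = mss_option_offset(tcp)
    if off is None or struct.unpack("!H", tcp[off:off + 2])[0] <= mtu - 40:
        return packet                        # nothing to clamp
    tcp[off:off + 2] = struct.pack("!H", mtu - 40)
    tcp[16:18] = struct.pack("!H", tcp_checksum(packet[:ihl], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)

def build_syn(mss: int) -> bytes:
    """Constructed sample: IPv4 header (checksum left 0) + TCP SYN, data offset 6, with an MSS option."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)    # kind 2, length 4, MSS value
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 168, 0, 1]))
    chk = struct.pack("!H", tcp_checksum(ip, tcp))
    return ip + tcp[:16] + chk + tcp[18:]
```

Reading from and writing back to the divert socket is left out; on FreeBSD that is an IPPROTO_DIVERT socket bound to the port given with -p.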

Thursday, July 16, 2009

Tool of the Day: TCP-Z Windows Vista Half-Open Connection Patch

To speed up Vista's network throughput, you can now run a simple tool that modifies kernel values on the fly, without changing any settings permanently.

You can download it here: Softpedia

If you would rather change the settings yourself, follow Microsoft's article on how to do so HERE.

Either way, look forward to increased network performance in Vista/Windows 7.

Wednesday, July 8, 2009

Increasing performance of Static IP (L2TP) ADSL Lines

With most South African ISPs now offering static IP ADSL, I think there is some confusion about, or simply no awareness of, how these offerings work. The machines behind these routers benefit from having the correct MTU size set, both to reduce packet fragmentation and to let packets that carry the DF bit (DF = Do Not Fragment) traverse the link.

Standard Ethernet MTU is 1500 bytes, and ADSL PPPoE MTU is 1492 bytes. What the ISPs do is run an L2TP tunnel from the ISP to the ADSL router, presenting the user with static IPs but reducing the MTU to 1472 bytes (the standard L2TP data segment).

To optimize your Linux/BSD machines, the easiest option is simply to adjust the interface MTU:

ifconfig em0 mtu 1472

That makes sure all packets originating from that interface are the correct size. The problem arises with Windows machines, where Path MTU Discovery does not always work correctly. This was tried and tested on a Windows box I have here:

Ping Google with a 1492-byte ICMP packet:

C:\Users\kim.attree>ping -l 1492 www.google.com

Pinging www.l.google.com [74.125.45.103] with 1492 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 74.125.45.103:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

And ping Google with a 1472-byte ICMP packet:

C:\Users\kim.attree>ping -l 1472 www.google.com

Pinging www.l.google.com [74.125.45.103] with 1472 bytes of data:
Reply from 74.125.45.103: bytes=1472 time=354ms TTL=49
Reply from 74.125.45.103: bytes=1472 time=353ms TTL=49
Reply from 74.125.45.103: bytes=1472 time=354ms TTL=49
Reply from 74.125.45.103: bytes=1472 time=354ms TTL=49

Ping statistics for 74.125.45.103:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 353ms, Maximum = 354ms, Average = 353ms

The easiest way to fix this is with a TCP stack modifier; I suggest the freeware tool TCP Optimizer, which you can download here: http://www.speedguide.net/files/TCPOptimizer.exe

Choose "Custom Options", set your MTU to 1472 bytes, and reap the rewards of improved performance and throughput.