Wednesday, July 22, 2009

Tool of the Day: TCPMSSD

I've had an issue with an ADSL multilink implementation over a FreeBSD firewall that just won't seem to work with a particular PC's MTU. I've of course changed the PC MTU with TCPOptimizer, but now I've gone a level up and am actually mangling the packets with a TCP MTU/MSS clamp.

The clamp works by making sure that all TCP segments are no larger than a particular MTU, so that traffic flows correctly instead of being dropped or fragmented along the way.

I installed TCPMSSD from FreeBSD ports /usr/ports/net/tcpmssd, and made sure the daemon starts from rc.local, with the following command line:

/usr/local/bin/tcpmssd -b -p 7777 -m 1300

-b = mangle both SYN and ACK packets
-p 7777 = run the daemon on divert port 7777
-m 1300 = MTU size of 1300 bytes

Then, you need to pass traffic to the daemon through IPFW:

add 00042 divert 7777 ip from any to 10.0.0.1 (mangle traffic to source)
add 00043 skipto 00047 ip from 10.0.0.1 to 10.0.0.0/20 (skip internal traffic)
add 00043 skipto 00047 ip from not 10.0.0.1 to any (skip anything else other than this host)
add 00044 divert 7777 ip from any to any (mangle traffic from source)
add 00045 divert 8670 ip from any to any (NATD traffic from source)
add 00046 fwd 192.168.0.1 ip from any to any (FWD and end traffic from source)
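To make the clamp step concrete, here is an added worked example (my own illustration, not tcpmssd's code) of what a daemon sitting behind an ipfw divert rule does to each TCP SYN it receives: walk the TCP options, find the MSS option, and if its value exceeds the MTU minus the 40 bytes of IPv4 and TCP headers, rewrite it and recompute the TCP checksum. The sample segment, addresses and ports are constructed for the example; the "both" flag models the -b behaviour as clamping SYN+ACK as well as plain SYN, and the "MTU - 40" derivation of the MSS limit is my assumption about how the daemon computes it.

```python
import socket
import struct
from typing import Optional

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10
IP_TCP_HEADER_BYTES = 40  # 20-byte IPv4 header + 20-byte TCP header (assumed, no IP options)


def _ones_complement_sum(data: bytes) -> int:
    """Standard Internet checksum over 16-bit words, with end-around carry folded in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return _ones_complement_sum(pseudo + segment)


def _mss_value_offset(segment: bytes) -> Optional[int]:
    """Walk the TCP options and return the offset of the 2-byte MSS value, or None."""
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return None  # bogus data offset; leave the segment alone
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == TCP_OPT_EOL:
            return None
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            return None  # truncated option
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            return None  # malformed option length; refuse to touch the packet
        if kind == TCP_OPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def parse_mss(segment: bytes) -> Optional[int]:
    """Return the advertised MSS of a segment, or None if it carries no MSS option."""
    off = _mss_value_offset(segment)
    return None if off is None else struct.unpack("!H", segment[off:off + 2])[0]


def clamp_mss(src_ip: str, dst_ip: str, segment: bytes, mtu: int, both: bool = False) -> bytes:
    """Rewrite the MSS option of a SYN (and, with both=True, a SYN+ACK) so it
    never exceeds mtu - 40, fixing up the TCP checksum. Other segments pass unchanged."""
    flags = segment[13]
    if not flags & TCP_FLAG_SYN:
        return segment
    if flags & TCP_FLAG_ACK and not both:
        return segment
    off = _mss_value_offset(segment)
    if off is None:
        return segment
    max_mss = mtu - IP_TCP_HEADER_BYTES
    current = struct.unpack("!H", segment[off:off + 2])[0]
    if current <= max_mss:
        return segment
    seg = bytearray(segment)
    seg[off:off + 2] = struct.pack("!H", max_mss)
    seg[16:18] = b"\x00\x00"  # zero the checksum field before recomputing
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int,
              flags: int = TCP_FLAG_SYN) -> bytes:
    """Construct a minimal, correctly checksummed TCP segment carrying one MSS option."""
    opts = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    data_offset = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, data_offset << 4, flags, 65535, 0, 0)
    seg = hdr + opts
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


if __name__ == "__main__":
    # Constructed sample: a client SYN advertising MSS 1460 crossing a 1300-byte MTU link.
    syn = build_syn("10.0.0.1", "192.168.0.1", 40000, 80, 1460)
    clamped = clamp_mss("10.0.0.1", "192.168.0.1", syn, 1300)
    print("before:", parse_mss(syn), "after:", parse_mss(clamped))
```

The option walker refuses to modify a segment whose option list is malformed rather than guessing, which is the safe choice for anything that rewrites packets in the forwarding path; and the checksum test (a checksum computed over a correctly checksummed segment comes out as zero) is a quick way to confirm the rewrite did not corrupt the packet.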

This is tested, working, and in production on my live FreeBSD firewalls, a great little tool...
