[Bug 277] X11 forwarding problem behind Router/NAT box

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Jun 15 20:07:59 EST 2002

http://bugzilla.mindrot.org/show_bug.cgi?id=277

------- Additional Comments From dtucker at zip.com.au  2002-06-15 20:07 -------
Here's an edited version from a previous (emailed) answer to this:
 
Short answer:
You probably have an MTU/fragmentation problem. For each network interface on 
both client and server set the MTU to 576, eg "ifconfig ethX mtu 576". If the 
problem goes away, read on.

Long answer:
At each routing hop, IP packets bigger than the outgoing interface's MTU get 
fragmented. Only the first fragment has TCP port numbers. Firewalls usually drop 
everything but the first fragment since it can't be matched against the 
rulebase. Some NAT configuration (eg many-to-one NAT or port address 
translation) can't match the fragments against their translation state tables.

Logging in and using the shell will normally generate relatively small packets, 
however if you do something that generates a lot of data (eg cat'ing a big file or 
starting an X app), you may generate a packet bigger than the MTU.

Let's say it's a 1500 byte IP packet and the router has 2 different MTUs (say 
1500 & 1484) and no firewall. When the router goes to forward it, the packet is 
too big for the interface MTU (1484), so the router breaks it into 2 fragments, 
0 and 1. Fragment 0 contains the first 1484 bytes (including the TCP source and 
dest ports) and fragment 1 contains the remaining 16 bytes. Both fragments are 
sent on to their destinations.

When the first fragment reaches its target, it's held by the IP stack until the 
remaining fragments arrive, at which time the IP packet is reassembled and 
passed up the stack to TCP. If all fragments are not received by the timeout, 
the entire IP packet is discarded and an ICMP "timeout during reassembly" error 
is sent back.

Now add your firewall, which drops fragment 1. Your 1500 byte IP packet times 
out during reassembly and TCP retries, by sending another 1500 byte packet. 
Repeat. Eventually, TCP will time out and you'll get a connection termination.

IP stack parameters (such as Path MTU Discovery) and external variables (such as 
the MTUs of all the hops between hosts) can also affect whether or not a given 
connection will be affected.

Maybe I ought to submit this to the FAQ maintainer....



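The fragmentation and firewall interaction described in the comment above, as an added Python model (not code from the bug report or from OpenSSH). Header sizes, the 40000 -> 22 port pair and the data bytes are constructed to match the 1500-byte packet / 1484-byte MTU figures in the comment, and the firewall is a stateless port filter that passes only fragments whose TCP header it can read.

```python
"""Model of IPv4 fragmentation meeting a stateless port filter."""
from dataclasses import dataclass

IP_HDR = 20      # constructed: IPv4 header without options
TCP_HDR = 20     # constructed: TCP header without options
SSH_PORT = 22


@dataclass
class Fragment:
    offset: int   # byte offset of this chunk within the original IP payload
    more: bool    # the IP "More Fragments" flag
    data: bytes   # chunk of transport-layer bytes this fragment carries

    def tcp_ports(self):
        """Ports are only readable in the fragment that starts at offset 0."""
        if self.offset != 0 or len(self.data) < 4:
            return None
        return (int.from_bytes(self.data[:2], "big"),
                int.from_bytes(self.data[2:4], "big"))


def ssh_segment(n_data: int) -> bytes:
    """Constructed TCP segment: sport 40000, dport 22, zeroed rest of header."""
    return ((40000).to_bytes(2, "big") + SSH_PORT.to_bytes(2, "big")
            + bytes(TCP_HDR - 4) + b"x" * n_data)


def fragment(payload: bytes, mtu: int) -> list:
    """Split an IP payload so header + chunk fits the outgoing MTU.
    Non-final fragments carry a multiple of 8 bytes, as IPv4 requires."""
    chunk = (mtu - IP_HDR) // 8 * 8
    return [Fragment(off, off + chunk < len(payload), payload[off:off + chunk])
            for off in range(0, len(payload), chunk)]


def firewall(frags: list) -> list:
    """Stateless filter: pass only fragments showing destination port 22."""
    return [f for f in frags if f.tcp_ports() and f.tcp_ports()[1] == SSH_PORT]


def reassemble(frags: list):
    """Return the payload if every fragment arrived, else None (timeout)."""
    frags = sorted(frags, key=lambda f: f.offset)
    expected = 0
    for f in frags:
        if f.offset != expected:
            return None                     # gap: reassembly timer fires
        expected += len(f.data)
        if not f.more:
            return b"".join(x.data for x in frags)
    return None                             # last fragment never arrived


def deliver(packet_len: int, mtu: int, filtered: bool):
    """Send one packet_len-byte IP packet across a hop with the given MTU."""
    frags = fragment(ssh_segment(packet_len - IP_HDR - TCP_HDR), mtu)
    return reassemble(firewall(frags) if filtered else frags)
```

With the firewall in place the 1500-byte packet never reassembles, while a packet that fits a 576-byte MTU passes in one piece.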