Firewall masquerade and MTU problems

I have done an unplanned upgrade of a server from CentOS 8 Stream to Rocky 9.5. This server also has the PPPoE Internet connection, so it provides Internet access to all other IP devices on the LAN via NAT masquerade. Initially I had a lot of network timeout failures for devices other than the server itself. I have tracked the problem to the PPPoE interface having an MTU of 1492 while the LAN MTU is 1500.

On my earlier system this all just worked. From what I understand “MTU discovery” should take care of this but I don’t know how that actually works. If I manually change the LAN MTU to 1492 on a device using the server as its gateway it works fine. So for now I have simply added “option interface-mtu 1492;” to dhcpd.conf and now have a working system.

However, I suspect this is not how things are meant to be done?

I used firewall-cmd to set things up, using Linux NAT Firewall Setup as a starting point. There were a few things in their setup script which I had not seen or used before.

Firstly there was:

firewall-cmd --zone=internal --add-masquerade --permanent

Which I assume I don’t actually need for local devices that want Internet access. Later I will want to forward a port for my KiwiSDR to give public access, as I had before. So maybe I will need it when I try to get that working again?

There were some new commands I had not seen before that apparently relate to Rocky 9, so I used them too. I don’t know if they are relevant to the problems I had. They are:

# This next bit is needed for RHEL 9, Rocky 9, Fedora 35+
# create new policy to allow traffic forwarding between zones
firewall-cmd --permanent --new-policy policy_int_to_ext
firewall-cmd --permanent --policy policy_int_to_ext --add-ingress-zone internal
firewall-cmd --permanent --policy policy_int_to_ext --add-egress-zone external
firewall-cmd --permanent --policy policy_int_to_ext --set-priority 100
firewall-cmd --permanent --policy policy_int_to_ext --set-target ACCEPT

I did all the network set up using the nmcli commands so the NetworkManager should be in control of everything, I think.

So open to pointers on if I should be doing anything differently, or links to relevant reading.

Thanks :slight_smile:

FirewallD is a frontend, a “middleware”. It creates rules for the backend, nf_tables in the kernel.
One can see what the “logical” FirewallD config translates into with:
[EDIT]

nft list ruleset

[/EDIT]
It is a bit of a long list, with plenty of empty chains, so spotting “the beef” takes effort.


I don’t know PPPoE or MTU, but why do I associate the MTU discovery with IPv6?

Thanks for that. The best I could find was the files that firewalld has in the /etc/firewalld/ directory. I tried comparing that with a backup from the earlier Centos * install, but that was not helpful.

Isn’t ‘dnf’ the latest package manager? “dnf list ruleset” just gives the error “No matching Packages to list”

PPPoE is “Point-to-Point Protocol over Ethernet”, which is the protocol my ISP uses for my fibre connection. MTU is “Maximum Transmission Unit”, or the largest IP packet size a network device will carry. Because the Internet interface maximum packet size is 8 bytes smaller than the LAN interface, packets over a certain size will be truncated, corrupting them, unless the situation is handled correctly.

By forcing the LAN packet size limit to match the Internet connection I have stopped the issue, but I don’t think the way I have done it is meant to be necessary. Google was ok about warning about the issue but rather sparse on information about dealing with it in the era of nf_tables.
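The PPPoE overhead arithmetic described in the post above, together with the fix a router normally applies instead of lowering every client's MTU: clamping the TCP MSS of forwarded SYN packets so that no full-size segment is ever built. This is an added example and not code from the thread, from firewalld or from nftables; the addresses and ports are constructed, and the clamp function imitates in Python what the kernel does for the nftables statement `tcp option maxseg size set rt mtu`.

```python
"""PPPoE MTU arithmetic and TCP MSS clamping for a 1500-byte LAN behind a
1492-byte PPPoE link.  Added example; addresses and ports are constructed."""
import socket
import struct

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8        # 6-byte PPPoE header + 2-byte PPP protocol field
IPV4_HDR = 20             # IPv4 header without options
TCP_HDR = 20              # TCP header without options


def pppoe_mtu(link_mtu: int = ETHERNET_MTU) -> int:
    """Largest IP packet that fits in one PPPoE frame: 1500 - 8 = 1492."""
    return link_mtu - PPPOE_OVERHEAD


def max_mss(path_mtu: int) -> int:
    """Largest TCP payload that fits in one packet of the given MTU (IPv4)."""
    return path_mtu - IPV4_HDR - TCP_HDR


def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed IPv4 + TCP SYN carrying an MSS option (kind 2, length 4)."""
    opts = struct.pack("!BBH", 2, 4, mss)
    doff = (TCP_HDR + len(opts)) // 4                   # header length in words
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                                doff << 4, 0x02, 65535, 0, 0) + opts)
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp))
    struct.pack_into("!H", tcp, 16, _csum(pseudo + bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + len(tcp),
                               0, 0x4000, 64, 6, 0, s, d))  # 0x4000 = DF bit
    struct.pack_into("!H", ip, 10, _csum(bytes(ip)))
    return bytes(ip) + bytes(tcp)


def _tcp_bounds(pkt: bytes):
    """(offset of TCP header, TCP header length) for an IPv4 packet."""
    t = (pkt[0] & 0x0F) * 4
    return t, (pkt[t + 12] >> 4) * 4


def _mss_index(opts: bytes):
    """Offset of the MSS option inside the TCP option bytes, or None."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # end of option list
            return None
        if kind == 1:                    # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            return None                  # truncated or malformed option
        if kind == 2 and opts[i + 1] == 4:
            return i
        i += opts[i + 1]
    return None


def read_mss(pkt: bytes):
    """MSS option value of a TCP segment, or None if it carries none."""
    t, doff = _tcp_bounds(pkt)
    opts = pkt[t + TCP_HDR:t + doff]
    i = _mss_index(opts)
    return None if i is None else struct.unpack_from("!H", opts, i + 2)[0]


def tcp_checksum_ok(pkt: bytes) -> bool:
    """True if the TCP checksum (with IPv4 pseudo-header) verifies."""
    t, _ = _tcp_bounds(pkt)
    tcp = pkt[t:]
    return _csum(pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) == 0


def clamp_mss(pkt: bytes, path_mtu: int) -> bytes:
    """Lower the MSS of a forwarded SYN so segments fit path_mtu; this is the
    effect of nftables 'tcp option maxseg size set rt mtu' on the router."""
    if pkt[9] != 6:                      # protocol field: not TCP
        return pkt
    t, doff = _tcp_bounds(pkt)
    if not pkt[t + 13] & 0x02:           # MSS is only negotiated in SYNs
        return pkt
    opts = pkt[t + TCP_HDR:t + doff]
    i = _mss_index(opts)
    limit = max_mss(path_mtu)
    if i is None or struct.unpack_from("!H", opts, i + 2)[0] <= limit:
        return pkt                       # nothing to do, packet unchanged
    tcp = bytearray(pkt[t:])
    struct.pack_into("!H", tcp, TCP_HDR + i + 2, limit)
    tcp[16:18] = b"\x00\x00"             # recompute the TCP checksum
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    struct.pack_into("!H", tcp, 16, _csum(pseudo + bytes(tcp)))
    return pkt[:t] + bytes(tcp)


if __name__ == "__main__":
    syn = build_syn("192.168.1.10", "203.0.113.5", 40000, 443, max_mss(ETHERNET_MTU))
    print("LAN host offers MSS", read_mss(syn), "; PPPoE path MTU", pppoe_mtu())
    print("after clamp MSS", read_mss(clamp_mss(syn, pppoe_mtu())))
```

On a Rocky 9 router the same effect comes from one rule in a forward chain, either natively in nftables (`tcp flags syn tcp option maxseg size set rt mtu`) or through a firewalld direct rule in iptables syntax, `firewall-cmd --permanent --direct --add-rule ipv4 mangle FORWARD 0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`. Two caveats: clamping helps only TCP, so UDP and other protocols still depend on path MTU discovery, which in turn needs ICMP "fragmentation needed" messages to reach the sender rather than being filtered; and the `interface-mtu 1492` DHCP option from the post covers every protocol but only for hosts that take their configuration from that DHCP server.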

My bad. :flushed:

nft list ruleset

In principle, that config ought to be transferable. Alas, the FirewallD in CentOS 7 did lack support for things, like inter-zone rules (i.e. rules for a “real router”, which the “Policy Objects” now implement). Hence, the config options have changed. Translating from one system to another is almost never fully automatic.
