
Firewall Mangle: modifying MSS (learning RouterOS from scratch)

2025-04-06 Update From: SLTechnology News&Howtos > Network Security

Shulou (Shulou.com) 06/01 Report

The purpose of this chapter is to:

Deal with end-to-end network problems, for example ordinary web pages cannot be opened while QQ still works.

Handle web pages that display incompletely, for example images that do not load.

Handle access problems between interconnected branch sites.

Mainly, understand inter-area routing and the transmission process between server and client.

I. Application operation

1. First, how to modify the MSS:

Go to IP > Firewall > Mangle and click the + sign to create a new rule, as shown in the screenshot below:

Then, in the Advanced options:

And in the Action tab:

Note that the MTU of PPPoE is 1480.

2. Comparison of the results:

Before the modification, how large an MSS does the SYN request advertise, and how large is the payload of the corresponding return packet?

SYN request

This is the payload size of the reply.

After changing the MSS to 1420, the following three figures show:

SYN request:

The corresponding returned segment:
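What the mangle rule in section 1 does to the SYN shown in section 2 can be reproduced on raw bytes. The Python below is an added example, not code from the article or from MikroTik: it builds a constructed SYN segment with an MSS option, reads the advertised MSS (the value visible in the SYN capture above), clamps it to a lower value the way a RouterOS rule such as `/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1420 passthrough=yes` does, and recomputes the TCP checksum, which any device that rewrites the option must do. The addresses and ports are constructed sample values; `mss_for_mtu` applies the MSS = MTU - 40 rule from the conceptual section (1500 gives 1460, the PPPoE MTU of 1480 gives 1440).

```python
import socket
import struct

IP_HDR_LEN = 20        # IPv4 header without options
TCP_HDR_LEN = 20       # TCP header without options
MSS_OPTION_KIND = 2    # TCP option kind for Maximum Segment Size


def mss_for_mtu(mtu: int) -> int:
    """MSS = MTU - 20-byte IPv4 header - 20-byte TCP header (no options)."""
    return mtu - IP_HDR_LEN - TCP_HDR_LEN


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Ones-complement checksum over the IPv4 pseudo-header plus the TCP segment.
    Run over a segment whose checksum field is already filled in, it returns 0."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))   # zero, protocol 6, length
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip: str, dst_ip: str, src_port: int, dst_port: int, mss: int) -> bytes:
    """Constructed TCP SYN segment carrying a single MSS option (no IP header)."""
    options = struct.pack("!BBH", MSS_OPTION_KIND, 4, mss)       # kind, length, value
    data_offset_words = (TCP_HDR_LEN + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         data_offset_words << 4, 0x02, 65535, 0, 0)  # flags 0x02 = SYN
    segment = bytearray(header + options)
    struct.pack_into("!H", segment, 16, tcp_checksum(src_ip, dst_ip, bytes(segment)))
    return bytes(segment)


def _mss_option_offset(segment: bytes):
    """Byte offset of the MSS option's value field, or None if there is no MSS option."""
    header_len = (segment[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < header_len:
        kind = segment[i]
        if kind == 0:          # End of option list
            break
        if kind == 1:          # NOP padding, one byte
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:         # malformed option: stop instead of looping forever
            break
        if kind == MSS_OPTION_KIND and length == 4:
            return i + 2
        i += length
    return None


def parse_mss(segment: bytes):
    """Advertised MSS of a SYN, or None when the option is absent."""
    off = _mss_option_offset(segment)
    return None if off is None else struct.unpack_from("!H", segment, off)[0]


def clamp_mss(src_ip: str, dst_ip: str, segment: bytes, new_mss: int) -> bytes:
    """Rewrite the MSS option of a SYN that advertises more than new_mss and fix the
    checksum. Non-SYN segments, SYNs without an MSS option and SYNs already at or
    below new_mss pass through unchanged, as a change-mss mangle rule does."""
    if not segment[13] & 0x02:
        return segment
    off = _mss_option_offset(segment)
    if off is None or struct.unpack_from("!H", segment, off)[0] <= new_mss:
        return segment
    seg = bytearray(segment)
    struct.pack_into("!H", seg, off, new_mss)
    struct.pack_into("!H", seg, 16, 0)                      # zero before recomputing
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


if __name__ == "__main__":
    src, dst = "192.0.2.10", "198.51.100.20"               # constructed sample addresses
    syn = build_syn(src, dst, 40000, 80, mss_for_mtu(1500))
    clamped = clamp_mss(src, dst, syn, 1420)
    print("before:", parse_mss(syn), "after:", parse_mss(clamped),
          "checksum ok:", tcp_checksum(src, dst, clamped) == 0)
```

Because the rule only touches SYN segments, it has to match in both directions of the handshake (chain=forward sees both the client's SYN and the server's SYN-ACK), and a SYN whose MSS is already small enough is left alone, which is why `clamp_mss` returns the original bytes unchanged in that case.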

II. Conceptual understanding:

MTU, Maximum Transmission Unit: the largest unit that can be transmitted; it works at the data link layer, the second layer of OSI.

IP, Internet Protocol (address): works at the network layer, the third layer of OSI.

TCP, Transmission Control Protocol: works at the transport layer, the fourth layer of OSI.

UDP, User Datagram Protocol: works at the transport layer, the fourth layer of OSI.

MSS, Maximum Segment Size: the maximum length of a TCP segment's payload; it is a TCP option and therefore also belongs to layer 4 of OSI.

MSS = MTU - 40, where the 40 bytes are the 20-byte IP header plus the 20-byte TCP header.

III. A plain-language picture of the MSS principle in TCP:

Think of the server as shipping a container: the empty container weighs 40 T and it carries a 1460 T load, so the full container is exactly 1500 T. Off it goes to us!

The network is like many transfer stations (routers) connected by conveyor belts of different capacities, some rated 1500 T and some 1400 T.

On a 1400 T conveyor belt the empty container still weighs 40 T, but the load can only be 1360 T.

When the server's goods move from a 1500 T belt onto a 1400 T belt, the container has to be split and repacked: the 1460 T load becomes two containers, one of 1360 T and one of 100 T, which obviously increases the transfer station's workload. When they reach us, our local router repacks the two containers into a single 1460 T container and delivers it. We see the page; in principle it works perfectly!

But the transfer station is now very busy, because one job has to be done twice, and a busy station makes mistakes, so sometimes the complete item never gets reassembled.

In addition, some transfer stations along the way limit your PIR (Peak Information Rate) and simply drop packets that exceed it. The goods that arrive at our local router then no longer match up, and after waiting a long time the remaining packets still have not arrived, so our local station cannot reassemble the containers in the right order and has to discard them. That is why a web page can refuse to open for ages, while only the small containers (text) get through.

The question is: won't TCP retransmit it?

Yes, TCP does retransmit. The server sends data and waits for us to confirm receipt (ACK); if we never receive the packet, we never send the ACK. After waiting a while the server retransmits. If the packet still does not arrive and still no ACK is sent, the server waits 1 second the first time, 2 seconds the second time, 4 seconds the third time, and so on; by default it retransmits 15 times, until the retransmission timeout (RTO) is exhausted and the connection is torn down.

In Linux the RTO has a minimum of 200 ms and a maximum of 120 s, and both can be set in the kernel.

RouterOS can likewise set the connection tracking timeouts in the firewall.
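The backoff described above (1 s, 2 s, 4 s, ... capped at the 120 s maximum, 15 retries by default) is easy to tabulate. The Python below is an added illustration, not code from the article or from the Linux kernel: it models the RTO as simple doubling, clamped to the 200 ms floor and 120 s ceiling quoted above, and ignores the RTT-based RTO estimate a real stack uses, so the numbers show the shape of the schedule rather than what a specific kernel would measure.

```python
def retransmit_schedule(initial_rto: float, retries: int = 15,
                        rto_min: float = 0.2, rto_max: float = 120.0) -> list:
    """Return the wait (seconds) before each retransmission.

    Each unanswered retransmission doubles the RTO, and the RTO is clamped to
    [rto_min, rto_max]; the defaults mirror the figures quoted in the text
    (200 ms floor, 120 s ceiling, 15 retries). Assumption: pure doubling with
    no RTT feedback, which is a simplification of a real TCP stack.
    """
    rto = min(max(initial_rto, rto_min), rto_max)
    waits = []
    for _ in range(retries):
        waits.append(rto)
        rto = min(rto * 2, rto_max)
    return waits


def time_to_give_up(initial_rto: float, retries: int = 15) -> float:
    """Total seconds a sender keeps retrying before it tears the connection down."""
    return sum(retransmit_schedule(initial_rto, retries))


if __name__ == "__main__":
    for i, wait in enumerate(retransmit_schedule(1.0), start=1):
        print(f"retransmission {i:2d}: wait {wait:6.1f} s")
    print(f"connection abandoned after about {time_to_give_up(1.0):.0f} s")
```

The practical point for the symptom in section III is the scale: even with the cap, a server keeps retrying a lost segment for many minutes, so a client whose large segments are being dropped sees the page hang rather than fail quickly, while small text segments continue to arrive.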

IV. The benefits of modifying MSS

Modifying the MSS means actively negotiating with the server the payload size of every packet it sends to our router, so that each packet can travel the whole path and reach us in one piece, reducing the packet loss caused by fragmentation. If packets are still lost, we can at least tell which ones were lost. In short, splitting and re-encapsulation along the external forwarding path is minimized, and reassembly happens only on our own router.

V. Why modifying only the MSS, not the MTU, is recommended

Good question. It is precisely because at the fourth layer of OSI there is not only TCP but also UDP!

MSS belongs to TCP. Lowering the MTU would reduce the MSS as well, but it would also reduce the transmission efficiency of our UDP traffic, and we have many UDP-based applications, such as QQ, IP telephony, video conferencing and so on.

So we recommend modifying the MSS rather than the MTU, unless your router does not support MSS modification.


© 2024 shulou.com SLNews company. All rights reserved.
