stoz
join:2012-03-13

1 edit

stoz to Geekball

Re: [Config] Setup Cisco 877 to work with Bt Infinity

I think I may be getting slightly confused with the MTU values. I've set them subsequently to posting the config, which is why they aren't showing up. I found a few posts on Google where people had done similar to me, and stated that you had to match the MTU to the packet size you settle on doing ping -l -f. It doesn't seem to have made any difference.

For clarity should I just set MTU 1492 on Dialer 1 and MSS 1452 on Dialer 1 too? Do I need to set the MSS on any of the VLAN interfaces?

Oh, I tested the VPN from home last night and it works fine. I realise now that testing it from the web server doesn't work (1723 isn't opened) and nmap and ShieldsUP were correctly reporting that the port is open.

Edit: additionally, I find that if I disable the Cisco FW, downloads work fine. We can surf the net with the FW up, but no downloads or speed test. Not sure what in the FW might be blocking it, but imagine maybe it isn't necessarily specific to using PPPoE like this scenario...
Geekball
join:2004-01-19
UK

You should just need to set them on Dialer1 as that's where the limitation is. Other traffic can use a higher MTU and anything going over the Dialer1 interface should automatically get its MSS lowered to the correct value in the SYN packet.

Given that your downloads work with the firewall off, it's pointing to a problem with the firewall inspection. My guess is you need to add match protocol http to the sdm-cls-insp-traffic class-map. Make sure you add it before the match protocol tcp.

Cheers,

Paul
stoz
join:2012-03-13

Ok great I'll give that a go. Many thanks again Paul.
stoz to Geekball

Right well I got somewhere by moving the match http rule above the sdm-class-inspect-traffic rule in the SDM - speedtest got a bit further, but slower than normal, before eventually erroring out. Back to the drawing board I guess.
Geekball
join:2004-01-19
UK

Just out of curiosity, what speedtest are you using? I've just started using www.measurementlab.net/run-ndt which seems to be quite good, can give you some useful info. What errors are you getting? Does anything pop up in the console logs on the router?

You're doing a lot with that router so it could be that its CPU is maxed. As I said, ours will top out at ~30Mbps downstream just doing NAT - no ZBF at the moment. If it's gotta inspect all the packets coming in as well, I'd expect that to add more load. Try a sh proc cpu history and see what the cpu loads are like. Though, saying that, I'd expect it to just get slower rather than cause a connection to drop if the cpu load was causing the problem.

Cheers
stoz
join:2012-03-13

I normally just use speedtest.net (37.99 down / 9.00 up)
I had a go with the site you linked and got 37 down / 9 up. I can post the details too but they don't seem amiss.

If you're just using NAT on the router what're you using for the ZBF? Another Cisco or proxy server? NAT on our router is working fine, although non-used ports are closed rather than stealthed. The speed is absolutely fine too, it's only when we enable basic FW that we run into problems.