On Tue, Nov 27, 2001 at 02:10:53PM -0500, Mike Frysinger wrote: vapier> i dont know about the 'performance problems' you speak of vapier> when using PPPoE + NAT ... im running 2 linux boxes as routers vapier> on verizon DSL and both get a constant 60kB (which is what vapier> the cap is for my price package). each box does NAT for vapier> 4-5 people, and each has hit 40+days of uptime w/out any vapier> 'performance problems' ... vapier> -mike PPPoE's MTU is 1492 bytes due to the extra PPP header in the Ethernet frame. Hosts sitting behind a NAT will not know of this reduced MTU and still send IP packets that fill up the Ethernet frames up to a maximum size of 1500 bytes. (WinPoET reduces the MTU for the local machine where it is installed.) When the NAT tries to forward these packets, they will need to be fragmented at the point where they enter the PPPoE link. This causes reduced performance, and in some circumstances can cause packets to be dropped on the floor. Normally, Path MTU discovery should take care of discovering the minimum MTU on the complete path from the source to the destination, but many incorrectly configured routers/firewalls on the Internet drop all ICMP traffic, causing mysterious connectivity loss to destinations behind these broken firewalls due to the failure of the Path MTU to work correctly. You could work around this problem by changing the MTU on all your boxes behind the NAT/PPPoE (this involves changing a registry key on Windows), or by using a hack that "clamps" the TCP MSS (Maximum Segment Size) at the NAT. rp-pppoe, for example, has a built-in feature that does this clamping. Older pppoe packages for Linux used a kernel module called mssclampfw to do the clamping. This clamping only works for TCP, though. If you can live with the limitations and hacks required for PPPoE and NAT, fine. I prefer a "real" connection to the internet. -- Charles R. Anderson <cra@wpi.edu> / http://angus.ind.wpi.edu/~cra/ PGP Key ID: 49BB5886 Fingerprint: EBA3 A106 7C93 FA07 8E15 3AC2 C367 A0F9 49BB 5886