Some users cannot access my web site--firewall problem?

I'm running an archive of Jeopardy! clues and responses off of an OpenBSD/Apache server at j-archive.com. Some users have reported that they are never able to access the site. One user is able to access the site with his laptop from his parents' house, but not from his own house--and no settings are being changed on his laptop. Users that are unable to access the site (their browser gives them a "This page cannot be displayed" error) ARE able to successfully ping and tracert the server.

My best guess is that there is some combination of firewall rules both from my end and from theirs that is blocking access to j-archive.com. My packet filter rules are quite strict, but they allow all web traffic on port 80. And again, most users have no problem accessing the site.

I would like to correct whatever problem on my end may be causing the issue, and/or provide instructions for remote users so that they can solve whatever problems may be on their end. Has anyone run into this sort of problem before?

Here is the thread on the official Jeopardy! Message Board wherein some of the users describe the problem. I've asked them to post IP addresses from which they can and cannot access the archive. (Is that even a useful question to ask?)

All the best, Robert K S


In article , wrote:
:I'm running an archive of Jeopardy! clues and responses off of an
:OpenBSD/Apache server at j-archive.com. Some users have reported that
:they are never able to access the site. One user is able to access the
:site with his laptop from his parents' house, but not from his own
:house--and no settings are being changed on his laptop. Users that are
:unable to access the site (their browser gives them a "This page cannot
:be displayed" error) ARE able to successfully ping and tracert the
:server.

Not necessarily a firewall problem per se -- it sounds like an MTU problem. Does your server have PMTUD (Path MTU Discovery) enabled? Is your firewall set to permit ICMP "FragNeeded"? Is your firewall set up to override TCPMSS to a high value?

Sometimes the fault is not really at your end. For example, you could have PMTUD configured completely correctly, but the user might not have it done right (or at all.) The user you mention who cannot access from home might be using a system at home that uses PPPoE, which uses 8 bytes of overhead (sometimes closer to 150 bytes, on some DSL implementations!). If the user's system isn't configured for PMTUD then their system would be able to handle data up to 1492 bytes per packet whereas (because their system didn't tell you otherwise) you are trying to send 1500 bytes per packet.

If the problem is PMTUD, then you could work around it on the user's behalf by lowering your MTU by 8 bytes (for working PPPoE), or various other magic size reductions (e.g., 48 bytes) to accommodate increasingly poorly implemented PPPoE or other encapsulation.

One question to ask is whether the people who have trouble getting through are on residential DSL (which often uses PPPoE) and if when they are able to access it from other sites (e.g., parents) whether that other site is on some other type of connection such as broadband cable.

Walter Roberson
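
An added example, not part of either post: a small Python model of the MTU black hole the reply describes, showing why ping succeeds while a full-size HTTP response never arrives, and how permitting ICMP "FragNeeded" or lowering the server MTU by 8 bytes changes the outcome. The path MTUs, header sizes and function names are constructed for illustration.

```python
# Constructed model of the failure described above; all values are illustrative.
IP_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header, no options
PPPOE_OVERHEAD = 8    # per the reply: PPPoE takes 8 bytes out of a 1500-byte frame

def send_with_df(size, path_mtus):
    """Send one Don't-Fragment packet along the path.
    Returns (True, None) if delivered, else (False, MTU of the link that refused it)."""
    for mtu in path_mtus:
        if size > mtu:
            return False, mtu  # router drops it and emits ICMP "FragNeeded"
    return True, None

def fetch_page(path_mtus, client_mss, server_mtu=1500,
               icmp_needfrag_allowed=True, retries=3):
    """Model the server sending one full-size HTTP response segment.
    client_mss is what the client advertised in its SYN."""
    size = min(client_mss, server_mtu - IP_TCP_HEADERS) + IP_TCP_HEADERS
    for attempt in range(1, retries + 1):
        ok, reported_mtu = send_with_df(size, path_mtus)
        if ok:
            return {"loaded": True, "packet_size": size, "attempts": attempt}
        if icmp_needfrag_allowed:
            size = reported_mtu  # PMTUD: shrink to the MTU the router reported
        # otherwise the ICMP never arrives and the same size is retransmitted
    return {"loaded": False, "packet_size": size, "attempts": retries}

def ping_works(path_mtus, payload=56):
    """A default ping (56-byte payload + 28 bytes of IP/ICMP headers) is tiny."""
    return send_with_df(payload + 28, path_mtus)[0]

# Server LAN -> ISP -> access link -> user's home LAN (constructed paths)
DSL_PATH = [1500, 1500, 1500 - PPPOE_OVERHEAD, 1500]
CABLE_PATH = [1500, 1500, 1500, 1500]

if __name__ == "__main__":
    # Client behind the PPPoE router still advertises MSS 1460 (its LAN MTU is 1500).
    print("ping over DSL:   ", ping_works(DSL_PATH))
    print("ICMP filtered:   ", fetch_page(DSL_PATH, 1460, icmp_needfrag_allowed=False))
    print("ICMP permitted:  ", fetch_page(DSL_PATH, 1460))
    print("server MTU 1492: ", fetch_page(DSL_PATH, 1460, server_mtu=1492,
                                          icmp_needfrag_allowed=False))
    print("cable, filtered: ", fetch_page(CABLE_PATH, 1460, icmp_needfrag_allowed=False))
```
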
