From owner-freebsd-pf@FreeBSD.ORG Mon Aug 19 09:13:19 2013
Message-ID: <5211E1A7.7070804@yandex.ru>
Date: Mon, 19 Aug 2013 13:13:11 +0400
From: Alexander (envelope-from axex007@yandex.ru)
To: Daniel Hartmeier
Subject: Re: Windows 7 + freebsd-pf + windows scale SYN-ACK problem
References:
<520E1822.7010505@yandex.ru> <20130816125058.GA28156@insomnia.benzedrine.cx> <520E35B3.4080607@yandex.ru> <20130816171227.GB28156@insomnia.benzedrine.cx>
In-Reply-To: <20130816171227.GB28156@insomnia.benzedrine.cx>
Cc: freebsd-pf@freebsd.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 16.08.2013 21:12, Daniel Hartmeier wrote:
> On Fri, Aug 16, 2013 at 06:22:43PM +0400, Alexander wrote:
>
>> My connection with the server (port 6666) starts to work and I think I
>> can be satisfied by this solution. But I still cannot understand why
>> packets are dropped without no state rules. As I revealed, they are
>> dropped between the bridge0 and vlan1 interfaces.
>
> This is probably because you filter on bridge0.
>
> There are some sysctls related to this, run sysctl -a | grep bridge
> I think in some combinations, pf sees packets on the bridge interface
> with the wrong direction.
>
> Do you have a particular reason for filtering on the bridge interface,
> and not just on the physical interfaces?
>
> Daniel

Ok! I tried to remove rxcsum and txcsum on lo0 - it didn't help.

> Do you have a particular reason for filtering on the bridge interface,
> and not just on the physical interfaces?

I have a 'pass on bridge0 all flags S/SA keep state' rule on the bridge; all other filters are on physical interfaces. Here's my full ruleset:

root@gate:~ # pfctl -s rules
pass in quick on vlan1 route-to lo0 inet proto tcp from to 127.0.0.1 port = 3128 flags S/SA keep state
block drop in quick inet proto icmp from any to 255.255.255.255
block drop in quick inet from 127.0.0.0/8 to any
block drop in quick on vlan1 inet from ! to any
block drop in log quick on bge0 inet from to any
block drop in log quick on bge0 inet from to any
block drop in log quick on bge0 inet from to any
block drop all
pass in on bge0 inet proto tcp from to 172.29.27.199 port = microsoft-ds flags S/SA keep state
pass in on bge0 inet proto tcp from to 172.29.27.199 port = netbios-ssn flags S/SA keep state
pass in on bge0 inet proto tcp from to 172.29.27.211 port = microsoft-ds flags S/SA keep state
pass in on bge0 inet proto tcp from to 172.29.27.211 port = netbios-ssn flags S/SA keep state
pass in on bge0 inet proto tcp from to 172.29.27.197 flags S/SA keep state
pass in on bge0 inet proto tcp from to 172.29.27.196 flags S/SA keep state
pass in on bge0 inet proto tcp from to 172.29.27.198 flags S/SA keep state
pass in on bge0 inet proto tcp from to 172.29.27.195 port = microsoft-ds flags S/SA keep state
pass in on bge0 inet proto tcp from to 172.29.27.195 port = netbios-ssn flags S/SA keep state
pass in on bge0 inet proto tcp from to 172.29.27.195 port = http flags S/SA keep state
pass in on bge0 inet proto tcp from to 172.29.27.195 port = z39.50 flags S/SA keep state
pass in on bge0 inet proto tcp from to 172.29.27.196 port = http flags S/SA keep state
pass in on bge0 inet proto tcp from to 172.29.27.196 port = 6666 flags S/SA keep state
pass in on bge0 inet proto udp from to 172.29.27.197 keep state
pass in on bge0 inet proto udp from to 172.29.27.196 keep state
pass in on bge0 inet proto udp from to 172.29.27.198 keep state
pass in on bge0 inet proto icmp from to 172.29.27.197 keep state
pass in on bge0 inet proto icmp from to 172.29.27.196 keep state
pass in on bge0 inet proto icmp from to 172.29.27.198 keep state
pass in on vlan1 inet from to 8.8.8.8 flags S/SA keep state
pass in on vlan1 inet from to 172.16.172.16 flags S/SA keep state
pass in on vlan1 inet from to 192.168.192.168 flags S/SA keep state
pass in on vlan1 inet proto udp from to 172.29.27.194 port = ntp keep state
pass in on vlan1 inet proto tcp from 172.29.27.200 to 172.29.27.194 port = 10050 flags S/SA keep state
pass in on vlan1 from to ! flags S/SA keep state
pass in on vlan1 from to ! flags S/SA keep state
pass in on vlan1 from to any flags S/SA keep state
pass on bridge0 all flags S/SA keep state

There are no scrub rules.

My sysctl -a | grep bridge:
net.link.bridge.ipfw: 0
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 1
dev.pcib.0.%desc: ACPI Host-PCI bridge
dev.pcib.1.%desc: ACPI PCI-PCI bridge
dev.pcib.2.%desc: ACPI PCI-PCI bridge
dev.pcib.3.%desc: ACPI PCI-PCI bridge
dev.pcib.4.%desc: ACPI PCI-PCI bridge
dev.pcib.5.%desc: ACPI PCI-PCI bridge
dev.pcib.6.%desc: ACPI PCI-PCI bridge
dev.hostb.0.%desc: Host to PCI bridge
dev.isab.0.%desc: PCI-ISA bridge

As I mentioned earlier, disabling wscale support on Windows 7 makes the connection between MY_LAN and the server on port 6666 work.
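As an added example (my own code, not part of the thread and not a FreeBSD tool), here is a small Python audit of the two things Daniel points at: the net.link.bridge.pfil_* sysctls and stateful rules that match on the bridge interface. It parses `sysctl -a | grep bridge` and `pfctl -s rules` output; the sample input is constructed from the sysctl values posted above with placeholder addresses instead of the poster's tables, and the assumption that both pfil hooks count as enabled when a sysctl is absent from the input is mine.

```python
"""Audit a FreeBSD if_bridge + pf setup for double filtering.

Added example, not code from the thread or from FreeBSD. With both
net.link.bridge.pfil_member and net.link.bridge.pfil_bridge set to 1,
a bridged packet is handed to pf once on the member interface and again
on the bridge interface, so a stateful rule on the bridge sees the same
connection a second time.
"""
import re

# Constructed sample: the bridge pfil sysctls as posted in the thread.
SYSCTL_SAMPLE = """\
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1
"""

# Constructed sample: a cut-down ruleset in `pfctl -s rules` syntax.
# 10.0.0.0/8 and "any" are placeholders, not the poster's tables.
RULES_SAMPLE = """\
block drop all
block drop in log quick on bge0 inet from 10.0.0.0/8 to any
pass in on bge0 inet proto tcp from any to 172.29.27.196 port = 6666 flags S/SA keep state
pass in on vlan1 from any to any flags S/SA keep state
pass on bridge0 all flags S/SA keep state
"""


def parse_sysctl(text):
    """Return {name: int} for the net.link.bridge.* lines in sysctl output."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^(net\.link\.bridge\.\S+):\s*(-?\d+)\s*$", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


# Tokens at which the action/direction/interface prefix of a rule ends.
_STOP = {"inet", "inet6", "all", "proto", "from", "to", "route-to", "reply-to"}


def parse_rule(line):
    """Pull action, direction, interface and statefulness out of one rule."""
    toks = line.split()
    rule = {"action": toks[0], "direction": None, "iface": None,
            "keep_state": ("keep state" in line or "modulate state" in line
                           or "synproxy state" in line),
            "raw": line}
    i = 1
    while i < len(toks) and toks[i] not in _STOP:
        if toks[i] in ("in", "out"):
            rule["direction"] = toks[i]
        elif toks[i] == "on" and i + 1 < len(toks):
            rule["iface"] = toks[i + 1]
            i += 1
        i += 1
    return rule


def parse_rules(text):
    return [parse_rule(ln) for ln in text.splitlines() if ln.strip()]


def audit(sysctl, rules, bridge="bridge0"):
    """Return (code, detail) findings about filtering on the bridge.

    Assumption: a missing pfil sysctl is treated as 1 (hook enabled).
    """
    findings = []
    member = sysctl.get("net.link.bridge.pfil_member", 1)
    on_bridge = sysctl.get("net.link.bridge.pfil_bridge", 1)
    if member and on_bridge:
        findings.append(("double_filter",
                         "pfil_member=1 and pfil_bridge=1: bridged packets are "
                         "evaluated on the member and again on %s" % bridge))
    for r in rules:
        if r["iface"] != bridge:
            continue
        if member and on_bridge and r["keep_state"]:
            # This rule creates a second state entry for a connection the
            # member-interface rules already track; a rule with no direction
            # matches both in and out on the bridge.
            findings.append(("bridge_state_rule", r["raw"]))
        elif not on_bridge:
            # pf never runs on the bridge interface, so the rule is dead.
            findings.append(("dead_bridge_rule", r["raw"]))
    return findings


if __name__ == "__main__":
    for code, detail in audit(parse_sysctl(SYSCTL_SAMPLE),
                              parse_rules(RULES_SAMPLE)):
        print(code, "-", detail)
```

On a real box, feed it `sysctl -a | grep bridge` and `pfctl -s rules` and look for `bridge_state_rule`; dropping the bridge rule or setting net.link.bridge.pfil_bridge=0 leaves the member-interface rules as the only place state is created.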