Date: Sun, 28 Jun 2015 10:06:09 +0200
From: Milan Obuch
To: Ian FREISLICH
Cc: freebsd-pf@freebsd.org
Subject: Re: Large scale NAT with PF - some weird problem
Message-ID: <20150628100609.635544e0@zeta.dino.sk>
In-Reply-To: <20150623112331.668395d1@zeta.dino.sk>

On Tue, 23 Jun 2015 11:23:31 +0200
Milan Obuch wrote:

> On Tue, 23 Jun 2015 10:57:44 +0200
> Ian FREISLICH wrote:
>
> [ snip ]
>
> > So, I think that the problem is with 9-STABLE. I hate "upgrade to
> > solve your problems" answers because they may not. I do know that
> > 10 has seen a lot of work and none of that work will make it back
> > into 9 because of the PF rewrite. Maybe someone else in this group
> > will chime in.
> >
>
> That's OK. I am a bit conservative on upgrades here because with
> hundreds - thousands users you need a bit of stability too, but
> upgrade to 10-STABLE is currently being prepared. That being written,
> it will not occur today.
>

So, now I am at 10.2-PRERELEASE, r284884, and the issue is still here.
It is totally weird, just change of IP the device is being natted to
makes the issue disappear for this particular customer, but as soon as
this exact IP is used again, the issue is here again.

Could anybody help me to debug this better? It looks like I really
REALLY need some help :( Hate to write anything like this, but it is
urgent for me and I am out of ideas...

Regards,
Milan