From: Gleb Smirnoff
To: Peter Pentchev
Cc: Darren Reed, freebsd-net@freebsd.org
Date: Tue, 14 Dec 2004 11:53:10 +0300
Subject: Re: IPFilter, mpd/Netgraph problems on RELENG_4
Message-ID: <20041214085310.GC42820@cell.sick.ru>
In-Reply-To: <20041214080549.GC3183@straylight.m.ringlet.net>

  Peter,

  does the problem disappear if you turn ipfilter off, and run natd
on this interface? It is not clear from your mail.

On Tue, Dec 14, 2004 at 10:05:50AM +0200, Peter Pentchev wrote:
P> I am seeing a lot of ICMP Must Fragment packets with incorrect ICMP
P> checksums on a RELENG_4 box which holds up 40-60 PPTP (mpd/Netgraph) VPN
P> connections at any given time.  The peer understandably ignores the ICMP
P> packet with a bad checksum and never fragments the offending TCP packet,
P> effectively killing the connection after a while.
P>
P> A major point is that I'm only seeing them on the interfaces NAT'ed by
P> ipnat.  Is anybody else having trouble with ICMP checksums with IPFilter
P> 3.4.35 on a reasonably recent RELENG_4 box?
P>
P> FreeBSD unnamed 4.10-STABLE FreeBSD 4.10-STABLE #1: Thu Dec 2 10:31:16 EET 2004 root@unnamed:/usr/obj/usr/src-bsd/4.0S/src/sys/UNNAMED i386
P>
P> drwxr-xr-x 2 root wheel 512 Dec 2 11:43 /var/db/pkg/mpd-3.18_2

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
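
The receiver-side check described in the quoted report (an ICMP Fragmentation Needed message whose checksum does not verify is discarded, so the sender never learns the smaller MTU), as an added example that is not part of either message or of IPFilter's code. The packet contents, addresses and function names are constructed for illustration; the bad packet is produced by changing bytes of the quoted IP header without recomputing the ICMP checksum, which is an assumption used to get a failing case, not a statement about what ipnat does.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def check_frag_needed(icmp: bytes) -> dict:
    """Validate an ICMP message as a receiving host does before acting on it."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, stored, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    # Recompute over the whole message with the checksum field zeroed.
    expected = inet_checksum(icmp[:2] + b"\x00\x00" + icmp[4:])
    return {
        "frag_needed": icmp_type == 3 and code == 4,
        "next_hop_mtu": mtu,
        "stored": stored,
        "expected": expected,
        "valid": stored == expected,
    }

def build_sample(mtu: int = 1400) -> bytes:
    """Constructed sample: type 3 code 4 quoting a 20-byte IP header + 8 TCP bytes."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                           bytes([10, 0, 0, 2]), bytes([192, 0, 2, 10]))
    inner_tcp = struct.pack("!HHI", 40000, 80, 1)
    body = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner_ip + inner_tcp
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def rewrite_without_fixup(icmp: bytes) -> bytes:
    """Constructed bad case: alter the quoted source address, keep the old checksum."""
    off = 8 + 12  # ICMP header, then source-address offset in the quoted IP header
    return icmp[:off] + bytes([198, 51, 100, 7]) + icmp[off + 4:]

if __name__ == "__main__":
    good = build_sample()
    for name, pkt in (("good", good), ("bad", rewrite_without_fixup(good))):
        r = check_frag_needed(pkt)
        verdict = "accept" if r["valid"] else "drop (bad icmp cksum)"
        print(f"{name}: mtu={r['next_hop_mtu']} stored={r['stored']:#06x} "
              f"expected={r['expected']:#06x} -> {verdict}")
```
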