From: markham roan <mrkhmroan@gmail.com>
To: questions@freebsd.org
Date: Fri, 31 Jul 2009 13:15:56 -0500
Message-ID: <548f3c460907311115y5e89341ds91b43cd62c16dbf4@mail.gmail.com>
Subject: Windows 2008 + AD + PF + bridge = problems?
Has anyone used Windows 2008 and Active Directory with a bridging, NATing firewall between the domain controller and the 2008 machine? We're in a situation where we're trying to join a domain with a 2008 machine, and no matter what we do to the firewall, joining stalls and fails.

DC: Windows Server 2003
Server: Windows Server 2008
Firewall: FreeBSD 6.1 plus PF

We're doing bidirectional NAT on the clients, so the DC has a real address while the Server has an RFC1918 address. We are explicitly allowing all traffic between the server and the DC, with and later without keeping state. Windows Server 2003 machines behind the firewall join just fine, and Windows 2008 Server machines outside of the firewall join just fine.

A packet capture revealed a number of anomalies. Once the server starts trying to join the domain, we get all sorts of TCP transmission errors, retries, duplicate ACKs, etc. In some cases, the public side of the firewall will send an ICMP host-unreachable message for a host which is clearly being BINATed.

I've tinkered with net.inet.ip.intr_queue_maxlen, but it doesn't seem to help. net.inet.ip.intr_queue_drops isn't increasing at a noticeable rate, anyway.

Does anyone have any thoughts and/or advice on where I can go from here?
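For anyone trying to reproduce the setup the post describes (binat on the public side of a bridging PF box, an explicit pass for everything between the 2008 server and the DC, first stateful and then stateless), the following pf.conf sketch is an added illustration and not the poster's ruleset; the interface names, addresses and bridge sysctl values are assumptions.

```pf
# Added illustration of the configuration described in the post above.
# Not the poster's ruleset; interface names and addresses are placeholders.
ext_if  = "em0"          # bridge member on the public (DC) side
int_if  = "em1"          # bridge member on the inside (2008 server) side

dc      = "192.0.2.10"   # DC keeps its real address
srv_int = "10.0.0.20"    # 2008 server's RFC1918 address behind the bridge
srv_pub = "192.0.2.20"   # public address the server is presented as

# Assumed bridge filtering sysctls so each packet is filtered once, on the
# member interface it crosses, rather than again on bridge0:
#   net.link.bridge.pfil_member=1
#   net.link.bridge.pfil_bridge=0

# Bidirectional NAT: srv_int <-> srv_pub, translated in both directions.
binat on $ext_if from $srv_int to any -> $srv_pub

# Variant 1 (stateful): pass everything between the server and the DC.
# Both the inside and the translated address are listed so the rule matches
# whichever interface pf evaluates it on, before or after translation.
pass quick proto tcp from { $srv_int, $srv_pub } to $dc flags S/SA keep state
pass quick proto tcp from $dc to { $srv_int, $srv_pub } flags S/SA keep state
pass quick proto { udp, icmp } from { $srv_int, $srv_pub } to $dc keep state
pass quick proto { udp, icmp } from $dc to { $srv_int, $srv_pub } keep state

# Variant 2 (stateless): the same pairs with "no state", to rule out the
# state table as the cause. Swap these in for the rules above when testing.
# pass quick proto tcp from { $srv_int, $srv_pub } to $dc no state
# pass quick proto tcp from $dc to { $srv_int, $srv_pub } no state

# Everything else is dropped and logged to pflog0.
block log all

# Checks while a join attempt is running:
#   pfctl -vvsr                 rule hit counters: did the pass rules match?
#   pfctl -ss | grep 192.0.2.20 is a state being created for the binat host?
#   tcpdump -ni em0 icmp        who is emitting the host-unreachable messages?
```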