Date:      Thu, 01 Sep 2005 10:56:29 +0300
From:      Casper <kl@os.lv>
To:        questions@FreeBSD.org
Subject:   FreeBSD 5.4 router with pf nat, bug?
Message-ID:  <4316B42D.5020503@os.lv>


  Hi,

  I have a 5.4-RELEASE-p6 test router and I wanted to do all routing/fw 
with pf, to learn more pf...
I have added to the kernel options:
device pf
device pflog
device pfsync
options ALTQ

I set up jails with 172.22.x.x addresses, and on the local network I have 
192.168.x.x addresses...

ifconfig: rl0 has the real IP and the mapped jails... rl1 is the internal network...

/etc/pf.conf now looks like:
---------------------------------------------
ext_if="rl0"
int_if="rl1"

set state-policy if-bound
set loginterface $ext_if

scrub reassemble tcp fragment reassemble

nat on $ext_if from 172.1.1.1/8 to any -> ($ext_if)
nat on $ext_if from 192.168.1.1/8 to any -> $ext_if

rdr on $ext_if proto tcp from any to 159.148.155.14 port 8080 -> 172.22.1.2 port www

antispoof log quick for $ext_if inet
antispoof log quick for $int_if inet

block in log quick on $ext_if inet from any to ! ($ext_if)
pass quick on lo0 all

pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA synproxy state
-----------------------------------------------------------------------
The problem is that when I make a connection from a jail or the internal network, 
for any connection (http, ping, etc.) the first packet goes through and gets a reply, 
the second doesn't...
like:
# traceroute www.ass.lv
traceroute to www.ass.lv (195.13.160.54), 64 hops max, 40 byte packets
  1  my_router (my_router)  0.166 ms  0.143 ms  0.130 ms
  2  * next_router (next_router)  1.274 ms *
  3  titan-v12-gw.latnet.lv (159.148.13.150)  1.970 ms *  1.992 ms
  4  * 80.232.230.89 (80.232.230.89)  2.205 ms *

From my_router everything works OK:
1  next_router (next_router)  1.331 ms  0.962 ms  1.037 ms
2  titan-v12-gw.latnet.lv (159.148.13.150)  1.287 ms  0.757 ms  1.660 ms
3  80.232.230.89 (80.232.230.89)  1.218 ms  2.233 ms  1.352 ms

  So only NATed packets get lost, every second one... with tcpdump and pf 
logging everything shows that nothing is blocking them...
Any idea what is going on, or how to test where the problem is?

tnx,

K.
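The poster asks how to test where the problem is. As an added example (not from the original post), the shell script below tallies which translated source address each outbound NAT state in `pfctl -ss` output was given, using the pf 3.x state format shipped with FreeBSD 5.4 (`ifname proto lan -> gwy -> ext STATE`). The state lines are constructed to illustrate an external interface that also carries alias addresses, because pf treats a parenthesised interface with several addresses as a pool of translation addresses unless the `:0` modifier excludes the aliases; the alias value 172.22.1.1 is assumed.

```shell
#!/bin/sh
# Added example: tally the translated (gateway) source address of every
# outbound NAT state printed by `pfctl -ss` in the pf 3.x format:
#   ifname proto lan:port -> gwy:port -> ext:port   STATE
# More than one gateway address means the nat target is being spread
# over several addresses instead of the single routable external IP.

# Constructed sample output for a router whose rl0 carries both the
# real IP (159.148.155.14) and a jail alias (172.22.1.1, assumed).
SAMPLE_STATES='rl0 udp 172.22.1.2:33435 -> 159.148.155.14:50001 -> 195.13.160.54:33435       SINGLE:NO_TRAFFIC
rl0 udp 172.22.1.2:33436 -> 172.22.1.1:50002 -> 195.13.160.54:33436       SINGLE:NO_TRAFFIC
rl0 udp 172.22.1.2:33437 -> 159.148.155.14:50003 -> 195.13.160.54:33437       SINGLE:NO_TRAFFIC
rl0 udp 172.22.1.2:33438 -> 159.148.155.14:50004 -> 195.13.160.54:33438       SINGLE:NO_TRAFFIC
rl0 tcp 192.168.1.10:49200 -> 172.22.1.1:50005 -> 195.13.160.54:80       SYN_SENT:CLOSED
rl0 tcp 159.148.155.14:22 <- 80.232.230.89:4321       ESTABLISHED:ESTABLISHED'

# nat_gateways <states-text>: print "count address" per translated
# source address, most used first.
nat_gateways() {
    printf '%s\n' "$1" | awk '
        # Only outbound, translated states carry two "->" separators;
        # inbound ("<-") and untranslated states are skipped.
        $4 == "->" && $6 == "->" {
            split($5, gw, ":")      # drop the port, keep the address
            count[gw[1]]++
        }
        END { for (a in count) print count[a], a }' | sort -rn
}

# count_nat_gateways <states-text>: number of distinct gateway addresses.
count_nat_gateways() {
    nat_gateways "$1" | wc -l | tr -d ' '
}

# check_single_nat_address <states-text>: return 0 when all outbound NAT
# states share one translated address, 1 (listing them) otherwise.
check_single_nat_address() {
    n=$(count_nat_gateways "$1")
    if [ "$n" -gt 1 ]; then
        echo "WARNING: outbound NAT spread over $n source addresses:" >&2
        nat_gateways "$1" >&2
        return 1
    fi
    return 0
}

# On a live router replace SAMPLE_STATES with "$(pfctl -ss)".
check_single_nat_address "$SAMPLE_STATES" ||
    echo 'consider "-> ($ext_if:0)" or the explicit external address as the nat target'
```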