From: Casper
Date: Thu, 01 Sep 2005 10:56:29 +0300
To: questions@FreeBSD.org
Subject: FreeBSD 5.4 router with pf nat, bug?
Message-ID: <4316B42D.5020503@os.lv>

Hi,

I have a 5.4-RELEASE-p6 test router and I wanted to do all routing/fw with pf, to learn more pf...

I have added to the kernel options:

device pf
device pflog
device pfsync
options ALTQ

Set up jails with 172.22.x.x addresses, and in the local network I have 192.168.x.x addresses... ifconfig: rl0 is the real IP and the mapped jails... rl1 is the internal network...

/etc/pf.conf now looks like:
---------------------------------------------
ext_if="rl0"
int_if="rl1"

set state-policy if-bound
set loginterface $ext_if

scrub reassemble tcp fragment reassemble

nat on $ext_if from 172.1.1.1/8 to any -> ($ext_if)
nat on $ext_if from 192.168.1.1/8 to any -> $ext_if
rdr on $ext_if proto tcp from any to 159.148.155.14 port 8080 -> 172.22.1.2 port www

antispoof log quick for $ext_if inet
antispoof log quick for $int_if inet

block in log quick on $ext_if inet from any to ! ($ext_if)
pass quick on lo0 all
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA synproxy state
-----------------------------------------------------------------------

The problem is when I make a connection from a jail or the internal network, any connection (http, ping, etc.): the first packet goes through and gets a reply, the second does not... like:

# traceroute www.ass.lv
traceroute to www.ass.lv (195.13.160.54), 64 hops max, 40 byte packets
 1  my_router (my_router)  0.166 ms  0.143 ms  0.130 ms
 2  * next_router (next_router)  1.274 ms *
 3  titan-v12-gw.latnet.lv (159.148.13.150)  1.970 ms * 1.992 ms
 4  * 80.232.230.89 (80.232.230.89)  2.205 ms *

From my_router all is working ok:

 1  next_router (next_router)  1.331 ms  0.962 ms  1.037 ms
 2  titan-v12-gw.latnet.lv (159.148.13.150)  1.287 ms  0.757 ms  1.660 ms
 3  80.232.230.89 (80.232.230.89)  1.218 ms  2.233 ms  1.352 ms

So only NATed packets, every second one, get lost... with tcpdump and pf logging everything shows that nothing is blocking them... Any idea what is going on or how to test where the problem is?

tnx,
K.
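One thing worth checking before chasing the state-tracking behaviour is what the nat rules above actually match: pf masks a source like 172.1.1.1/8 to 172.0.0.0/8 and 192.168.1.1/8 to 192.0.0.0/8, both far wider than the 172.22.x.x jails and 192.168.x.x LAN described. The lint below is an added example (not code from the message or from the pf project); its input is the nat/rdr lines copied from the posted pf.conf, and it reports, per rule, the masked network, whether host bits were set in the literal, whether the rule reaches outside RFC 1918 space, and the private block the literal address belongs to, if any.

```python
import ipaddress
import re

# nat/rdr lines copied from the pf.conf in the message above (constructed input for this lint)
PF_CONF = """\
nat on $ext_if from 172.1.1.1/8 to any -> ($ext_if)
nat on $ext_if from 192.168.1.1/8 to any -> $ext_if
rdr on $ext_if proto tcp from any to 159.148.155.14 port 8080 -> 172.22.1.2 port www
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Source address literal of a translation rule, e.g. "from 172.1.1.1/8"
SOURCE_CIDR = re.compile(r"\bfrom\s+(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")


def lint_nat_sources(conf):
    """Return one finding per nat/binat rule whose source is a CIDR literal.

    host_bits_set   - the literal names a host, not a network; pf silently masks it,
                      so the rule matches the whole /N, which is easy to misread.
    outside_rfc1918 - the masked network reaches beyond private address space, so the
                      router would translate traffic it was never meant to.
    suggested       - the RFC 1918 block the literal address belongs to, if any.
    """
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        if not line.startswith(("nat ", "binat ")):
            continue
        match = SOURCE_CIDR.search(line)
        if not match:
            continue
        literal = match.group(1)
        addr = ipaddress.ip_address(literal.split("/")[0])
        net = ipaddress.ip_network(literal, strict=False)  # apply the mask as pf does
        block = next((p for p in RFC1918 if addr in p), None)
        findings.append({
            "line": lineno,
            "literal": literal,
            "normalized": str(net),
            "host_bits_set": addr != net.network_address,
            "outside_rfc1918": not any(net.subnet_of(p) for p in RFC1918),
            "suggested": str(block) if block else None,
        })
    return findings


if __name__ == "__main__":
    for finding in lint_nat_sources(PF_CONF):
        print(finding)
```

Note that 172.1.1.1 itself is not a private address, so the first rule gets no suggested block; the jails described are in 172.22.x.x, which lies in 172.16.0.0/12.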