From owner-freebsd-net@freebsd.org Wed Aug 24 15:27:15 2016
From: Lee Brown
Date: Wed, 24 Aug 2016 08:27:12 -0700
Subject: Re: Cannot access a couple websites
To: freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

Probably not at all related, but I had a similar problem: youtube worked fine, but cnn would get partial page loads, through a box NATing a public IP.

The culprit for me was that the MTU was wrong. I had FreeBSD in a Xen VM, using the FreeBSD xn driver utilizing VLANs. When I used VLANs on that driver it changed the MTU (the manpage does warn of this) from 1500 to 1496. What I was seeing was ICMP need-to-fragment packets sent from the FreeBSD box, which the Linux router upstream just dropped.

The fix for me was to create the VLAN in Xen, so the MTU was correct, and access the NIC as a non-VLAN NIC within the VM.

Traceroute worked, pings worked, PCs OK on some sites, 'droids all failed.

On Wed, Aug 24, 2016 at 7:02 AM, Carl Hattingh wrote:
> Hi
>
> We are experiencing an issue which has me rather stumped. We are using
> FreeBSD 10.3-RELEASE-p7 under Hyper-V 2012 R2 as a firewall (pf), and are
> unable to browse to www.amazon.com and outlook.office365.com under certain
> circumstances.
>
> The FreeBSD firewall has three interfaces:
>
> hn0: public /30 with default route pointing to telco NTU device
> hn1: public /28 allocated from telco
> hn2: private /24
>
> NAT is configured on hn0 to nat any outbound traffic to the interface
> address:
>
> nat on hn0 inet from hn2:network to any -> (hn0)
>
> In this circumstance, all browsing is fine.
>
> However, if we nat outbound traffic to an address in the /28 public range,
> we are unable to browse to www.amazon.com and outlook.office365.com as two
> examples. All other sites are fine.
>
> Further, if we add another separate test VM into the /28 public subnet, the
> same issue occurs. In this situation, no nat is taking place; the firewall
> is simply routing traffic between the test VM (with a public IP) and the
> telco link.
>
> We are not seeing any traffic being blocked by the pf firewall; we log all
> dropped packets with "block return log (all)".
>
> Packet captures show the connection get up to negotiating the SSL/TLS
> parameters (server hello, certificate, certificate status), but then various
> TCP retransmissions and keep-alive packets are sent from the webserver IP,
> and that's where it just sits until the browser times out.
>
> We are using a kernel with ALTQ enabled, and the issue occurs both when pf
> queues are configured and unconfigured. We host a few other services
> behind this firewall; no issues that we are aware of. Services are natted
> to addresses in the /28 range.
>
> Toggling scrub on/off also makes no difference.
>
> The telco is not interested; they claim the traceroutes are fine. (We do
> see return traffic.)
>
> I also tried dropping the MTU on the test VM to 1460 with no luck.
>
> Has anyone got any ideas on what this could be? We'd be grateful for any
> assistance.
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
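An added example, not code from the thread: a small Python checker that runs over constructed tcpdump-style lines and flags the symptom Lee describes (our box sends ICMP need-to-fragment, the upstream router drops it, and the server keeps retransmitting the same oversized segment unchanged). The addresses, the line format and the 40-byte IPv4+TCP header allowance are assumptions; on a real capture you would feed it `tcpdump -n` output taken on the NAT interface.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a real capture) reproducing the pattern:
# the server sends a 1460-byte segment, our side answers with ICMP need-to-frag
# (mtu 1496), and the same segment is retransmitted unchanged because the
# upstream router dropped the ICMP. Addresses are documentation ranges.
SAMPLE = """\
10.140 IP 198.51.100.7.443 > 203.0.113.18.51234: Flags [.], seq 1:1461, ack 518, win 227, length 1460
10.140 IP 203.0.113.18 > 198.51.100.7: ICMP 203.0.113.18 unreachable - need to frag (mtu 1496), length 36
10.400 IP 198.51.100.7.443 > 203.0.113.18.51234: Flags [.], seq 1:1461, ack 518, win 227, length 1460
10.900 IP 198.51.100.7.443 > 203.0.113.18.51234: Flags [.], seq 1:1461, ack 518, win 227, length 1460
11.900 IP 198.51.100.7.443 > 203.0.113.18.51234: Flags [.], seq 1:1461, ack 518, win 227, length 1460
"""

TCP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[[^\]]*\], seq (\d+):(\d+),.* length (\d+)")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP .*need to frag \(mtu (\d+)\)")
HDR = 40  # assumed IPv4 + TCP header bytes with no options

def find_pmtu_blackholes(lines, min_retransmits=2):
    """Return {(sender, receiver): info} for flows whose oversized segment was
    still retransmitted unchanged after we told the sender to fragment."""
    frag_needed = {}          # (icmp_src, icmp_dst) -> MTU we advertised
    seen = defaultdict(int)   # (src, dst, seq_lo, seq_hi) -> times observed
    findings = {}
    for line in lines:
        m = ICMP_RE.search(line)
        if m:
            frag_needed[(m.group(1), m.group(2))] = int(m.group(3))
            continue
        m = TCP_RE.search(line)
        if not m:
            continue
        src, dst, plen = m.group(1), m.group(3), int(m.group(7))
        key = (src, dst, m.group(5), m.group(6))
        seen[key] += 1
        mtu = frag_needed.get((dst, src))  # the ICMP travels back toward src
        if mtu is None or plen + HDR <= mtu:
            continue                        # no ICMP yet, or segment fits
        retransmits = seen[key] - 1
        if retransmits >= min_retransmits:
            findings[(src, dst)] = {"mtu": mtu, "segment": plen + HDR,
                                    "retransmits": retransmits,
                                    "mss_fix": mtu - HDR}  # e.g. pf's scrub max-mss
    return findings

def analyze_sample():
    return find_pmtu_blackholes(SAMPLE.splitlines())
```

The reported mss_fix is the largest MSS that fits the advertised MTU, which is what clamping (or raising the interface MTU back to 1500, as Lee did) has to achieve.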