From: Ryan Stone
Date: Tue, 6 Dec 2016 09:34:55 -0500
Subject: Re: Problems with FreeBSD (amd64 stable/11) router
To: Chris Ross
Cc: freebsd-net, freebsd-pf@freebsd.org

Let me confirm I understand what's happening:

1) You want to use your router to vlan-tag traffic from your network, and then send it out of a lagg over bce interfaces. The bxe interfaces have their MTU set to 1500 and the vlan interface to 1496.

2) The TiVo is sending packets with a payload size of 1500 and the DF bit set.

If this is the case, then the problem is simply that when the packets are passed through the vlan interface, the payload of the packets exceeds the MTU, but as the DF bit is set, the packets cannot be fragmented. Your choices are either to use a 1500 byte MTU on the vlan interface (assuming that the network that you are routing to can accept 1518 byte packets), or only advertise a 1496 byte MTU in your internal network.

On Mon, Dec 5, 2016 at 2:10 PM, Chris Ross wrote:

> > On Dec 5, 2016, at 11:59, Ryan Stone wrote:
> >
> > What's the MTU on the bce and vlan interfaces?
> > Does the bce interface show VLAN_MTU option set (in ifconfig)?
>
> I had manually set these to try to work out the problem earlier in my experimentation, but am now back (unless I missed something) to the natural MTUs on all interfaces. The vlan’s all show 1496, and the bce’s (and lagg0) show 1500. The options on each of the bce’s show VLAN_MTU, and a few other VLAN_ options.
>
> - Chris
>
> > On Mon, Dec 5, 2016 at 10:00 AM, Chris Ross wrote:
> >
> > Hello all. I recently replaced my router with a FreeBSD/11 box (stable/11 r308579). I am running a lagg device across two bce’s, and 802.1q vlan interfaces atop lagg0. I’m using pf to NAT/filter out through a single outside IP address.
> >
> > I’m having the following problem. Some devices appear to be having trouble passing traffic. Of course, I first assumed I was doing something wrong with my pf filters, but I believe now that’s not the problem. One client machine (a TiVo Roamio) that produces a failure reliably, so I’ve been using it for testing, is showing that during a TCP session, which starts up fine, in the middle of a POST operation to an outside server, there are 1500 byte packets. These packets have the DF bit in the IP header, and then never show up on the external interface (vlan0). Smaller packets in the same TCP stream do. But, I’m also not seeing the ICMP from the router back to the client telling it that it cannot send the packet.
> >
> > I have tried all sorts of changes to my pf rules, including now allowing all ICMP unconditionally on all interfaces (pass out log quick inet proto icmp all). I have packet traces during the failed communication across pflog0, vlan0 (external network) and vlan7 (internal network). I’d be happy to answer any questions, or provide the traces off-list.
> >
> > Does anyone have any idea what I’ve missed?
> > Thank you very much for your help.
> >
> > - Chris
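
An added illustration, not part of the thread and not FreeBSD's own code: a small model of the RFC 1191 forwarding decision discussed above, showing what the ICMP "fragmentation needed" message (type 3, code 4) that Chris expected in his traces would contain. The packets and addresses are constructed samples; the function names are hypothetical.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(packet: bytes):
    """Return (header_len, total_len, df_set) from a raw IPv4 packet."""
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", packet[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return (ver_ihl & 0x0F) * 4, total_len, bool(flags_frag & 0x4000)

def frag_needed(packet: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 code 4: unused(16), next-hop MTU(16), IP header + 8 bytes."""
    hlen, _, _ = parse_ipv4(packet)
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + packet[:hlen + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def forward(packet: bytes, egress_mtu: int):
    """Model the router's choice for one packet leaving via egress_mtu."""
    _, total_len, df = parse_ipv4(packet)
    if total_len <= egress_mtu:
        return "forward", None
    if not df:
        return "fragment", None
    # Too big and DF set: drop, and tell the sender which MTU would fit.
    return "drop", frag_needed(packet, egress_mtu)

def sample_packet(total_len: int, df: bool) -> bytes:
    """Constructed TCP/IPv4 packet using documentation address ranges."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                      0x4000 if df else 0, 64, 6, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + bytes(total_len - len(hdr))

if __name__ == "__main__":
    for size in (1496, 1500):
        action, icmp = forward(sample_packet(size, df=True), egress_mtu=1496)
        print(size, action, icmp[:8].hex() if icmp else "-")
```

In a capture on the internal interface, the message to look for is an ICMP packet whose first two bytes are 03 04 and whose bytes 6-7 carry the vlan MTU (1496 here).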