Date: Tue, 23 Jun 2015 09:49:57 +0200
From: Ian FREISLICH <ian.freislich@capeaugusta.com>
To: Milan Obuch <freebsd-pf@dino.sk>
Cc: freebsd-pf@freebsd.org
Subject: Re: Large scale NAT with PF - some weird problem
Message-ID: <E1Z7Ixx-0006K1-5p@clue.co.za>
In-Reply-To: <20150623073856.334ebd61@zeta.dino.sk>
References: <20150623073856.334ebd61@zeta.dino.sk> <20150621133236.75a4d86d@zeta.dino.sk> <20150620182432.62797ec5@zeta.dino.sk> <20150619091857.304b707b@zeta.dino.sk> <14e119e8fa8.2755.abfb21602af57f30a7457738c46ad3ae@capeaugusta.com> <E1Z6dHz-0000uu-D8@clue.co.za> <E1Z6eVg-0000yz-Ar@clue.co.za> <20150621195753.7b162633@zeta.dino.sk>
Milan Obuch wrote:
> As a first step, I did a small upgrade, so now I run FreeBSD 9.3-STABLE
> #0 r284695: Mon Jun 22 08:55:29 CEST 2015.
>
> I still see the issue, but I found a simpler workaround when the bad state
> occurs - using
>
> pfctl -k <ip.of.affected.client>
> pfctl -K <ip.of.affected.client>
>
> in this order seems to remedy the issue for this one affected client
> without affecting other clients. This still does not solve the problem,
> it just eases the reaction.

How is your NAT rule defined? I had a closer look at the way I did it:

nat on vlan46 from 10.8.0.0/15 to !<on-our-net> -> xx.xx.xx.xx/24 round-robin sticky-address

I think you may be missing the "round-robin" that spreads the mapping over
your pool. The manual says that when more than 1 address is specified,
round-robin is the only pool type allowed; it does not say that when more
than 1 address is specified this is the default pool option.

You can check your state table to see if it is indeed round-robin.

#pfctl -s sta |grep " ("
...
all tcp a.b.c.d:53802 (10.0.0.220:42808) -> 41.246.55.66:24 ESTABLISHED:ESTABLISHED
all tcp a.b.c.e:60794 (10.0.0.38:47825) -> 216.58.223.10:443 ESTABLISHED:FIN_WAIT_2

If all your addresses "a.b.c.X" are the same, it's not round-robin and
that's your problem.

Ian

--
Ian Freislich
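The state-table check Ian describes, turned into a small script (an added example, not code from the thread or from pf itself): it reads `pfctl -s state` output, keeps only the NAT'd entries (the ones with a "(" translation), and reports how many distinct translated addresses are in use, which tells you whether the pool is actually being spread round-robin; a per-client helper also checks that sticky-address is holding one client to one external address. The `SAMPLE_STATES` lines and all addresses in them are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): check whether outbound NAT states are
# spread over the pool (round-robin) or all sit on one translated address.
# Constructed sample of `pfctl -s state` output; addresses are placeholders.
SAMPLE_STATES='all tcp 198.51.100.10:53802 (10.0.0.220:42808) -> 203.0.113.5:24 ESTABLISHED:ESTABLISHED
all tcp 198.51.100.11:60794 (10.0.0.38:47825) -> 203.0.113.9:443 ESTABLISHED:FIN_WAIT_2
all tcp 198.51.100.10:40001 (10.0.0.220:51000) -> 203.0.113.7:80 ESTABLISHED:ESTABLISHED
all udp 198.51.100.12:1025 (10.0.0.99:53) -> 203.0.113.2:53 SINGLE:MULTIPLE
all tcp 10.0.0.1:22 <- 10.0.0.5:55000 ESTABLISHED:ESTABLISHED'

# Print each distinct translated source address with the number of states on it.
# Reads pfctl -s state format on stdin; only lines containing "(" are NAT'd.
nat_pool_usage() {
  awk '
    index($0, "(") > 0 {
      split($3, a, ":")          # field 3 is "translated_ip:port" (IPv4 assumed)
      count[a[1]]++
    }
    END { for (ip in count) print ip, count[ip] }
  ' | sort
}

# Number of distinct translated addresses; 1 means the pool is not round-robin.
nat_pool_size() {
  nat_pool_usage | wc -l | tr -d ' '
}

# How many external addresses one internal client has been mapped to.
# With sticky-address this should be exactly 1 (0 means no NAT state for it).
client_mappings() {
  awk -v c="$1" '
    index($0, "(") > 0 {
      split($4, b, ":"); ip = substr(b[1], 2)   # field 4 is "(client_ip:port)"
      if (ip == c) { split($3, a, ":"); seen[a[1]] = 1 }
    }
    END { n = 0; for (k in seen) n++; print n }
  '
}

# On a real box replace the printf with: pfctl -s state | nat_pool_usage
printf '%s\n' "$SAMPLE_STATES" | nat_pool_usage
printf 'distinct pool addresses: %s\n' "$(printf '%s\n' "$SAMPLE_STATES" | nat_pool_size)"
```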