Date: Sun, 22 May 2016 16:08:12 +0200
Subject: epair(4) + bridge(4) + pf(4) nat strangeness
From: Nikolay Denev
To: freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

Hi,

I'm seeing something strange on my home router that I can't really explain, so any suggestions are welcome.

The machine is an Alix APU running

    FreeBSD mars.home.lan 10.3-STABLE FreeBSD 10.3-STABLE #7: Wed May 18 19:03:58 UTC 2016 root@mars.home.lan:/usr/obj/usr/src/sys/MARS amd64

It is compiled from svn rev 299223 with the Codel+Pie patch for ipfw added, which is not in use at the moment as ipfw has a single pass rule; the rest is in pf.conf (in pf.conf I also use ALTQ_CODEL).

The re2 interface is connected to the ISP and pf.conf has a "nat on re2" statement. The internal LAN network is connected to re0 and wireless clients are on wlan0; both are bridged in bridge0.

Since I wanted to run the Suricata IDS for all internal traffic (both LAN and WLAN), I have created an epair(4) interface, with one end added as a "span" port in bridge0, and the other I'm using in Suricata.

And here is where the strange stuff happens. For some reason, on this epair0b interface I'm seeing what looks like duplicated traffic from before and after being NATed.

For example, a short tcpdump on epair0b shows this:

    13:54:22.352206 IP (tos 0x0, ttl 63, id 29857, offset 0, flags [DF], proto TCP (6), length 1480) 10.0.0.13.51413 > XXX.XXX.XXX.XXX.12325: Flags [.], cksum 0xbca8 (correct), seq 59040:60480, ack 88, win 1035, length 1440
    13:54:22.355368 IP (tos 0x0, ttl 63, id 29856, offset 0, flags [DF], proto TCP (6), length 1480) ZZZ.ZZZ.ZZZ.ZZZ.51413 > XXX.XXX.XXX.XXX.12325: Flags [.], cksum 0x69d8 (correct), seq 59040:60480, ack 88, win 1035, length 1440

10.0.0.13 here is another FreeBSD box running the transmission bt client, and XXX.XXX.XXX.XXX is some random peer on the internet. After this I see on the interface the second packet, which looks identical but with the IP id minus one, and ZZZ.ZZZ.ZZZ.ZZZ is my public IP address assigned to re2.

When doing tcpdump directly on bridge0, re0 or wlan0 I do not see this.

--Nikolay
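An added example, not part of Nikolay's mail or of any FreeBSD tool, that turns the observation above into a check: it parses "tcpdump -v" lines like the two quoted and pairs segments that are identical except for their source address, which is exactly what a pre-NAT and a post-NAT copy of the same packet look like on the span port. It assumes a LAN prefix of 10.0.0.0/24 (taken from the 10.0.0.13 host) and uses constructed sample lines with documentation-range addresses in place of the masked ones.

```python
"""Pair pre- and post-NAT copies of the same TCP segment in "tcpdump -v" output.
Added example, not part of the original post. The LAN prefix is assumed from the
10.0.0.13 host in the mail; the sample lines are constructed copies of the quoted
packets with the masked addresses replaced by documentation-range placeholders."""
import ipaddress
import re
from collections import defaultdict

LAN_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed inside network behind "nat on re2"

# Constructed sample: the two packets from the mail plus one unpaired next segment.
# 198.51.100.7 stands in for the public IP on re2, 203.0.113.45 for the peer.
SAMPLE = """\
13:54:22.352206 IP (tos 0x0, ttl 63, id 29857, offset 0, flags [DF], proto TCP (6), length 1480) 10.0.0.13.51413 > 203.0.113.45.12325: Flags [.], cksum 0xbca8 (correct), seq 59040:60480, ack 88, win 1035, length 1440
13:54:22.355368 IP (tos 0x0, ttl 63, id 29856, offset 0, flags [DF], proto TCP (6), length 1480) 198.51.100.7.51413 > 203.0.113.45.12325: Flags [.], cksum 0x69d8 (correct), seq 59040:60480, ack 88, win 1035, length 1440
13:54:22.358001 IP (tos 0x0, ttl 63, id 29858, offset 0, flags [DF], proto TCP (6), length 1480) 10.0.0.13.51413 > 203.0.113.45.12325: Flags [.], cksum 0x0000 (correct), seq 60480:61920, ack 88, win 1035, length 1440
""".splitlines()

# One "tcpdump -v" line: timestamp, IP header summary in parentheses (we keep the
# IP id), then SRC.SPORT > DST.DPORT: and the TCP fields that identify the segment.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?\bid (?P<id>\d+),.*?\) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r".*?\bseq (?P<seq>\d+(?::\d+)?), ack (?P<ack>\d+), win \d+, length (?P<len>\d+)"
)


def parse(line):
    """Fields of one tcpdump line as a dict (IP id as int), or None on no match."""
    m = LINE_RE.match(line)
    return dict(m.groupdict(), id=int(m.group("id"))) if m else None


def find_nat_duplicates(lines):
    """Segments seen twice on the span port: once from a LAN source (before NAT)
    and once from a non-LAN source (after NAT), with everything else identical."""
    by_segment = defaultdict(list)
    for pkt in filter(None, map(parse, lines)):
        # key on everything NAT leaves alone; the rewritten source address is excluded
        by_segment[(pkt["dst"], pkt["sport"], pkt["dport"], pkt["seq"], pkt["ack"], pkt["len"])].append(pkt)
    found = []
    for pkts in by_segment.values():
        inside = [p for p in pkts if ipaddress.ip_address(p["src"]) in LAN_NET]
        outside = [p for p in pkts if ipaddress.ip_address(p["src"]) not in LAN_NET]
        for pre in inside:
            for post in outside:
                found.append({"pre_src": pre["src"], "post_src": post["src"], "seq": pre["seq"],
                              "id_delta": post["id"] - pre["id"]})
    return found
```

Feeding it the real capture (`tcpdump -n -v -i epair0b`) instead of SAMPLE gives a quick count of how much of what Suricata sees on that end is the same segment twice; a non-empty result with id_delta of -1 matches the behaviour described in the mail.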