From owner-freebsd-net@freebsd.org Fri Jan 20 15:47:45 2017
From: Alan Somers
Date: Fri, 20 Jan 2017 08:47:43 -0700
Subject: Re: pf & NAT issue
To: Kristof Provost
Cc: Bakul Shah, FreeBSD Net
In-Reply-To: <7C29D00C-94C0-4550-B1B2-CE307482B544@FreeBSD.org>
References: <20170120083555.ACCF9124AEA4@mail.bitblocks.com> <7C29D00C-94C0-4550-B1B2-CE307482B544@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD

On Fri, Jan 20, 2017 at 3:48 AM, Kristof Provost wrote:
> On 20 Jan 2017, at 9:35, Bakul Shah wrote:
>>
>> pf seems to drop NAT connections quite a bit. This seems to
>> happen much more frequently if there are delays involved (slow
>> server or interactive use). Almost seems like pf losing
>> track of NATted connections due to an uninitialized
>> variable.... Often a retry or two works. Connecting from
>> outside to forwarded connections to NATted hosts works fine.
>>
>> This problem started after upgrading to freebsd-10. Is there a
>> bug fix in the works or a known workaround (other than using ipfw
>> or reverting to 9, which I don't want to do)?
>>
> The problem you describe doesn't immediately ring a bell.
>
> We'll have to gather a bit more information:
>
> * What FreeBSD version are you running exactly?
> * What's your pf.conf?
> * Can you perform a network capture of rejected/failed connections? Ideally
>   both on LAN and WAN on the gateway machine. Please capture full packets
>   (so tcpdump -s0 -w lan.pcap) as pcap files.
> * What networking cards are you using?
>
> Regards,
> Kristof

Under heavy load, pf can drop information from its state table. You can
try increasing state table limits to see if it helps the problem. Read
the "set limits" section of the pf man page.

-Alan
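As an added example that is not part of the thread, the POSIX shell script below turns Alan's suggestion into a check: it reads `pfctl -si` and `pfctl -sm` output, computes how close the state table is to its hard limit, and reports the `memory` and `state-limit` counters, which pf increments when it has to drop packets or refuse new states for lack of room. The two sample outputs embedded in the script are constructed for the example; the limit and counter names are the ones FreeBSD's pfctl prints, but the numbers are invented.

```shell
#!/bin/sh
# Added example: gauge pf state-table pressure from pfctl output.
# Uses live pfctl output when run as root on a pf host; otherwise falls
# back to the constructed samples below so it can be read and run anywhere.

# Constructed sample of `pfctl -sm` (hard limits).
SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# Constructed sample of `pfctl -si` from a gateway near its limit.
SAMPLE_SI='Status: Enabled for 3 days 04:12:07           Debug: Urgent

State Table                          Total             Rate
  current entries                     9870
  searches                       184739201         678.2/s
  inserts                          2118830           7.8/s
  removals                         2108960           7.7/s
Counters
  match                            2130112           7.8/s
  memory                              1422           0.0/s
  state-limit                          915           0.0/s
  state-insert                           0           0.0/s'

# Constructed sample of `pfctl -si` from a healthy gateway.
SAMPLE_SI_OK='State Table                          Total             Rate
  current entries                     1200
Counters
  match                              50000           3.1/s
  memory                                 0           0.0/s
  state-limit                            0           0.0/s'

# state_hard_limit <pfctl -sm output>: hard limit for the states pool.
state_hard_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4 }'
}

# current_states <pfctl -si output>: number of state entries right now.
current_states() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3 }'
}

# counter <name> <pfctl -si output>: Total column of a named counter (0 if absent).
counter() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == n { v = $2 } END { print v + 0 }'
}

# state_utilization_pct <si> <sm>: integer percentage of the hard limit in use.
state_utilization_pct() {
    cur=$(current_states "$1")
    lim=$(state_hard_limit "$2")
    echo $(( cur * 100 / lim ))
}

# drops_due_to_limits <si>: packets/states refused because the table was full.
drops_due_to_limits() {
    echo $(( $(counter memory "$1") + $(counter state-limit "$1") ))
}

# report <si> <sm>: print a verdict; exit status 1 means the table is under pressure.
report() {
    pct=$(state_utilization_pct "$1" "$2")
    drops=$(drops_due_to_limits "$1")
    echo "states in use: ${pct}% of hard limit; drops from memory/state-limit: ${drops}"
    if [ "$pct" -ge 90 ] || [ "$drops" -gt 0 ]; then
        echo "state table under pressure: raise 'set limit states' in pf.conf"
        return 1
    fi
    echo "state table healthy"
    return 0
}

# Live data when available (pfctl needs root), otherwise the constructed sample.
# A non-zero status from report only flags pressure, so it is not fatal here.
if command -v pfctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    report "$(pfctl -si)" "$(pfctl -sm)" || :
else
    report "$SAMPLE_SI" "$SAMPLE_SM" || :
fi
```

If the script flags pressure, raise the pool in pf.conf (for example `set limit states 100000`), reload with `pfctl -f /etc/pf.conf`, and re-run the check after the gateway has been under its usual load; the `memory` and `state-limit` counters are cumulative since the last reset, so what matters is whether they keep growing.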