Date: Mon, 5 Dec 2016 10:00:33 -0500
From: Chris Ross <cross+freebsd@distal.com>
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Cc: Chris Ross <cross+freebsd@distal.com>
Subject: Problems with FreeBSD (amd64 stable/11) router
Message-ID: <619F01C2-5A20-4E25-AB0B-4064B598239D@distal.com>
Hello all. I recently replaced my router with a FreeBSD/11 box (stable/11 r308579). I am running a lagg device across two bce's, and 802.1q vlan interfaces atop lagg0. I'm using pf to NAT/filter out through a single outside IP address.

I'm having the following problem. Some devices appear to be having trouble passing traffic. Of course, I first assumed I was doing something wrong with my pf filters, but I believe now that's not the problem. One client machine (a TiVo Roamio) that produces a failure reliably, so I've been using it for testing, is showing that during a TCP session, which starts up fine, in the middle of a POST operation to an outside server, there are 1500 byte packets. These packets have the DF bit in the IP header, and then never show up on the external interface (vlan0). Smaller packets in the same TCP stream do. But, I'm also not seeing the ICMP from the router back to the client telling it that it cannot send the packet.

I have tried all sorts of changes to my pf rules, including now allowing all ICMP unconditionally on all interfaces (pass out log quick inet proto icmp all). I have packet traces during the failed communication across pflog0, vlan0 (external network) and vlan7 (internal network). I'd be happy to answer any questions, or provide the traces off-list.

Does anyone have any idea what I've missed? Thank you very much for your help.

- Chris
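A trace check of the kind the post describes, as an added example that is neither the poster's nor FreeBSD's code: it walks tcpdump -v style lines captured on the inside and outside interfaces and reports each DF-flagged TCP data segment as forwarded, answered with an ICMP "need to frag", or silently dropped (a PMTUD black hole). The sample lines, addresses, ports and the NAT address are constructed; only the interface names vlan0 and vlan7 come from the post.

```python
import re

# Constructed tcpdump -v style lines, not the poster's traces. 192.168.7.0/24
# is the LAN behind vlan7, 203.0.113.0/24 the outside, 192.168.7.1 the router's
# inside address and 203.0.113.2 its NAT address (all hypothetical values).
TRACES = {
    "vlan7": [  # inside: what clients sent, and what the router sent back
        "IP (tos 0x0, ttl 64, id 10, offset 0, flags [DF], proto TCP (6), length 52) 192.168.7.20.41000 > 203.0.113.10.443: Flags [P.], seq 1:13, ack 1, win 1000, length 12",
        "IP (tos 0x0, ttl 64, id 11, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.7.20.41000 > 203.0.113.10.443: Flags [.], seq 13:1461, ack 1, win 1000, length 1448",
        "IP (tos 0x0, ttl 64, id 13, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.7.22.6000 > 203.0.113.12.80: Flags [.], seq 1:1449, ack 1, win 1000, length 1448",
        "IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto ICMP (1), length 56) 192.168.7.1 > 192.168.7.22: ICMP 203.0.113.12 unreachable - need to frag (mtu 1480), length 36",
    ],
    "vlan0": [  # outside: post-NAT, source rewritten to 203.0.113.2
        "IP (tos 0x0, ttl 63, id 10, offset 0, flags [DF], proto TCP (6), length 52) 203.0.113.2.60001 > 203.0.113.10.443: Flags [P.], seq 1:13, ack 1, win 1000, length 12",
    ],
}
TCP = re.compile(r"flags \[(?P<flags>[^\]]*)\].*?length (?P<iplen>\d+)\) "
                 r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
                 r".*?seq (?P<seq>\d+:\d+)")
ICMP = re.compile(r"\) [\d.]+ > (?P<client>[\d.]+): ICMP (?P<dst>[\d.]+) "
                  r"unreachable - need to frag \(mtu (?P<mtu>\d+)\)")

def pmtud_audit(traces, inside, outside):
    # NAT rewrites source address/port, so segments are matched across the two
    # interfaces on what pf leaves alone: destination, port and TCP seq range
    # (pf rewrites sequence numbers only when 'modulate state' is used).
    seen_out = set()
    for line in traces[outside]:
        m = TCP.search(line)
        if m:
            seen_out.add((m["dst"], m["dport"], m["seq"]))
    need_frag = {}  # (client, destination) -> MTU the router advertised
    for line in traces[inside]:
        m = ICMP.search(line)
        if m:
            need_frag[(m["client"], m["dst"])] = int(m["mtu"])
    report = {}  # (src, sport, dst, dport, seq) -> outcome
    for line in traces[inside]:
        m = TCP.search(line)
        if not m or "DF" not in m["flags"]:
            continue  # only DF-flagged data segments can be black-holed
        key = (m["src"], m["sport"], m["dst"], m["dport"], m["seq"])
        if key[2:] in seen_out:
            report[key] = "forwarded"
        elif (m["src"], m["dst"]) in need_frag:
            report[key] = "need-frag mtu=%d" % need_frag[(m["src"], m["dst"])]
        else:
            report[key] = "BLACKHOLE %s bytes" % m["iplen"]
    return report
```

The ICMP match is per client/destination pair rather than per segment, since the quoted original header that tcpdump prints on a continuation line is not parsed here.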