Date:      Mon, 3 Aug 2009 17:29:34 -0700
From:      mojo fms <fbsdlilly@gmail.com>
To:        markham roan <mrkhmroan@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Windows 2008 + AD + PF + bridge = problems?
Message-ID:  <f151ba00908031729v1783f6d7se9c5cf1e8f0396d7@mail.gmail.com>
In-Reply-To: <200908031615.42843.mel.flynn%2Bfbsd.questions@mailing.thruhere.net>
References:  <548f3c460907311115y5e89341ds91b43cd62c16dbf4@mail.gmail.com> <200908031615.42843.mel.flynn%2Bfbsd.questions@mailing.thruhere.net>

On Mon, Aug 3, 2009 at 5:15 PM, Mel Flynn <mel.flynn+fbsd.questions@mailing.thruhere.net> wrote:

> On Friday 31 July 2009 10:15:56 markham roan wrote:
>
> > A packet capture revealed a number of anomalies.  Once the server starts
> > trying to join the domain, we get all sorts of TCP transmission errors,
> > retries, duplicate ACKs etc.  In some cases, the public side of the
> > firewall will send an ICMP host-unreachable message for a host which is
> > clearly being BINAT.
> >
> > I've tinkered with net.inet.ip.intr_queue_maxlen, but it doesn't seem to
> > help.  net.inet.ip.intr_queue_drops isn't increasing at a noticeable rate,
> > anyway.
> >
> > Does anyone have any thoughts and/or advice on where I can go from here?
>
> No experience with the case at hand, but I do see that Vista started to use
> IGMP protocol even when there's no obvious need to do so. Given that "allow
> all" does in fact only allow a handful of IP protocols, excluding IGMP, you
> may want to investigate if you're not silently blocking (or not translating)
> one of the more obscure IP protocols.
> --
> Mel
>  _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>



This might be way off base but I had a server that had issues like that and
it ended up being the network cable going bad.  It would send an ACK but if
you captured the ACK and other packets at the destination server it would be
missing bits.  I have personally not had an issue with a PF firewall and
Server 2008 joining a 2003 domain but network card or cable could cause an
issue like that.

What does tcpdump tell you on the firewall when monitoring PF while it
joins?  What rule(s) is it using when it joins?

-- 
Who knew
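As an added example, not from anyone in this thread, here is a small POSIX sh/awk helper that summarises `tcpdump -n -e -ttt -i pflog0` output by pf rule, action and protocol, so that a protocol a "pass all" ruleset still drops (IGMP, ICMP) and the rule number that dropped it stand out. It assumes the relevant pf rules carry `log` and that tcpdump's pflog line format is the one shown; the sample lines, rule numbers and addresses are constructed.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output; not a real capture.
# With -e, tcpdump prints the matching pf rule number, action and interface
# for every logged packet, so a "block" line names the rule that dropped it.
SAMPLE_PFLOG='000000 rule 3/0(match): block in on em0: 192.0.2.10 > 224.0.0.22: igmp v3 report, 1 group record(s)
000421 rule 7/0(match): pass in on em0: 192.0.2.10.49152 > 198.51.100.5.389: Flags [S], seq 1, win 8192, length 0
000087 rule 3/0(match): block in on em0: 192.0.2.10 > 224.0.0.22: igmp v3 report, 1 group record(s)
000200 rule 7/0(match): pass in on em0: 192.0.2.10.49153 > 198.51.100.5.88: Flags [S], seq 1, win 8192, length 0
000015 rule 3/0(match): block out on em1: 198.51.100.5 > 192.0.2.10: ICMP host 192.0.2.10 unreachable, length 36'

# summarize_pflog: read pflog tcpdump lines on stdin and print one line per
# (action, rule, protocol) with a packet count, highest count first.
# The protocol word follows the "src > dst:" pair; tcpdump prints no protocol
# name there for TCP ("Flags [...]") or UDP ("UDP, length"), so map those.
summarize_pflog() {
    awk '
    match($0, /rule [0-9]+\/[0-9]+\(match\): (block|pass) (in|out) on [^:]+:/) {
        hdr = substr($0, RSTART, RLENGTH)
        split(hdr, h, " ")                 # h[2] = "3/0(match):", h[3] = "block"
        rule = h[2]; sub(/\(.*/, "", rule)  # keep only "3/0"
        action = h[3]
        rest = substr($0, RSTART + RLENGTH)
        sub(/^ *[^ ]+ > [^ ]+: */, "", rest)   # drop "src > dst: "
        proto = rest; sub(/[ ,:].*/, "", proto)
        if (proto == "Flags") proto = "tcp"
        else if (proto == "UDP") proto = "udp"
        else proto = tolower(proto)
        count[action " " rule " " proto]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# blocked_odd_protocols: protocols other than TCP/UDP that pf blocked. A ruleset
# believed to "allow all" but still dropping IGMP or ICMP shows up here.
blocked_odd_protocols() {
    summarize_pflog | awk '$2 == "block" && $4 != "tcp" && $4 != "udp" { print $4 }' | sort -u
}

printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
printf '%s\n' "$SAMPLE_PFLOG" | blocked_odd_protocols
```

Once a rule number is known, `pfctl -vvsr` prints the loaded ruleset with the same numbering, which ties each logged drop back to the line in pf.conf.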


