From: mojo fms
To: markham roan
Cc: freebsd-questions@freebsd.org
Date: Mon, 3 Aug 2009 17:29:34 -0700
Subject: Re: Windows 2008 + AD + PF + bridge = problems?
In-Reply-To: <200908031615.42843.mel.flynn+fbsd.questions@mailing.thruhere.net>
References: <548f3c460907311115y5e89341ds91b43cd62c16dbf4@mail.gmail.com> <200908031615.42843.mel.flynn+fbsd.questions@mailing.thruhere.net>

On Mon, Aug 3, 2009 at 5:15 PM, Mel Flynn <mel.flynn+fbsd.questions@mailing.thruhere.net> wrote:

> On Friday 31 July 2009 10:15:56 markham roan wrote:
>
> > A packet capture revealed a number of anomalies. Once the server starts
> > trying to join the domain, we get all sorts of TCP transmission errors,
> > retries, duplicate ACKs etc. In some cases, the public side of the
> > firewall will send an ICMP host-unreachable message for a host which is
> > clearly being BINAT.
> >
> > I've tinkered with net.inet.ip.intr_queue_maxlen, but it doesn't seem to
> > help. net.inet.ip.intr_queue_drops isn't increasing at a noticeable rate,
> > anyway.
> >
> > Does anyone have any thoughts and/or advice on where I can go from here?
>
> No experience with the case at hand, but I do see that Vista started to use
> the IGMP protocol even when there's no obvious need to do so. Given that "allow
> all" does in fact only allow a handful of IP protocols, excluding IGMP, you
> may want to investigate if you're not silently blocking (or not translating)
> one of the more obscure IP protocols.
> --
> Mel

This might be way off base, but I had a server that had issues like that and it ended up being the network cable going bad. It would send an ACK, but if you captured the ACK and other packets at the destination server it would be missing bits.
I have personally not had an issue with a pf firewall and Server 2008 joining a 2003 domain, but a network card or cable could cause an issue like that. What does tcpdump tell you on the firewall when monitoring PF while it joins, and what rule(s) is it using when it joins?

--
Who knew
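The two suggestions above (check which PF rule each packet hits, and check whether an "allow all" ruleset is silently dropping IGMP or another less common IP protocol) both come down to reading pflog output. The following script is an added example, not code from anyone in this thread. It assumes pflog is enabled and the rules of interest carry the `log` keyword, so that `tcpdump -n -e -ttt -i pflog0` prints one line per logged packet in the form `rule N/M(match): <action> <dir> on <iface>: <src> > <dst>: <decoded payload>`; the rule number `N` can then be matched against `pfctl -vvsr`, which prefixes each rule with `@N`. The sample lines and addresses are constructed to mimic that format (an internal host BINAT'd to a public address, joining a domain controller), and the protocol classifier is a heuristic on tcpdump's decoded text rather than a pcap parser.

```python
"""Summarise pflog records to spot protocols a PF ruleset silently blocks.

Added example, not code from the mailing-list thread. Assumed input format is
what `tcpdump -n -e -ttt -i pflog0` prints for rules that carry `log`:
    <delta> rule N/M(match): <action> <dir> on <iface>: <src> > <dst>: <payload>
"""
import re
from collections import Counter

# One pflog record as printed by tcpdump with -e on pflog0 (assumed format).
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]+)\):\s+"
    r"(?P<action>pass|block|match)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\S+):\s+"
    r"(?P<payload>.*)$"
)

# Constructed sample: 10.0.0.20 (BINAT'd to 198.51.100.20) joins a domain
# controller at 192.0.2.10 through a PF bridge; em1 is inside, em0 outside.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 3/0(match): block in on em1: 10.0.0.20 > 224.0.0.22: igmp v3 report, 1 group record(s)
00:00:00.250119 rule 7/0(match): pass in on em1: 10.0.0.20.49211 > 192.0.2.10.389: Flags [S], seq 1, win 8192, length 0
00:00:00.000500 rule 7/0(match): pass out on em0: 198.51.100.20.49211 > 192.0.2.10.389: Flags [S], seq 1, win 8192, length 0
00:00:01.100000 rule 3/0(match): block in on em1: 10.0.0.20 > 224.0.0.22: igmp v3 report, 1 group record(s)
00:00:00.020000 rule 5/0(match): block in on em0: 192.0.2.10 > 198.51.100.20: ICMP host 198.51.100.20 unreachable, length 36
00:00:00.300000 rule 7/0(match): pass in on em1: 10.0.0.20.50123 > 192.0.2.10.88: UDP, length 120
"""


def classify_protocol(payload):
    """Guess the IP protocol from tcpdump's decoded text.

    Heuristic: tcpdump prints 'Flags [' for TCP, 'UDP,' for undecoded UDP,
    'ICMP' for ICMP and a lower-case protocol name (igmp, esp, gre, ...) for
    the less common protocols an 'allow all' ruleset may not actually pass.
    """
    if "Flags [" in payload:
        return "tcp"
    if " UDP," in payload or payload.endswith("UDP"):
        return "udp"
    if "ICMP" in payload:
        return "icmp"
    m = re.search(r":\s*(igmp|esp|ah|gre|ospf|pim)\b", payload, re.IGNORECASE)
    if m:
        return m.group(1).lower()
    return "other"


def summarize_pflog(text):
    """Parse pflog lines.

    Returns (counts, suspicious): counts maps (action, protocol) to the number
    of logged packets; suspicious lists unique (rule, protocol, iface, dir)
    tuples for blocked packets that are neither TCP nor UDP, i.e. the obscure
    protocols worth checking against the ruleset.
    """
    counts = Counter()
    suspicious = []
    seen = set()
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if not m:
            continue  # not a pflog record (e.g. tcpdump banner)
        proto = classify_protocol(m["payload"])
        counts[(m["action"], proto)] += 1
        key = (int(m["rule"]), proto, m["iface"], m["dir"])
        if m["action"] == "block" and proto not in ("tcp", "udp") and key not in seen:
            seen.add(key)
            suspicious.append(key)
    return counts, suspicious


def report(text):
    """Human-readable summary; rule numbers match the @N prefix of `pfctl -vvsr`."""
    counts, suspicious = summarize_pflog(text)
    lines = [f"{action:5} {proto:5} {n}" for (action, proto), n in sorted(counts.items())]
    for rule, proto, iface, direction in suspicious:
        lines.append(f"check rule @{rule}: blocks {proto} {direction} on {iface}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PFLOG)))
```

Run it against a live capture with `tcpdump -n -e -ttt -i pflog0 | python3 pflog_summary.py` after adding a stdin reader, or feed it a saved text file; a rule that only appears in the summary as blocking igmp (or esp, gre, ...) is the one to compare with the "allow all" rule in `pfctl -vvsr`.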