From owner-freebsd-net@freebsd.org Fri Jan 20 21:11:57 2017
Return-Path:
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6D8CFCB9E81 for ; Fri, 20 Jan 2017 21:11:57 +0000 (UTC) (envelope-from bakul@bitblocks.com)
Received: from mail.bitblocks.com (ns1.bitblocks.com [173.228.5.8]) by mx1.freebsd.org (Postfix) with ESMTP id 472F418C5; Fri, 20 Jan 2017 21:11:56 +0000 (UTC) (envelope-from bakul@bitblocks.com)
Received: from bitblocks.com (localhost [127.0.0.1]) by mail.bitblocks.com (Postfix) with ESMTP id BF841124AEA4; Fri, 20 Jan 2017 13:11:55 -0800 (PST)
To: "Kristof Provost" , FreeBSD Net , Alan Somers
Subject: Re: pf & NAT issue
In-reply-to: Your message of "Fri, 20 Jan 2017 12:59:33 PST." <20170120205933.8948A124AEA3@mail.bitblocks.com>
References: <20170120083555.ACCF9124AEA4@mail.bitblocks.com> <7C29D00C-94C0-4550-B1B2-CE307482B544@FreeBSD.org> <20170120203106.CD2C8124AEA4@mail.bitblocks.com> <20170120205933.8948A124AEA3@mail.bitblocks.com>
Comments: In-reply-to Bakul Shah message dated "Fri, 20 Jan 2017 12:59:33 -0800."
Date: Fri, 20 Jan 2017 13:11:55 -0800
From: Bakul Shah
Message-Id: <20170120211155.BF841124AEA4@mail.bitblocks.com>
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Fri, 20 Jan 2017 21:11:57 -0000

On Fri, 20 Jan 2017 12:59:33 PST Bakul Shah wrote:
> On Fri, 20 Jan 2017 21:43:33 +0100 "Kristof Provost" wrote:
> > On 20 Jan 2017, at 21:31, Bakul Shah wrote:
> > >> 11:56:28.168693 IP 192.168.125.7.65042 > 149.20.1.200.21: Flags [P.],
> > >> seq 1:10, ack 55, win 1026, options [nop,nop,TS val 198426 ecr
> > >> 1468113725], length 9
> > > < 11:56:28.168712 IP 173.228.5.8.52015 > 149.20.1.200.21: Flags [P.],
> > > seq 3080825147:3080825156, ack 3912707414, win 1026, options
> > > [nop,nop,TS val 198426 ecr 1468113725], length 9
> > >
> > > Right here we see the problem. NAT mapping for the
> > > port changed from 63716 to 52015.
> > >
> > Changing source ports is an entirely normal NAT behaviour.
> >
> > The best explanation is this: imagine that you have two clients A and B,
> > both connect to X on port 80 via the NAT gateway G.
> > Both use port 1000 as their source port.
> > A connects, and the gateway maps A:1000 -> X:80 to G:1000 -> X:80.
> > B connects, and now the gateway has to map B:1000 -> X:80 onto G:1000 ->
> > X:80, but then it wouldn't be able to tell the two connections apart.
> > So it can remap it onto G:1001 -> X:80 instead.
>
> It is the same connection! As a TCP connection is identified
> by , if the port number
> changes on the same connection, the remote side would see this
> as a separate connection.

Let me expand on this a bit. I should've shown one more packet trace.
What happens is that the new port number (52015) is associated with this connection from now on, so the next packet from the local internal machine is seen by the remote side as belonging to connection <173.228.5.8.52015, 149.20.1.200.21> instead of <173.228.5.8.63716, 149.20.1.200.21>, so it is of course going to throw it out. The gateway machine has behaved quite well for months, but memtest is a good idea. Thanks!
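As an added example (not code from this thread, from pf, or from FreeBSD), the check described in the message above turned into a small Python script over `tcpdump -n` output: it pairs each outbound packet captured on the inside interface with its translated copy on the outside interface and reports any flow whose NAT source port changes in the middle of a connection. The pairing key is what NAT leaves untouched (destination address and port, the TCP timestamp value and the payload length). The sample lines are constructed around the two trace lines quoted in the thread; the SYN and ACK packets before them, their timestamps and sequence numbers, the use of port 63716 for the earlier packets (the thread only states that the mapping changed from 63716 to 52015) and all function names are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# One line of `tcpdump -n` TCP output in the shape quoted in the thread
# (IPv4, timestamps option present). Other lines are skipped.
PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[[^\]]*\],.*?TS val (?P<tsval>\d+) ecr \d+\], length (?P<len>\d+)"
)

# Constructed sample: the same three outbound packets of one FTP control
# connection, captured once on the inside interface and once on the outside.
# The third pair is the one quoted in the thread; the first two are made up.
INSIDE = [
    "11:56:27.900001 IP 192.168.125.7.65042 > 149.20.1.200.21: Flags [S], seq 3080825146, "
    "win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 198390 ecr 0], length 0",
    "11:56:27.950002 IP 192.168.125.7.65042 > 149.20.1.200.21: Flags [.], ack 1, win 1026, "
    "options [nop,nop,TS val 198395 ecr 1468113700], length 0",
    "11:56:28.168693 IP 192.168.125.7.65042 > 149.20.1.200.21: Flags [P.], seq 1:10, ack 55, "
    "win 1026, options [nop,nop,TS val 198426 ecr 1468113725], length 9",
]
OUTSIDE = [
    "11:56:27.900020 IP 173.228.5.8.63716 > 149.20.1.200.21: Flags [S], seq 3080825146, "
    "win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 198390 ecr 0], length 0",
    "11:56:27.950021 IP 173.228.5.8.63716 > 149.20.1.200.21: Flags [.], ack 3912707360, "
    "win 1026, options [nop,nop,TS val 198395 ecr 1468113700], length 0",
    "11:56:28.168712 IP 173.228.5.8.52015 > 149.20.1.200.21: Flags [P.], "
    "seq 3080825147:3080825156, ack 3912707414, win 1026, "
    "options [nop,nop,TS val 198426 ecr 1468113725], length 9",
]

Packet = Dict[str, object]
Flow = Tuple[str, int, str, int]


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump line; return None for lines that do not match."""
    m = PKT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "tsval": int(d["tsval"]), "len": int(d["len"]),
    }


def correlate(inside_lines: List[str], outside_lines: List[str],
              internal_prefix: str) -> List[Tuple[Packet, Packet]]:
    """Pair each outbound inside packet with its translated outside copy.
    NAT rewrites the source address and port but not the destination, the
    TCP timestamp value or the payload length, so those form the join key."""
    outside_by_key = {}
    for line in outside_lines:
        p = parse_line(line)
        if p:
            outside_by_key[(p["dst"], p["dport"], p["tsval"], p["len"])] = p
    pairs = []
    for line in inside_lines:
        p = parse_line(line)
        if not p or not str(p["src"]).startswith(internal_prefix):
            continue  # inbound or unparsable line
        q = outside_by_key.get((p["dst"], p["dport"], p["tsval"], p["len"]))
        if q:
            pairs.append((p, q))
    return pairs


def find_mapping_changes(inside_lines: List[str], outside_lines: List[str],
                         internal_prefix: str = "192.168.125.") -> List[Dict[str, object]]:
    """Report every point where an internal flow's external source port changes.
    A correctly working NAT keeps one external port per flow for its lifetime;
    a change mid-connection is what the remote end sees as a new connection."""
    seen: Dict[Flow, int] = {}
    changes = []
    for inside, outside in correlate(inside_lines, outside_lines, internal_prefix):
        flow: Flow = (inside["src"], inside["sport"], inside["dst"], inside["dport"])
        ext_port = int(outside["sport"])
        if flow not in seen:
            seen[flow] = ext_port
        elif seen[flow] != ext_port:
            changes.append({"ts": inside["ts"], "flow": flow,
                            "old_port": seen[flow], "new_port": ext_port})
            seen[flow] = ext_port
    return changes


if __name__ == "__main__":
    for c in find_mapping_changes(INSIDE, OUTSIDE):
        src, sport, dst, dport = c["flow"]
        print(f"{c['ts']} {src}:{sport} -> {dst}:{dport}: "
              f"NAT source port changed {c['old_port']} -> {c['new_port']}")
```

With real captures, run `tcpdump -n -i <inside_if>` and `tcpdump -n -i <outside_if>` on the gateway with the same filter, then feed the two outputs to `find_mapping_changes`. The join on TCP timestamp value and length assumes both sides negotiated the timestamps option, as the quoted trace shows; for flows without it, the pairing would need capture-time proximity instead.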