Date: Mon, 29 Jun 2015 10:52:01 +0200
From: Milan Obuch <freebsd-pf@dino.sk>
To: Daniel Hartmeier <daniel@benzedrine.ch>
Cc: Ian FREISLICH <ian.freislich@capeaugusta.com>, freebsd-pf@freebsd.org
Subject: Re: Large scale NAT with PF - some weird problem
Message-ID: <20150629105201.7ee24e38@zeta.dino.sk>
In-Reply-To: <20150629082654.GA22693@insomnia.benzedrine.ch>
References: <20150620182432.62797ec5@zeta.dino.sk> <20150619091857.304b707b@zeta.dino.sk> <14e119e8fa8.2755.abfb21602af57f30a7457738c46ad3ae@capeaugusta.com> <E1Z6dHz-0000uu-D8@clue.co.za> <E1Z6eVg-0000yz-Ar@clue.co.za> <20150621195753.7b162633@zeta.dino.sk> <E1Z7Ixx-0006K1-5p@clue.co.za> <E1Z7K1Y-0006Ph-ON@clue.co.za> <20150623112331.668395d1@zeta.dino.sk> <20150628100609.635544e0@zeta.dino.sk> <20150629082654.GA22693@insomnia.benzedrine.ch>
On Mon, 29 Jun 2015 10:26:54 +0200
Daniel Hartmeier <daniel@benzedrine.ch> wrote:

> On Sun, Jun 28, 2015 at 10:06:09AM +0200, Milan Obuch wrote:
>
> > So, now I am at 10.2-PRERELEASE, r284884, and the issue is still
> > here. It is totally weird, just change of IP the device is being
> > natted to makes the issue disappear for this particular customer,
> > but as soon as this exact IP is used again, the issue is here again.
>
> Do you have access to the upstream router?
> Can you check its ARP table?

No, I do not have access here, I can't get info from there directly. I could get some info from some admin, but this would take some time, and I do not think it could really help me...

> It could have a static ARP entry for this specific IP address, or
> there could be an address conflict for that IP address...

Well, no reason for that, some more background below.

> Can't you tell us the network, netmask and the IP address?
> Not even with the first octet redacted?

Well, I do not like to give full details in public, but partially redacted - all public addresses are from one /16 block, let's call it x.y.0.0/16. On my side, the uplink interface is em0 with IP x.y.3.19/29; on the upstream router, there is x.y.3.17/29, used as the default gateway for me. On the upstream router, the network x.y.24.0/22 is statically routed to x.y.3.19, my IP. Other IPs on the uplink segment are not used currently.

From this x.y.24.0/22 address block, some smaller segments are directly connected to my box, such as public servers (DNS, www, mail...) or some customers with a dedicated public IP. For this purpose, the x.y.24.0/24 address block is used, divided into smaller segments. The next block, x.y.25.0/24, is used mainly for binat'ed IPs; in pf.conf one will see a handful of "binat on $if_ext from 172.a.b.c to any -> x.y.25.z" statements, and the rest, x.y.26.0/23, is used as $pool_ext, assigned dynamically to all customers.

Per Ian's advice, I am currently testing my setup with just x.y.26.0/24 being used for the NAT pool.

As for the question about ARP - I think there is not anything like a static arp on the upstream router. I could ping the offending address from outside and see them arriving on the uplink interface, em0, with tcpdump. No replies are being generated, however, but I considered this as good evidence there is nothing blocking me on the upstream router.

Does this answer your question fully, or would something more be useful?

Regards,
Milan