From: Milan Obuch
To: Daniel Hartmeier
Cc: Ian FREISLICH, freebsd-pf@freebsd.org
Subject: Re: Large scale NAT with PF - some weird problem
Date: Mon, 29 Jun 2015 10:52:01 +0200
Message-ID: <20150629105201.7ee24e38@zeta.dino.sk>
In-Reply-To: <20150629082654.GA22693@insomnia.benzedrine.ch>

On Mon, 29 Jun 2015 10:26:54 +0200 Daniel Hartmeier wrote:

> On Sun, Jun 28, 2015 at 10:06:09AM +0200, Milan Obuch wrote:
>
> > So, now I am at 10.2-PRERELEASE, r284884, and the issue is still
> > here. It is totally weird, just change of IP the device is being
> > natted to makes the issue disappear for this particular customer,
> > but as soon as this exact IP is used again, the issue is here again.
>
> Do you have access to the upstream router?
> Can you check its ARP table?

No, I do not have access here, I can't get info from there directly. I could get some info from some admin, but this would take some time, and I do not think it could really help me...

> It could have a static ARP entry for this specific IP address, or
> there could be an address conflict for that IP address...

Well, no reason for that, some more background below.

> Can't you tell us the network, netmask and the IP address?
> Not even with the first octet redacted?

Well, I do not like to give full details in public, but partially redacted - all public addresses are from one /16 block, let's call it x.y.0.0/16. On my side, the uplink interface is em0 with IP x.y.3.19/29; on the upstream router, there is x.y.3.17/29, used as the default gateway for me. On the upstream router, the network x.y.24.0/22 is statically routed to x.y.3.19, my IP. Other IPs on the uplink segment are not used currently.

From this x.y.24.0/22 address block, some smaller segments are directly connected to my box, such as public servers (DNS, www, mail...) or some customers with a dedicated public IP. For this purpose, the x.y.24.0/24 address block is used, divided into smaller segments. The next block, x.y.25.0/24, is used mainly for binat'ed IPs; in pf.conf one will see a handful of `binat on $if_ext from 172.a.b.c to any -> x.y.25.z` statements, and the rest, x.y.26.0/23, is used as $pool_ext, assigned dynamically to all customers. Per Ian's advice, I am currently testing my setup with just x.y.26.0/24 being used for the NAT pool.

As for the question about ARP - I think there is not anything like a static ARP entry on the upstream router. I could ping the offending address from outside and see the packets arriving on the uplink interface, em0, with tcpdump. No replies are being generated, however, but I considered this as good evidence there is nothing blocking me on the upstream router.

Does this answer your question fully, or would something more be useful?

Regards,
Milan
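The layout Milan describes (routed /24 for servers and dedicated-IP customers, a /24 of 1:1 binat mappings, and a shared NAT pool for everyone else) written out as a pf.conf fragment. This is an added illustration, not Milan's actual configuration or anything from the thread: the `x.y.` octets are the same redaction placeholders used in the mail and must be filled in, the customers' private range (172.16.0.0/12), the binat host pair, and the `source-hash` pool option are assumptions chosen for the example, and the rule set uses the pre-4.5 `nat`/`binat` syntax that FreeBSD 10's pf accepts.

```pf
# --- added example, not the configuration from the mailing-list thread ---
# Placeholders: "x.y." is the redacted /16 prefix from the mail; fill it in.
if_ext   = "em0"
gw_ext   = "x.y.3.17"            # upstream router, default gateway
net_pub  = "x.y.24.0/22"         # whole block routed to us by the upstream router
net_srv  = "x.y.24.0/24"         # public servers / dedicated public IPs, routed as-is
net_binat = "x.y.25.0/24"        # public side of the 1:1 (binat) mappings
pool_ext = "x.y.26.0/24"         # shared NAT pool; /24 for the test Ian suggested
                                  # (the full design uses x.y.26.0/23)
net_cust = "172.16.0.0/12"       # ASSUMPTION: customers' private addressing

# Hosts that already hold a public address are forwarded, never translated.
no nat on $if_ext from $net_srv to any

# 1:1 mappings, one statement per host (host pair below is a constructed example).
binat on $if_ext from 172.16.0.10 to any -> x.y.25.10

# Everyone else shares the pool. source-hash pins a given customer to one pool
# address for the life of the rule set, which keeps the mapping predictable
# when comparing pf state with what the upstream side sees; round-robin is the
# alternative if spreading load across the pool matters more.
nat on $if_ext from $net_cust to any -> $pool_ext source-hash

# Minimal filter: keep state on traffic leaving the uplink, admit only
# established replies and traffic to the routed block.
block in on $if_ext all
pass out on $if_ext keep state
pass in on $if_ext proto { tcp udp icmp } to $net_pub keep state
```

When a single translated address misbehaves, `pfctl -ss` lists the live states with both the private and the pool address of each mapping, and `pfctl -sn` (or `pfctl -sr` on newer pf) shows the translation rules as loaded, which is a quick way to confirm that the problem address really is coming from the pool rule rather than from a binat line. Note that pf itself never answers ARP for pool addresses; the kernel only replies for addresses configured on an interface, so a pool address that is not also an alias on `$if_ext` is reachable only because the upstream router routes the whole /22 to x.y.3.19.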