Date: Thu, 9 Jul 2015 16:48:50 +0200
From: Milan Obuch
To: Ian FREISLICH
Cc: Daniel Hartmeier, freebsd-pf@freebsd.org
Subject: Re: Large scale NAT with PF - some weird problem

On Mon, 6 Jul 2015 16:33:58 +0200
Milan Obuch wrote:

> On Mon, 29 Jun 2015 12:54:32 +0200
> Milan Obuch wrote:
>
> > On Mon, 29 Jun 2015 12:42:22 +0200
> > Ian FREISLICH wrote:

[ snip ]

> > > If the round-robin works with a smaller pool, then I suspect
> > > Glebius will be interested.
> > >
> >
> > Well, if he chimes in, I would only welcome that. Currently I am
> > waiting for any signs of trouble with the shrunken pool, if there
> > will be any.
> >
>
> For about a week, I did not receive any complaints, so I think it
> works for now.
>

I did a small experiment: after working for some time with no trouble
with pool x.y.26.0/24, I tried x.y.27.0/24, and there was trouble
again. The IP in question is x.y.27.152; as soon as it gets used, the
affected customer/device has no access to the internet. Really weird.

So it is not sheer pool size leading to trouble, it is the inclusion
of this one IP (maybe some more, but not frequently) in the pool which
results in trouble. I am baffled.

Regards,
Milan