From: "Terrence Koeman" <terrence@mediamonks.net>
To: ipfw@freebsd.org
Date: Tue, 27 Mar 2012 01:12:40 +0200
Subject: Packetloss due to ipfw + kernel NAT?

I was troubleshooting an intermittent network connectivity problem, and I noticed something weird.

My situation: [internet]<->[freebsd box]<->[clients]

FreeBSD box (9-STABLE) has 172.16.0.1 on int0 (mtu 1500), x.x.172.84-85 on ng0 (pppoe via mpd, mtu 1492). Clients are assigned from 172.16.10/24{100-200}.

I stripped almost everything from my ruleset, so this remains:

    natip="x.x.172.85"
    $cmd enable one_pass
    $cmd nat 10 config ip ${natip} same_ports
    $cmd add 04020 nat 10 all from any to ${natip} in
    $cmd add 04031 nat 10 all from ${intnet} to not ${intnet} out

Now, I suspected an MTU issue, so I tried some different packet sizes to see what happens:

On FreeBSD box:

    ping -S x.x.172.84 -s 1400 mediamonks.net -> no packet loss
    ping -S x.x.172.84 -s 1500 mediamonks.net -> no packet loss
    ping -S x.x.172.84 -s 2500 mediamonks.net -> no packet loss
    ping -S x.x.172.84 -s 3000 mediamonks.net -> no packet loss
    ping -S x.x.172.84 -s 5000 mediamonks.net -> no packet loss

    ping -S x.x.172.85 -s 1400 mediamonks.net -> no packet loss
    ping -S x.x.172.85 -s 1500 mediamonks.net -> ~40% packet loss
    ping -S x.x.172.85 -s 2500 mediamonks.net -> ~40% packet loss
    ping -S x.x.172.85 -s 3000 mediamonks.net -> ~3% packet loss
    ping -S x.x.172.85 -s 5000 mediamonks.net -> no packet loss

On client 172.16.10.101 (Windows 7 x64):

    ping -l 1400 mediamonks.net -> no packet loss
    ping -l 1500 mediamonks.net -> ~40% packet loss
    ping -l 2500 mediamonks.net -> ~40% packet loss
    ping -l 3000 mediamonks.net -> no packet loss
    ping -l 5000 mediamonks.net -> no packet loss

If I set natip to x.x.172.84 the packet loss moves to that IP and remains the same for the client. Forcing the MTU on the Windows client to 1492 does not change the result. I double checked the result for packet size 3000 since the result differs between the client and the FreeBSD box, but there is really no packet loss for the client while there is some on the FreeBSD box.

Does someone know what is happening here? Is this a bug in ipfw?

-- 
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk
MediaMonks B.V. (www.mediamonks.com)

Please quote relevant replies in correspondence.
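As a diagnostic aid for the size sweep above, here is an added Python example (it is not part of Terrence's post and is not ipfw code): it applies RFC 791 IPv4 fragmentation to the ICMP echo sizes he tested, both for a packet the box sends straight out the 1492-byte ng0 link and for one a 1500-MTU client sends through the box, where the router must fragment the first 1500-byte fragment a second time. The 1500 and 1492 MTUs and the payload sizes come from the post; the helper names (`fragment`, `host_path`, `routed_path`) are my own assumptions, and the code only computes fragment layout, it does not claim to explain the observed loss.

```python
# Added example, not from the mailing-list post: an IPv4 fragmentation
# calculator for the ping sizes discussed in the thread. MTU values
# (1500 on int0, 1492 on the PPPoE link ng0) and payload sizes are the
# post's; everything else is an illustrative assumption.

IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo request header


def fragment(pieces, mtu):
    """Fragment a list of (offset, data_len, more_fragments) pieces so each
    fits `mtu`. Accepts already-fragmented input, because a router that
    receives fragments cut for a 1500-byte link must cut them again for a
    1492-byte link. All fragments but the datagram's last must carry a
    multiple of 8 data bytes, so the chunk size is rounded down to 8."""
    max_data = ((mtu - IP_HDR) // 8) * 8
    out = []
    for offset, data_len, more in pieces:
        if IP_HDR + data_len <= mtu:
            out.append((offset, data_len, more))
            continue
        pos, remaining = offset, data_len
        while remaining > 0:
            chunk = min(max_data, remaining)
            is_last = chunk == remaining
            # Non-final chunks set MF; the final chunk inherits the input
            # piece's MF flag since that piece may itself not end the datagram.
            out.append((pos, chunk, more if is_last else True))
            pos += chunk
            remaining -= chunk
    return out


def ping_datagram(payload):
    """One unfragmented ICMP echo datagram carrying `payload` data bytes."""
    return [(0, ICMP_HDR + payload, False)]


def wire_sizes(pieces):
    """On-the-wire size of each fragment (IP header plus data)."""
    return [IP_HDR + data_len for _, data_len, _ in pieces]


def host_path(payload, mtu):
    """Fragment sizes a host emits when its outgoing interface has `mtu`
    (the 'ping -S x.x.172.85 -s N' case, sent directly out ng0)."""
    return wire_sizes(fragment(ping_datagram(payload), mtu))


def routed_path(payload, lan_mtu, wan_mtu):
    """Fragment sizes on the WAN after a client behind `lan_mtu` sends
    through a router whose uplink has `wan_mtu` (the Windows client case)."""
    first_hop = fragment(ping_datagram(payload), lan_mtu)
    return wire_sizes(fragment(first_hop, wan_mtu))


if __name__ == "__main__":
    for size in (1400, 1500, 2500, 3000, 5000):
        print(f"-s {size}: box via ng0 (1492) -> {host_path(size, 1492)}; "
              f"client via int0 (1500) then ng0 -> {routed_path(size, 1500, 1492)}")
```

Running it shows that only the 1400-byte payload fits in a single 1492-byte frame; every larger size is fragmented, and a client-side 1500-byte fragment becomes a 1492-byte fragment plus a 28-byte tail once it crosses ng0. Comparing this layout against which sizes actually lose packets is a quick way to separate a fragment-handling or MTU problem from an unrelated one.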