From: "Cristian Bradiceanu"
To: freebsd-pf@freebsd.org
Date: Tue, 20 May 2008 18:30:58 +0300
Subject: pf reply-to tcp connections stall
Message-ID: <2f12f40a0805200830l7836d640s69c55af837d475d9@mail.gmail.com>

Hello,

I am trying to set up split routing on two Internet links, each with one IP address:

em0 = wan1, $em0_gw gateway
em1 = lan, NATed on em0 and em2
em2 = wan2, default gateway

pass in on em0 reply-to (em0 $em0_gw) inet proto tcp from any to em0 flags S/SA keep state
pass in on em0 reply-to (em0 $em0_gw) inet proto udp from any to em0 keep state
pass in on em0 reply-to (em0 $em0_gw) inet proto icmp from any to em0 keep state

wan2 connections are working correctly, no pf rules for policy routing.

wan1 tcp connections to IP of em0 (e.g. ssh) stall when a large amount of data is sent (e.g. running dmesg or cat file). States are created correctly. When ssh stalls there are some icmp packets out on lo0 with source and destination ip address of em0, which I believe is not correct (set skip on lo0 does not help). Also tried with tcp ... modulate state but same result.

If I change default gateway to $em0_gw and disable pf all connections on wan1 are ok.

I also tried to use route-to instead of reply-to with:

pass out on em2 route-to (em0 $em0_gw) from em0 to any

both with keep state and no state options - same ssh connection stall.

System is FreeBSD 7.0-STABLE amd64.

Kind regards,
Cristian