Date: Fri, 31 Jul 2009 13:15:56 -0500 From: markham roan <mrkhmroan@gmail.com> To: questions@freebsd.org Subject: Windows 2008 + AD + PF + bridge = problems? Message-ID: <548f3c460907311115y5e89341ds91b43cd62c16dbf4@mail.gmail.com>
Has anyone used Windows 2008 and active directory with a bridging, NATing firewall between the domain controller and the 2008 machine? We're in a situation where we're trying to join a domain with a 2008 machine, and no matter what we do to the firewall, joining stalls and fails.

DC: Windows Server 2003
Server: Windows Server 2008
Firewall: FreeBSD 6.1 plus PF

We're doing bidirectional NAT on the clients, so the DC has a real address while the Server has an RFC1918 address. We are explicitly allowing all traffic between the server and the DC, with and later without keeping state. Windows Server 2003 machines behind the firewall join just fine, and Windows 2008 Server machines outside of the firewall join just fine.

A packet capture revealed a number of anomalies. Once the server starts trying to join the domain, we get all sorts of TCP transmission errors, retries, duplicate ACKs etc. In some cases, the public side of the firewall will send an ICMP host-unreachable message for a host which is clearly being BINATed.

I've tinkered with net.inet.ip.intr_queue_maxlen, but it doesn't seem to help. net.inet.ip.intr_queue_drops isn't increasing at a noticeable rate, anyway.

Does anyone have any thoughts and/or advice on where I can go from here?
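For readers trying to reproduce or review a setup like the one described in this message, here is a pf.conf sketch of a filtering bridge with bidirectional NAT for one host and explicit pass rules between that host and the domain controller. This is an added example, not the poster's actual configuration: the interface names, the addresses (RFC 5737 documentation space for the "real" side, RFC 1918 for the inside), the default-deny policy, and the MSS clamp are all assumptions chosen to illustrate the pieces the message mentions.

```pf
# Added example (not from the original post): FreeBSD 6.x pf.conf sketch of a
# filtering bridge that BINATs one Windows 2008 server and explicitly allows
# all traffic between it and the domain controller.
# Interface names and addresses below are assumptions for illustration.
ext_if  = "em0"             # bridge member facing the DC / public network
int_if  = "em1"             # bridge member facing the 2008 server
dc      = "192.0.2.10"      # Windows 2003 DC (real address, RFC 5737 example)
srv_pub = "192.0.2.20"      # public address the server is BINATed to
srv_int = "192.168.10.20"   # server's RFC 1918 address behind the bridge

set skip on lo0

# Reassemble fragments and clamp the TCP MSS on the outside interface so a
# path-MTU mismatch across the bridge/NAT does not show up as retransmissions
# and stalled connections (a common thing to rule out when a join hangs).
scrub in all fragment reassemble
scrub out on $ext_if all max-mss 1440

# Bidirectional NAT: the DC side reaches the server as $srv_pub, and the
# server's outbound traffic appears to come from $srv_pub.
binat on $ext_if from $srv_int to any -> $srv_pub

# Assumed default-deny so the pass rules below are the only path.
block log all

# Allow all traffic between server and DC. pf applies the binat translation
# before filtering, so rules on $ext_if see $srv_int on the way in and
# $srv_pub on the way out; rules on $int_if only ever see $srv_int.
# "keep state" is the stateful variant; replacing it with "no state" on all
# four rules gives the stateless variant, which is why both directions are
# matched explicitly on both bridge members.
pass in  quick on $ext_if from $dc      to $srv_int keep state
pass out quick on $int_if from $dc      to $srv_int keep state
pass in  quick on $int_if from $srv_int to $dc      keep state
pass out quick on $ext_if from $srv_pub to $dc      keep state
```

Two checks worth doing against a ruleset like this: `pfctl -sr` and `pfctl -sn` confirm that the translation and filter rules loaded in the order shown, and `pfctl -ss` during a join attempt shows whether state entries exist for the server/DC pair on both interfaces. On an if_bridge(4) bridge, the `net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge` sysctls decide whether pf filters on the member interfaces (as assumed here) or on the bridge interface itself, so the interface names in the rules must match that setting.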