Date: Fri, 20 Jan 2017 08:47:43 -0700 From: Alan Somers <asomers@freebsd.org> To: Kristof Provost <kp@freebsd.org> Cc: Bakul Shah <bakul@bitblocks.com>, FreeBSD Net <freebsd-net@freebsd.org> Subject: Re: pf & NAT issue Message-ID: <CAOtMX2hTcEkw_WzgtcEEipGY391zB=skrk7O=dknRMMG%2BDa%2BBA@mail.gmail.com> In-Reply-To: <7C29D00C-94C0-4550-B1B2-CE307482B544@FreeBSD.org> References: <20170120083555.ACCF9124AEA4@mail.bitblocks.com> <7C29D00C-94C0-4550-B1B2-CE307482B544@FreeBSD.org>
On Fri, Jan 20, 2017 at 3:48 AM, Kristof Provost <kp@freebsd.org> wrote:
> On 20 Jan 2017, at 9:35, Bakul Shah wrote:
>>
>> pf seems to drop NAT connections quite a bit. This seems to
>> happen much more frequently if there are delays involved (slow
>> server or interactive use). Almost seems like pf losing
>> track of NATted connections due to an uninitialized
>> variable.... Often a retry or two works. Connecting from
>> outside to forwarded connections to NATTED hosts works fine.
>>
>> This problem started after upgrading to freebsd-10. Is there a
>> bug fix in works or a known work around (other than using ipfw
>> or reverting to 9, which I don't want to do)?
>>
> The problem you describe doesn't immediately ring a bell.
>
> We'll have to gather a bit more information:
>
> * What FreeBSD version are you running exactly?
> * What's your pf.conf?
> * Can you perform a network capture of rejected/failed connections? Ideally
> both on LAN and WAN on the gateway machine. Please capture full packets
> (so tcpdump -s0 -w lan.pcap) as pcap files.
> * What networking cards are you using?
>
> Regards,
> Kristof

Under heavy load, pf can drop information from its state table. You can try
increasing state table limits to see if it helps the problem. Read the "set
limits" section of the pf man page.

-Alan
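A quick way to check whether the state table is actually the bottleneck before raising "set limit states", added here as an example and not part of the thread. It parses the output of `pfctl -s info` and `pfctl -s memory`; the two samples are constructed (field layout as pfctl prints it on FreeBSD, values invented) so the script runs offline, and the 100000 it prints is an illustrative value, not a recommendation.

```shell
#!/bin/sh
# Added example, not from the thread: detect pf state-table exhaustion, the
# condition Alan describes (pf dropping state under load). Reads "pfctl -s info"
# and "pfctl -s memory" output; the samples below are constructed so it runs
# offline. On a live gateway use: INFO=$(pfctl -s info); MEM=$(pfctl -s memory)

SAMPLE_INFO='Status: Enabled for 12 days 03:21:10           Debug: Urgent

State Table                          Total             Rate
  current entries                     9850
  searches                      1234567890         1180.0/s
  inserts                         12345678           11.8/s
  removals                        12335828           11.8/s
Counters
  match                           12345678           11.8/s
  memory                              4321            0.1/s
  state-limit                          512            0.0/s
'
SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000
'

# pf_state_pct INFO MEMORY: current state entries as a percentage of the
# "states" hard limit (the value "set limit states" controls in pf.conf).
pf_state_pct() {
  current=$(printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" {print $3}')
  limit=$(printf '%s\n' "$2" | awk '$1 == "states" {print $4}')
  echo $(( current * 100 / limit ))
}

# pf_limit_drops INFO: packets pf could not create state for because the
# state pool or hard limit was exhausted (the "memory" and "state-limit" counters).
pf_limit_drops() {
  printf '%s\n' "$1" | awk '$1 == "memory" || $1 == "state-limit" {sum += $2} END {print sum + 0}'
}

pct=$(pf_state_pct "$SAMPLE_INFO" "$SAMPLE_MEMORY")
drops=$(pf_limit_drops "$SAMPLE_INFO")
echo "state table at ${pct}% of hard limit, ${drops} packets dropped for lack of state"
if [ "$pct" -ge 90 ] || [ "$drops" -gt 0 ]; then
  # Raise the limit in pf.conf (see "set limit" in pf.conf(5)) and reload with
  # "pfctl -f /etc/pf.conf"; 100000 is an illustrative value, not a recommendation.
  echo 'suggest: set limit states 100000'
fi
```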
