pf reply-to tcp connections stall

Cristian Bradiceanu cbredi at bofhserver.net
Tue May 20 15:55:55 UTC 2008


Hello,

I am trying to set up split routing on two Internet links, each with
one IP address:

em0 = wan1, $em0_gw gateway
em1 = lan, NATed on em0 and em2
em2 = wan2, default gateway

pass in on em0 reply-to (em0 $em0_gw) inet proto tcp from any to em0 flags S/SA keep state
pass in on em0 reply-to (em0 $em0_gw) inet proto udp from any to em0 keep state
pass in on em0 reply-to (em0 $em0_gw) inet proto icmp from any to em0 keep state

wan2 connections are working correctly, with no pf rules for policy routing.

wan1 tcp connections to IP of em0 (e.g. ssh) stall when a large amount
of data is sent (e.g. running dmesg or cat file). States are created
correctly. When ssh stalls there are some icmp packets out on lo0 with
source and destination ip address of em0, which I believe is not
correct (set skip on lo0 does not help). Also tried with tcp ...
modulate state but same result.

If I change the default gateway to $em0_gw and disable pf, all connections
on wan1 are OK.

I also tried to use route-to instead of reply-to with:

pass out on em2 route-to (em0 $em0_gw) from em0 to any

both with keep state and no state options - same ssh connection stall.

System is FreeBSD 7.0-STABLE amd64.

Kind regards,
Cristian
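Added example, not part of the mail above: a small lint for a split-routing ruleset like the one posted, checking that every `pass in` rule on a secondary WAN interface carries a `reply-to` and that the `reply-to` interface matches the `on` interface. The ruleset, the interface list in WAN_SECONDARY and the gateway address 192.0.2.1 are constructed for the example.

```shell
#!/bin/sh
# Lint a pf.conf fragment for split-routing pitfalls.
# Assumptions (not from the original mail): one rule per line, macros
# already expanded, secondary (non-default-gateway) WAN interfaces listed
# in WAN_SECONDARY.

WAN_SECONDARY="em0"

# Constructed sample ruleset modelled on the post; $em0_gw replaced by 192.0.2.1.
# Line 3 lacks reply-to, line 4 names the wrong interface, line 5 is on the
# default-gateway WAN and needs no reply-to.
SAMPLE_RULES='pass in on em0 reply-to (em0 192.0.2.1) inet proto tcp from any to em0 flags S/SA keep state
pass in on em0 reply-to (em0 192.0.2.1) inet proto udp from any to em0 keep state
pass in on em0 inet proto icmp from any to em0 keep state
pass in on em0 reply-to (em2 192.0.2.1) inet proto tcp from any to em0 keep state
pass in on em2 inet proto tcp from any to em2 flags S/SA keep state'

# lint_rules <rules text>: prints one finding per offending rule, prefixed
# with the rule's line number; prints nothing when the ruleset is clean.
lint_rules() {
    printf '%s\n' "$1" | awk -v wans="$WAN_SECONDARY" '
        BEGIN { n = split(wans, w, " "); for (i = 1; i <= n; i++) wan[w[i]] = 1 }
        $1 == "pass" && $2 == "in" && $3 == "on" && ($4 in wan) {
            iface = $4; has = 0; rt = ""
            # reply-to is followed by "(iface", then the gateway address
            for (i = 5; i <= NF; i++) if ($i == "reply-to") { has = 1; rt = $(i + 1) }
            sub(/^\(/, "", rt)
            if (!has)
                print NR ": no reply-to on " iface " (replies would leave via the default gateway)"
            else if (rt != iface)
                print NR ": reply-to interface " rt " does not match " iface
        }'
}

lint_rules "$SAMPLE_RULES"
```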
