FreeBSD 5.4 router with pf nat, bug?
Casper
kl at os.lv
Thu Sep 1 00:56:34 PDT 2005
Hi,
I have a 5.4-RELEASE-p6 test router and I wanted to do all routing/fw
with pf, to learn more about pf...
I have added to the kernel options:
device pf
device pflog
device pfsync
options ALTQ
Set up jails with 172.22.x.x addresses, and on the local network I have
192.168.x.x addresses...
ifconfig rl0 is the real IP and the mapped jails... rl1 is the internal network...
/etc/pf.conf now looks like:
---------------------------------------------
ext_if="rl0"
int_if="rl1"
set state-policy if-bound
set loginterface $ext_if
scrub reassemble tcp fragment reassemble
nat on $ext_if from 172.1.1.1/8 to any -> ($ext_if)
nat on $ext_if from 192.168.1.1/8 to any -> $ext_if
rdr on $ext_if proto tcp from any to 159.148.155.14 port 8080 -> 172.22.1.2 port www
antispoof log quick for $ext_if inet
antispoof log quick for $int_if inet
block in log quick on $ext_if inet from any to ! ($ext_if)
pass quick on lo0 all
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA synproxy state
-----------------------------------------------------------------------
The problem is when I make a connection from a jail or the internal network, for any
connection (http, ping, etc.) the first packet goes through and gets a reply, the
second does not...
like:
# traceroute www.ass.lv
traceroute to www.ass.lv (195.13.160.54), 64 hops max, 40 byte packets
1 my_router (my_router) 0.166 ms 0.143 ms 0.130 ms
2 * next_router (next_router) 1.274 ms *
3 titan-v12-gw.latnet.lv (159.148.13.150) 1.970 ms * 1.992 ms
4 * 80.232.230.89 (80.232.230.89) 2.205 ms *
From my_router all working ok:
1 next_router (next_router) 1.331 ms 0.962 ms 1.037 ms
2 titan-v12-gw.latnet.lv (159.148.13.150) 1.287 ms 0.757 ms 1.660 ms
3 80.232.230.89 (80.232.230.89) 1.218 ms 2.233 ms 1.352 ms
So only NATed packets get lost, every second one... with tcpdump and pf
logging, everything shows that nothing is blocking them...
Any idea what is going on, or how to test where the problem is?
tnx,
K.
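An added example (not from the post above and not pf's own tooling) that expands the pf.conf macros and normalizes the nat source prefixes, so you can see which network each rule really matches and whether an address you expect to be translated is covered; the sample config is a constructed copy of the post's macro and nat/rdr lines.

```python
import ipaddress
import re

# Constructed sample: the macro, nat and rdr lines quoted in the post above.
PF_CONF = """\
ext_if="rl0"
int_if="rl1"
nat on $ext_if from 172.1.1.1/8 to any -> ($ext_if)
nat on $ext_if from 192.168.1.1/8 to any -> $ext_if
rdr on $ext_if proto tcp from any to 159.148.155.14 port 8080 -> 172.22.1.2 port www
"""


def expand_macros(text):
    """Substitute pf.conf macro definitions (name="value") into the rules."""
    macros = dict(re.findall(r'^(\w+)="([^"]*)"', text, re.M))
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), text)


def nat_sources(text):
    """Return (raw source, normalized network) for every nat rule's 'from' address."""
    result = []
    for line in expand_macros(text).splitlines():
        m = re.match(r'nat on (\S+) from (\S+) to', line)
        if m:
            raw = m.group(2)
            # strict=False masks off host bits, which is how the prefix is interpreted
            net = ipaddress.ip_network(raw, strict=False)
            result.append((raw, str(net)))
    return result


def host_bits_set(text):
    """Raw nat sources whose written address differs from the masked network."""
    return [raw for raw, net in nat_sources(text) if raw != net]


def covers(text, address):
    """Raw nat sources whose network contains the given source address."""
    addr = ipaddress.ip_address(address)
    return [raw for raw, net in nat_sources(text) if addr in ipaddress.ip_network(net)]


if __name__ == "__main__":
    for raw, net in nat_sources(PF_CONF):
        print(f"{raw:16} -> {net}")
    print("host bits set:", host_bits_set(PF_CONF))
    print("172.22.1.2 matched by:", covers(PF_CONF, "172.22.1.2"))
```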