FreeBSD 5.4 router with pf nat, bug?

Casper kl at
Thu Sep 1 20:59:20 GMT 2005


I have a 5.4-RELEASE-p6 test router and I wanted to do all routing/fw
with pf, to learn more about pf...
I have added to kernel options:
device pf
device pflog
device pfsync
options ALTQ

Set up jails with 172.22.x.x addresses, and on the local network I have
192.168.x.x addresses...

ifconfig: rl0 has the real IP and the jail aliases... rl1 is the internal network...

/etc/pf.conf now looks like:

set state-policy if-bound
set loginterface $ext_if

scrub reassemble tcp fragment reassemble

nat on $ext_if from to any -> ($ext_if)
nat on $ext_if from to any -> $ext_if

rdr on $ext_if proto tcp from any to port 8080 -> port www

antispoof log quick for $ext_if inet
antispoof log quick for $int_if inet

block in log quick on $ext_if inet from any to ! ($ext_if)
pass quick on lo0 all

pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA synproxy state

The problem is that when I make a connection from a jail or the internal network, for any
connection (http, ping, etc.) the first packet goes through and gets a reply, the
second does not...
# traceroute
traceroute to (, 64 hops max, 40 byte packets
  1  my_router (my_router)  0.166 ms  0.143 ms  0.130 ms
  2  * next_router (next_router)  1.274 ms *
  3 (  1.970 ms *  1.992 ms
  4  * (  2.205 ms *

From my_router everything works ok:
1  next_router (next_router)  1.331 ms  0.962 ms  1.037 ms
2 (  1.287 ms  0.757 ms  1.660 ms
3 (  1.218 ms  2.233 ms  1.352 ms

So only NAT'ed packets get lost every second time... with tcpdump and pf
logging everything shows that nothing is blocking them...
Any idea what is going on, or how to test where the problem is?
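One way to test where the problem is, as an added example that is not part of the original post: a small triage script over `pfctl -ss` output, which shows whether each NAT'ed flow actually has a translated state on the external interface (with `set state-policy if-bound`, the first column of `pfctl -ss` is the interface a state is bound to, or `all` for a floating state, and a translated state reads `src -> nat -> dst`). The sample output, the interface name rl0 as $ext_if, and the 172.22/192.168 internal ranges are assumptions taken from the post; the addresses in the sample are constructed documentation ranges.

```python
import re
from collections import defaultdict

# One `pfctl -ss` line (assumed FreeBSD 5.x layout): interface the state is bound
# to ('all' if floating), protocol, 'src -> dst' or 'src -> nat -> dst', status.
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+->\s+"
    r"(?:(?P<nat>\S+)\s+->\s+)?(?P<dst>\S+)\s+(?P<state>\S+)$"
)

# Constructed sample of `pfctl -ss` output; addresses are documentation ranges.
SAMPLE = """\
rl0 tcp 172.22.0.2:49152 -> 203.0.113.5:60001 -> 198.51.100.1:80       ESTABLISHED:ESTABLISHED
rl0 icmp 192.168.1.10:1234 -> 203.0.113.5:1234 -> 198.51.100.1:1234       0:0
rl1 tcp 192.168.1.20:50000 -> 198.51.100.2:80       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.9:51000 -> 203.0.113.5:22       ESTABLISHED:ESTABLISHED
"""

INTERNAL = ("172.22.", "192.168.")  # jail and LAN ranges named in the post
EXT_IF = "rl0"                      # assumed: "rl0 has the real IP"


def parse_states(text):
    """Return one dict per parseable state line; other lines are skipped."""
    matches = (STATE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def nat_report(states, ext_if=EXT_IF):
    """Group states of flows from internal sources as (ifname, translated?)
    pairs, and list flows with no translated state on ext_if: replies to
    those cannot be un-NAT'ed, so they never reach the internal host."""
    flows = defaultdict(list)
    for s in states:
        host = s["src"].rsplit(":", 1)[0]
        if host.startswith(INTERNAL):
            key = (s["proto"], s["src"], s["dst"])
            flows[key].append((s["ifname"], s["nat"] is not None))
    missing = [f for f, st in flows.items() if (ext_if, True) not in st]
    return dict(flows), missing


if __name__ == "__main__":
    flows, missing = nat_report(parse_states(SAMPLE))
    for flow, states in flows.items():
        print(flow, states)
    print("flows lacking a translated state on", EXT_IF, ":", missing)
```

Run it against real output with `pfctl -ss | python3 script.py` after swapping `SAMPLE` for `sys.stdin.read()`; repeating the capture between the first and second packet of a failing connection shows whether the state disappears or was never created on rl0.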


