FreeBSD 5.4 router with pf nat, bug?

Casper kl at
Thu Sep 1 20:59:20 GMT 2005


  I have a 5.4-RELEASE-p6 test router and I wanted to do all routing/firewalling 
with pf, to learn more about pf...
I have added to kernel options:
device pf
device pflog
device pfsync
options ALTQ

I set up jails with 172.22.x.x addresses, and on the local network I have 
192.168.x.x addresses...

In ifconfig, rl0 has the real IP and the jail aliases... rl1 is the internal network...

/etc/pf.conf now looks like:

set state-policy if-bound
set loginterface $ext_if

scrub reassemble tcp fragment reassemble

nat on $ext_if from to any -> ($ext_if)
nat on $ext_if from to any -> $ext_if

rdr on $ext_if proto tcp from any to port 8080 -> port www

antispoof log quick for $ext_if inet
antispoof log quick for $int_if inet

block in log quick on $ext_if inet from any to ! ($ext_if)
pass quick on lo0 all

pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA synproxy state

The problem is that when I make a connection from a jail or from the internal 
network (any connection: http, ping, etc.), the first packet goes through and 
gets a reply, the second does not...
# traceroute
traceroute to (, 64 hops max, 40 byte packets
  1  my_router (my_router)  0.166 ms  0.143 ms  0.130 ms
  2  * next_router (next_router)  1.274 ms *
  3 (  1.970 ms *  1.992 ms
  4  * (  2.205 ms *

 From my_router everything works ok:
1  next_router (next_router)  1.331 ms  0.962 ms  1.037 ms
2 (  1.287 ms  0.757 ms  1.660 ms
3 (  1.218 ms  2.233 ms  1.352 ms

  So only the NATed packets get lost, every second one... with tcpdump and pf 
logging, everything shows that nothing is blocking them...
Any idea what is going on, or how to test where the problem is?
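As an added example (not part of the post above), here is a small Python parser for traceroute output in the format quoted in the post. It computes per-hop probe loss, finds the first hop that loses probes, and checks whether lost and answered probes strictly alternate (the "every second packet" pattern the post describes). Run on the two traces from the post it shows loss starting at hop 2, the first hop past my_router, which in this setup is the first hop where the nat rule applies, while the trace taken on the router itself shows no loss at all. The two sample traces below are constructed from the post's shape; the host names and addresses (RFC 5737 documentation ranges) are invented.

```python
import re
from typing import Dict, List, Optional

# Constructed sample traces in the style of the post (hosts/addresses invented).
SAMPLE_FROM_CLIENT = """\
traceroute to example.invalid (192.0.2.10), 64 hops max, 40 byte packets
 1  my_router (192.168.1.1)  0.166 ms  0.143 ms  0.130 ms
 2  * next_router (198.51.100.1)  1.274 ms *
 3  198.51.100.9 (198.51.100.9)  1.970 ms *  1.992 ms
 4  * 192.0.2.10 (192.0.2.10)  2.205 ms *
"""

SAMPLE_FROM_ROUTER = """\
traceroute to example.invalid (192.0.2.10), 64 hops max, 40 byte packets
 1  next_router (198.51.100.1)  1.331 ms  0.962 ms  1.037 ms
 2  198.51.100.9 (198.51.100.9)  1.287 ms  0.757 ms  1.660 ms
 3  192.0.2.10 (192.0.2.10)  1.218 ms  2.233 ms  1.352 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")          # "<ttl>  <rest of line>"
PROBE_RE = re.compile(r"\*|(\d+(?:\.\d+)?)\s+ms")   # "*" (lost) or "<rtt> ms"
HOST_RE = re.compile(r"(\S+)\s+\(([^)]*)\)")        # "name (addr)"


def parse_traceroute(text: str) -> List[Dict]:
    """Parse traceroute output into one dict per hop.

    Each probe is recorded as its RTT in ms, or None when traceroute
    printed '*' (no answer within the timeout).
    """
    hops: List[Dict] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line, skipped
        ttl, rest = int(m.group(1)), m.group(2)
        host = HOST_RE.search(rest)
        probes: List[Optional[float]] = [
            None if p.group(1) is None else float(p.group(1))
            for p in PROBE_RE.finditer(rest)
        ]
        hops.append({
            "ttl": ttl,
            "host": host.group(1) if host else None,
            "addr": host.group(2) if host else None,
            "probes": probes,
            "loss": probes.count(None) / len(probes) if probes else 1.0,
        })
    return hops


def first_lossy_hop(hops: List[Dict]) -> Optional[int]:
    """TTL of the first hop that lost at least one probe, or None."""
    for h in hops:
        if any(p is None for p in h["probes"]):
            return h["ttl"]
    return None


def alternating_loss(hops: List[Dict]) -> bool:
    """True when, from the first lossy hop onward, lost and answered probes
    strictly alternate in send order: the 'every second packet' pattern."""
    start = first_lossy_hop(hops)
    if start is None:
        return False
    lost = [p is None for h in hops if h["ttl"] >= start for p in h["probes"]]
    return len(lost) >= 4 and all(a != b for a, b in zip(lost, lost[1:]))


def report(text: str) -> str:
    """Human-readable per-hop summary plus the two pattern checks."""
    hops = parse_traceroute(text)
    lines = [
        f"hop {h['ttl']:2d} {h['host'] or '?':<14} loss {h['loss']:.0%}"
        for h in hops
    ]
    lines.append(f"first lossy hop: {first_lossy_hop(hops)}")
    lines.append(f"alternating loss pattern: {alternating_loss(hops)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("from client (through NAT):")
    print(report(SAMPLE_FROM_CLIENT))
    print("\nfrom the router itself:")
    print(report(SAMPLE_FROM_ROUTER))
```

Comparing the two reports side by side is the point: if the hop immediately past the router is the first one to lose probes and the same path is clean when probed from the router, the problem lies in what the router does to forwarded packets (here, the nat rules and state handling), not in the upstream path.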



