Large scale NAT with PF - some weird problem
Milan Obuch
freebsd-pf at dino.sk
Tue Jun 23 05:39:14 UTC 2015
On Sun, 21 Jun 2015 19:57:53 +0200
Milan Obuch <freebsd-pf at dino.sk> wrote:
> On Sun, 21 Jun 2015 08:38:04 -0400
> Ian FREISLICH <ian.freislich at capeaugusta.com> wrote:
>
[ snip ]
> > I also had some other settings regarding interrupt moderation on
> > the NIC, netisr threads, queue depth and dispatch. I disabled
> > entropy harvesting on interrupts, and the network path. Some of
> > these settings are loader.conf settings, some are runtime sysctls.
> >
> > I still think that if it's possible, you should give 10-STABLE a
> > try.
> >
>
> This will take some time to do. Unfortunately, I did not think about
> possibilities to test various versions when the system was installed.
> My bad. Now it is not easy, but I am trying to find a usable way to do
> it.
>
> Regards,
> Milan
>
As a first step, I did a small upgrade, so now I run FreeBSD 9.3-STABLE
#0 r284695: Mon Jun 22 08:55:29 CEST 2015.
I still see the issue, but I found a simpler workaround when the bad state
occurs - using
pfctl -k <ip.of.affected.client>
pfctl -K <ip.of.affected.client>
in this order seems to remedy the issue for this one affected client
without affecting other clients. This still does not solve the problem,
it just eases the reaction.
Also, not sure yet, but it seems that when it occurs, if more clients are
NATed using the same public IP, all are affected the same way. Using the
mentioned workaround for all of them makes them all work again.
Regards,
Milan
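The per-client workaround from the message above (pfctl -k to drop the client's states, then pfctl -K to drop its source-tracking entry, in that order), wrapped as a small POSIX sh helper. This is an added example, not code from the thread or from the pf project; it assumes pfctl is in PATH on the firewall, validates that each argument is a dotted-quad IPv4 address so a typo cannot widen the kill, and lets PFCTL be overridden for a dry run. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: apply the "pfctl -k <client>; pfctl -K <client>" workaround
# to one or more NATed clients, in that order. Names are hypothetical.
# Override PFCTL (e.g. PFCTL="echo pfctl") to see the commands without running them.

PFCTL="${PFCTL:-pfctl}"

# is_ipv4: accept only a dotted quad with each octet in 0..255.
# pfctl -k/-K take host or network arguments; restricting input to a single
# host address keeps a mistyped argument from matching more than one client.
is_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }'
}

# flush_client: kill the client's states (-k), then its source-tracking
# entry (-K). The order matches the workaround in the message.
# Returns 2 on a bad address, otherwise pfctl's own exit status.
flush_client() {
    addr="$1"
    if ! is_ipv4 "$addr"; then
        echo "flush_client: not an IPv4 host address: $addr" >&2
        return 2
    fi
    "$PFCTL" -k "$addr" && "$PFCTL" -K "$addr"
}

# flush_clients: apply the workaround to every address given, for the case
# where all clients behind one public IP are affected at once. Stops at the
# first failure so a bad argument is noticed rather than skipped.
flush_clients() {
    for a in "$@"; do
        flush_client "$a" || return $?
    done
}

# Usage (constructed addresses): flush_clients 10.0.0.5 10.0.0.6
```

Run it as root on the NAT box with the affected private addresses as arguments; with PFCTL set to a command that only echoes, it prints the exact pfctl invocations it would issue, which is a cheap way to review the list before touching live state.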