Problems with FreeBSD (amd64 stable/11) router

Ryan Stone rysto32 at gmail.com
Tue Dec 6 14:34:59 UTC 2016


Let me confirm I understand what's happening:

1) You want to use your router to vlan-tag traffic from your network, and
then send it out of a lagg over bce interfaces.  The bce interfaces have
their MTU set to 1500 and the vlan interface to 1496
2) The TiVo is sending packets with a payload size of 1500 and the DF bit
set.

If this is the case, then the problem is simply that when the packets are
passed through the vlan interface, the payload of the packets exceeds the
MTU, but as the DF bit is set, the packets cannot be fragmented.  Your
choices are either to use a 1500 byte MTU on the vlan interface (assuming
that the network that you are routing to can accept 1518 byte packets), or
only advertise a 1496 byte MTU in your internal network.

On Mon, Dec 5, 2016 at 2:10 PM, Chris Ross <cross+freebsd at distal.com> wrote:

>
> > On Dec 5, 2016, at 11:59, Ryan Stone <rysto32 at gmail.com> wrote:
> >
> > What's the MTU on the bce and vlan interfaces?  Does the bce interface
> show VLAN_MTU option set (in ifconfig)?
>
>   I had manually set these to try to work out the problem earlier in my
> experimentation, but am now back (unless I missed something) to the natural
> MTUs on all interfaces.  The vlan’s all show 1496, and the bce’s (and
> lagg0) show 1500.  The options on each of the bce’s show VLAN_MTU, and a
> few other VLAN_ options.
>
>                             - Chris
>
>
> > On Mon, Dec 5, 2016 at 10:00 AM, Chris Ross <cross+freebsd at distal.com>
> wrote:
> >
> >  Hello all.  I recently replaced my router with a FreeBSD/11 box
> (stable/11 r308579).  I am running a lagg device across two bce’s, and
> 802.1q vlan interfaces atop lagg0.  I’m using pf to NAT/filter out through
> a single outside IP address.
> >
> >  I’m having the following problem.  Some devices appear to be having
> trouble passing traffic.  Of course, I first assumed I was doing something
> wrong with my pf filters, but I believe now that’s not the problem.  One
> client machine (a TiVo Roamio) that produces a failure reliably, so I’ve
> been using it for testing, is showing that during a TCP session, which
> starts up fine, in the middle of a POST operation to an outside server,
> there are 1500 byte packets.  These packets have the DF bit in the IP
> header, and then never show up on the external interface (vlan0).  Smaller
> packets in the same TCP stream do.  But, I’m also not seeing the ICMP from
> the router back to the client telling it that it cannot send the packet.
> >
> >  I have tried all sorts of changes to my pf rules, including now
> allowing all ICMP unconditionally on all interfaces (pass out log quick
> inet proto icmp all).  I have packet traces during the failed communication
> across pflog0, vlan0 (external network) and vlan7 (internal network).  I’d
> be happy to answer any questions, or provide the traces off-list.
> >
> >  Does anyone have any idea what I’ve missed?  Thank you very much for
> your help.
> >
> >                                 - Chris
> >


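As an added illustration (not part of the thread), a small Python model of the forwarding decision Ryan describes: a 1500-byte IP packet with DF set reaching a vlan interface whose MTU is 1496 cannot be fragmented, so the router must drop it and send ICMP "fragmentation needed" carrying the next-hop MTU, and the 1518-byte figure is the tagged frame size on the parent link. The sample IPv4 header, its addresses and the trailing 8 bytes are constructed placeholders.

```python
import struct

ETHER_HDR = 14        # dst MAC + src MAC + ethertype
DOT1Q_TAG = 4         # 802.1Q tag the vlan interface inserts
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4  # "fragmentation needed and DF set" (RFC 1191)

def frame_size(ip_mtu, tagged):
    """Wire size on the parent link (bce/lagg0) of a full-MTU IP packet."""
    return ip_mtu + ETHER_HDR + (DOT1Q_TAG if tagged else 0)

def inet_checksum(data):
    """RFC 1071 one's-complement checksum; yields 0 over a checksummed message."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_header(total_len, df):
    """Constructed sample IPv4 header (no options); addresses are placeholders."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                      0x4000 if df else 0, 64, 6, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def forward_decision(ip_hdr, egress_mtu):
    """What the router must do with this packet on the egress vlan interface."""
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    df = bool(struct.unpack("!H", ip_hdr[6:8])[0] & 0x4000)  # DF flag
    if total_len <= egress_mtu:
        return "forward"
    if not df:
        return "fragment"
    return "drop-and-send-icmp"  # sender learns the path MTU only via ICMP

def frag_needed(next_hop_mtu, offending_hdr_plus8):
    """ICMP type 3 / code 4 the client should have received from the router:
    type(1) code(1) cksum(2) unused(2) next-hop MTU(2) + IP header + 8 bytes."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0,
                       next_hop_mtu) + offending_hdr_plus8
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_frag_needed(msg):
    """Next-hop MTU carried by a valid 'fragmentation needed', else None."""
    if len(msg) < 8 or inet_checksum(msg) != 0:
        return None
    t, c, _, _, mtu = struct.unpack("!BBHHH", msg[:8])
    return mtu if (t, c) == (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED) else None
```

If a trace on the internal vlan shows the 1500-byte DF packets but no type 3 / code 4 reply from the router, the client can never shrink its segments, which is the symptom in the thread.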