Windows 2008 + AD + PF + bridge = problems?

Fri Jul 31 18:36:28 UTC 2009

Has anyone used Windows 2008 and active directory with a bridging, NATing
firewall between the domain controller and the 2008 machine?
We're in a situation where we're trying to join a domain with a 2008
machine, and no matter what we do to the firewall, joining stalls and fails.

DC: Windows Server 2003
Server: Windows Server 2008
Firewall: FreeBSD 6.1 plus PF

We're doing bidirectional NAT on the clients, so the DC has a real address
while the Server has an RFC1918 address.  We are explicitly allowing all
traffic between the server and the DC, with and later without keeping state.
Windows Server 2003 machines behind the firewall join just fine, and
Windows 2008 Server machines outside of the firewall join just fine.

A packet capture revealed a number of anomalies.  Once the server starts
trying to join the domain, we get all sorts of TCP transmission errors,
retries, duplicate ACKs etc.  In some cases, the public side of the firewall
will send an ICMP host-unreachable message for a host which is clearly being

I've tinkered with net.inet.ip.intr_queue_maxlen, but it doesn't seem to
help.  net.inet.ip.intr_queue_drops isn't increasing at a noticeable rate,

Does anyone have any thoughts and/or advice on where I can go from here?
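As an added illustration of the kind of capture anomalies described above (retransmissions and duplicate ACKs), not code from the original poster, the following Python script tallies retransmitted data segments and duplicate ACKs per TCP flow from tcpdump-style text. The sample lines, addresses and ports are constructed for the example and are assumptions, not data from the post; a real run would feed it `tcpdump -nn -tt` output taken on the bridge's member interfaces.

```python
import re
from collections import defaultdict

# Constructed sample shaped like `tcpdump -nn -tt` output. The 10.0.0.20 host
# stands in for the RFC1918-side server and 192.0.2.10 for the DC; both are
# assumed, not from the original post.
SAMPLE_CAPTURE = """\
1249065388.001 IP 10.0.0.20.1032 > 192.0.2.10.445: Flags [S], seq 1000, win 8192, length 0
1249065388.002 IP 192.0.2.10.445 > 10.0.0.20.1032: Flags [S.], seq 5000, ack 1001, win 8192, length 0
1249065388.003 IP 10.0.0.20.1032 > 192.0.2.10.445: Flags [.], ack 5001, win 8192, length 0
1249065388.010 IP 10.0.0.20.1032 > 192.0.2.10.445: Flags [P.], seq 1001:1101, ack 5001, win 8192, length 100
1249065388.210 IP 10.0.0.20.1032 > 192.0.2.10.445: Flags [P.], seq 1001:1101, ack 5001, win 8192, length 100
1249065388.211 IP 192.0.2.10.445 > 10.0.0.20.1032: Flags [.], ack 1101, win 8192, length 0
1249065388.300 IP 192.0.2.10.445 > 10.0.0.20.1032: Flags [P.], seq 5001:6461, ack 1101, win 8192, length 1460
1249065388.301 IP 192.0.2.10.445 > 10.0.0.20.1032: Flags [P.], seq 6461:7921, ack 1101, win 8192, length 1460
1249065388.302 IP 10.0.0.20.1032 > 192.0.2.10.445: Flags [.], ack 5001, win 8192, length 0
1249065388.303 IP 10.0.0.20.1032 > 192.0.2.10.445: Flags [.], ack 5001, win 8192, length 0
1249065388.304 IP 10.0.0.20.1032 > 192.0.2.10.445: Flags [.], ack 5001, win 8192, length 0
"""

# One tcpdump line: timestamp, endpoints, flags, optional seq/ack, window, length.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\],"
    r"(?: seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?,)?"
    r"(?: ack (?P<ack>\d+),)?"
    r" win \d+, length (?P<length>\d+)$"
)


def parse_line(line):
    """Parse one tcpdump-style line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"],
        "dst": d["dst"],
        "flags": d["flags"],
        "seq": int(d["seq"]) if d["seq"] else None,
        "seq_end": int(d["seq_end"]) if d["seq_end"] else None,
        "ack": int(d["ack"]) if d["ack"] else None,
        "length": int(d["length"]),
    }


def analyze_capture(text):
    """Count retransmitted data segments and duplicate ACKs per TCP flow.

    A flow is keyed by its two endpoints regardless of direction. A data
    segment is a retransmission when the same byte range from the same sender
    was already seen. A pure ACK (no payload, no SYN/FIN) is a duplicate when
    it repeats the acknowledgement number of the previous pure ACK from the
    same sender.
    """
    seen_ranges = defaultdict(set)   # (flow, sender) -> {(seq, seq_end)}
    last_ack = {}                    # (flow, sender) -> last pure-ACK number
    stats = defaultdict(lambda: {"retransmissions": 0, "dup_acks": 0})

    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        flow = tuple(sorted((pkt["src"], pkt["dst"])))
        key = (flow, pkt["src"])
        counts = stats[flow]
        if pkt["length"] > 0 and pkt["seq"] is not None:
            rng = (pkt["seq"], pkt["seq_end"])
            if rng in seen_ranges[key]:
                counts["retransmissions"] += 1
            else:
                seen_ranges[key].add(rng)
        elif pkt["ack"] is not None and "S" not in pkt["flags"] and "F" not in pkt["flags"]:
            if last_ack.get(key) == pkt["ack"]:
                counts["dup_acks"] += 1
            last_ack[key] = pkt["ack"]
    return {" <-> ".join(flow): counts for flow, counts in stats.items()}


if __name__ == "__main__":
    for flow, counts in analyze_capture(SAMPLE_CAPTURE).items():
        print(f"{flow}: {counts['retransmissions']} retransmission(s), "
              f"{counts['dup_acks']} duplicate ACK(s)")
```

On the constructed sample the client's 100-byte segment is sent twice and the client answers the two 1460-byte server segments with three ACKs that repeat the acknowledgement number from the handshake, so the script reports one retransmission and three duplicate ACKs for the single flow. Comparing the same counts from captures taken on each side of the bridge shows whether segments are being lost or altered while crossing the firewall rather than before reaching it.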

