pf & NAT issue

Alan Somers asomers at freebsd.org
Fri Jan 20 15:47:45 UTC 2017


On Fri, Jan 20, 2017 at 3:48 AM, Kristof Provost <kp at freebsd.org> wrote:
> On 20 Jan 2017, at 9:35, Bakul Shah wrote:
>>
>> pf seems to drop NAT connections quite a bit. This seems to
>> happen much more frequently if there are delays involved (slow
>> server or interactive use). Almost seems like pf losing
>> track of NATted connections due to an uninitialized
>> variable....  Often a retry or two works. Connecting from
>> outside to forwarded connections to NATTED hosts works fine.
>>
>> This problem started after upgrading to freebsd-10. Is there a
>> bug fix in the works or a known work around (other than using ipfw
>> or reverting to 9, which I don't want to do)?
>>
> The problem you describe doesn’t immediately ring a bell.
>
> We’ll have to gather a bit more information:
>
>  * What FreeBSD version are you running exactly?
>  * What’s your pf.conf?
>  * Can you perform a network capture of rejected/failed connections? Ideally
>    both on LAN and WAN on the gateway machine. Please capture full packets
>    (so tcpdump -s0 -w lan.pcap) as pcap files.
>  * What networking cards are you using?
>
> Regards,
> Kristof

Under heavy load, pf can drop information from its state table.  You
can try increasing state table limits to see if it helps the problem.
Read the "set limits" section of the pf man page.

-Alan
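An added check (not from this thread) for the "set limits" advice above: it parses the output of `pfctl -s info` and `pfctl -s memory` to report how full the state table is against the configured hard limit and whether the `memory` counter (packets pf dropped because it could not allocate state) is already non-zero. The sample pfctl output below is constructed, and the 80% threshold and the "double the limit" suggestion are assumptions, not pf defaults.

```shell
#!/bin/sh
# Report pf state-table usage and state-allocation drops.
# On a live gateway, run:  pf_state_check "$(pfctl -si)" "$(pfctl -sm)" 80
# Args: pfctl -s info output, pfctl -s memory output, warn threshold (percent).
# Exit 0 = healthy, 1 = at/near limit or drops seen, 2 = unparseable input.
pf_state_check() {
    info=$1; mem=$2; thresh=${3:-80}
    # "current entries" under "State Table" in pfctl -s info
    cur=$(printf '%s\n' "$info" | awk '/^ *current entries/ {print $3; exit}')
    # "memory" under "Counters": packets dropped for lack of state memory
    drops=$(printf '%s\n' "$info" | awk '/^ *memory / {print $2; exit}')
    # "states hard limit N" in pfctl -s memory (the "set limit states" value)
    limit=$(printf '%s\n' "$mem" | awk '$1 == "states" && $2 == "hard" {print $4; exit}')
    if [ -z "$cur" ] || [ -z "$limit" ]; then
        echo "could not parse pfctl output" >&2
        return 2
    fi
    pct=$(( cur * 100 / limit ))
    echo "states: $cur/$limit (${pct}%), memory drops: ${drops:-0}"
    if [ "$pct" -ge "$thresh" ] || [ "${drops:-0}" -gt 0 ]; then
        # Assumed remediation: raise the limit in pf.conf (see "set limit" in pf.conf(5)).
        echo "state table near/at limit; consider: set limit states $(( limit * 2 ))" >&2
        return 1
    fi
    return 0
}

# Constructed sample output, trimmed to the lines the check reads.
SAMPLE_INFO='Status: Enabled for 3 days 04:12:09           Debug: Urgent

State Table                          Total             Rate
  current entries                     9800
  searches                        88123456         3310.2/s
Counters
  match                            1234567           45.1/s
  memory                                57            0.0/s'
SAMPLE_MEM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'
```

A non-zero `memory` counter is the direct evidence that pf has been refusing new states, which is the symptom Alan describes; a state table that is merely busy but under the limit will show 0 there.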

