Large scale NAT with PF - some weird problem
Ian FREISLICH
ian.freislich at capeaugusta.com
Tue Jun 23 07:50:09 UTC 2015
Milan Obuch wrote:
> As a first step, I did small upgrade, so now I run FreeBSD 9.3-STABLE
> #0 r284695: Mon Jun 22 08:55:29 CEST 2015.
>
> I still see the issue, but I found simpler workaround when a bad state
> occurs - using
>
> pfctl -k <ip.of.affected.client>
> pfctl -K <ip.of.affected.client>
>
> in this order seems to remedy the issue for this one affected client
> without affecting other clients. This still does not solve the problem,
> just eases the reaction.
How is your NAT rule defined? I had a closer look at the way I did it:
nat on vlan46 from 10.8.0.0/15 to !<on-our-net> -> xx.xx.xx.xx/24 round-robin sticky-address
I think you may be missing the "round-robin" that spreads the mapping
over your pool. The manual says that when more than 1 address is
specified, round-robin is the only pool type allowed; it does not
say that when more than 1 address is specified this is the default
pool option.
You can check your state table to see if it is indeed round-robin.
#pfctl -s sta |grep " ("
...
all tcp a.b.c.d:53802 (10.0.0.220:42808) -> 41.246.55.66:24 ESTABLISHED:ESTABLISHED
all tcp a.b.c.e:60794 (10.0.0.38:47825) -> 216.58.223.10:443 ESTABLISHED:FIN_WAIT_2
If all your addresses "a.b.c.X" are the same, it's not round-robin
and that's your problem.
Ian
--
Ian Freislich
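As an added illustration of the state-table check described above (example code, not from the thread or from pf itself): a small Python parser for the "pfctl -s state" line format shown in the mail that counts how many distinct pool addresses are in use and, since the rule above uses sticky-address, whether any client has been mapped to more than one pool address. The sample lines are constructed, the pool and client addresses are placeholders, and only IPv4 tcp/udp NAT states are parsed.

```python
"""Check whether pf NAT is actually spreading clients across the pool."""
import re
from collections import defaultdict

# Matches NAT'd state lines of the form shown in the mail:
#   all tcp a.b.c.d:53802 (10.0.0.220:42808) -> 41.246.55.66:24 ESTABLISHED:ESTABLISHED
# The parenthesised part is the original (pre-NAT) source; states without it are skipped.
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<xlat_ip>[0-9.]+):(?P<xlat_port>\d+)\s+"
    r"\((?P<orig_ip>[0-9.]+):(?P<orig_port>\d+)\)\s+->\s+"
    r"(?P<dst_ip>[0-9.]+):(?P<dst_port>\d+)\s+(?P<state>\S+)"
)

def parse_nat_states(text):
    """Return (original_client_ip, translated_pool_ip) pairs for NAT'd states."""
    pairs = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            pairs.append((m.group("orig_ip"), m.group("xlat_ip")))
    return pairs

def pool_usage(pairs):
    """Map each pool (translated) address to the set of internal clients behind it."""
    usage = defaultdict(set)
    for orig, xlat in pairs:
        usage[xlat].add(orig)
    return dict(usage)

def is_round_robin(pairs):
    """True when more than one pool address appears in the state table."""
    return len(pool_usage(pairs)) > 1

def sticky_violations(pairs):
    """Clients mapped to more than one pool address (should be empty with sticky-address)."""
    per_client = defaultdict(set)
    for orig, xlat in pairs:
        per_client[orig].add(xlat)
    return {c: p for c, p in per_client.items() if len(p) > 1}

# Constructed sample in the same shape as the pfctl output quoted in the mail.
SAMPLE = """\
all tcp 203.0.113.4:53802 (10.0.0.220:42808) -> 198.51.100.66:24 ESTABLISHED:ESTABLISHED
all tcp 203.0.113.5:60794 (10.0.0.38:47825) -> 198.51.100.10:443 ESTABLISHED:FIN_WAIT_2
all udp 203.0.113.4:40001 (10.0.0.220:5353) -> 198.51.100.53:53 MULTIPLE:SINGLE
all tcp 10.0.0.7:22 <- 192.0.2.9:55011 ESTABLISHED:ESTABLISHED
"""

if __name__ == "__main__":
    states = parse_nat_states(SAMPLE)
    for xlat, clients in sorted(pool_usage(states).items()):
        print(f"{xlat}: {len(clients)} client(s) {sorted(clients)}")
    print("round-robin in effect" if is_round_robin(states) else "all states share one address")
    print("sticky violations:", sticky_violations(states))
```

On a live box, feed it the real output with something like `pfctl -s state | python3 check_pool.py` after replacing SAMPLE with sys.stdin.read().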