Date: Thu, 25 Aug 2016 00:02:01 +1000
From: Carl Hattingh <carl.hattingh@gmail.com>
To: freebsd-net@freebsd.org
Subject: Cannot access a couple websites
Message-ID: <CAEOGyNubamkqoA%2BeF3hkq6RMKZ0Cbk0LCChwyjGs4D16YXdJkg@mail.gmail.com>
Hi

We are experiencing an issue which has me rather stumped.

We are using FreeBSD 10.3-RELEASE-p7 under Hyper-V 2012 R2 as a firewall (pf), and are unable to browse to www.amazon.com and outlook.office365.com under certain circumstances.

The FreeBSD firewall has three interfaces:

hn0: public /30 with default route pointing to telco NTU device
hn1: public /28 allocated from telco
hn2: private /24

NAT is configured on hn0 to nat any outbound traffic to the interface address:

nat on hn0 inet from hn2:network to any -> (hn0)

In this circumstance, all browsing is fine.

However, if we nat outbound traffic to an address in the /28 public range, we are unable to browse to www.amazon.com and outlook.office365.com as two examples. All other sites are fine.

Further, if we add another separate test VM into the /28 public subnet, the same issue occurs. In this situation, no nat is taking place; the firewall is simply routing traffic between the test VM (with a public IP) and the telco link.

We are not seeing any traffic being blocked by the pf firewall; we log all dropped packets with "block return log (all)".

Packet captures show the connection gets up to negotiating the SSL/TLS parameters (server hello, certificate, certificate status), but then various TCP retransmissions and keep-alive packets are sent from the webserver IP, and that's where it just sits until the browser times out.

We are using a kernel with ALTQ enabled, and the issue occurs both when pf queues are configured and unconfigured.

We host a few other services behind this firewall; no issues that we are aware of. Services are natted to addresses in the /28 range.

Toggling scrub on/off also makes no difference.

The telco is not interested; they claim the traceroutes are fine. (We do see return traffic.)

I also tried dropping the MTU on the test VM to 1460 with no luck.

Has anyone got any ideas on what this could be? We'd be grateful for any assistance.
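The pattern described in the message (handshake proceeds while packets are small, then the server's full-size segments are retransmitted and the connection stalls) is the usual signature of a path-MTU black hole somewhere on the path used by the /28 addresses, and lowering the MTU on the test VM cannot rule that out on its own: the client's MTU only shrinks what the client sends, while the segments that go missing here are sent by the server. The standard check on a pf firewall is to clamp the TCP MSS that passes through it, which makes the remote server send smaller segments. The ruleset below is an added example, not the poster's pf.conf; the interface names, the working nat rule and the "block return log (all)" rule are taken from the message, while the addresses, the max-mss value and the pass rules are assumptions, written in the pre-FreeBSD 12 pf syntax that 10.3 uses (scrub, then nat, then filter rules).

```conf
# Added example, not the poster's configuration.
# Interface roles and the nat/block rules come from the message; the
# address, the max-mss value and the pass rules are assumptions.
ext_if  = "hn0"             # public /30 towards the telco NTU device
dmz_if  = "hn1"             # public /28 allocated from the telco
lan_if  = "hn2"             # private /24
nat_addr = "198.51.100.5"   # ASSUMED: an address out of the /28 (documentation range)

# Normalisation. max-mss rewrites the MSS option in every SYN that crosses the
# firewall, so the remote end never sends a segment larger than the path can
# carry. 1440 is an assumed starting point; set it from the ping -D result.
scrub in all max-mss 1440

# Variant 1 (reported working): NAT to the hn0 interface address.
nat on $ext_if inet from $lan_if:network to any -> ($ext_if)

# Variant 2 (reported failing for a few sites): NAT to an address from the /28.
# nat on $ext_if inet from $lan_if:network to any -> $nat_addr

# Default deny, logging every dropped packet as the message describes.
block return log (all)

# Minimal stateful pass rules so the example loads; a production ruleset is
# narrower. The /28 hosts (e.g. the test VM) are routed, not translated.
pass in  on $lan_if inet from $lan_if:network to any keep state
pass in  on $dmz_if inet from $dmz_if:network to any keep state
pass out on $ext_if inet keep state
pass out on $dmz_if inet keep state
```

Validate with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`. To pick the clamp value rather than guess it, run `ping -D -s 1472 www.amazon.com` from the test VM in the /28 (FreeBSD's `-D` sets the Don't Fragment bit; 1472 bytes of payload plus 28 bytes of headers is a 1500-byte packet) and lower `-s` until replies come back; the largest payload that passes plus 28 is the path MTU, and the MSS to clamp to is that MTU minus 40. If 1472 already passes from a /28 address, the path carries full-size packets and the MTU is not the cause, which narrows the search to how traffic sourced from the /28 is treated upstream; both NAT variants and the routed test VM share exactly that property.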