Date:      Wed, 24 Aug 2016 08:27:12 -0700
From:      Lee Brown <leeb@ratnaling.org>
To:        freebsd-net@freebsd.org
Subject:   Re: Cannot access a couple websites
Message-ID:  <CAFPNf5-uit3DsYrN+LFsegvTYw-orkVqymh1AgTMkmPV3k7B+w@mail.gmail.com>
In-Reply-To: <CAEOGyNubamkqoA+eF3hkq6RMKZ0Cbk0LCChwyjGs4D16YXdJkg@mail.gmail.com>
References:  <CAEOGyNubamkqoA+eF3hkq6RMKZ0Cbk0LCChwyjGs4D16YXdJkg@mail.gmail.com>

Probably not at all related, but I had a similar problem: YouTube
worked fine, but CNN would get partial page loads, through a box
NATing a public IP.

The culprit for me was that the MTU was wrong.  I had FreeBSD in a Xen VM,
using the FreeBSD xn driver with VLANs.  When I used VLANs on
that driver it changed the MTU (the manpage does warn of this) from 1500
to 1496.  What I was seeing was ICMP need-to-fragment packets sent
from the FreeBSD box, which the Linux router upstream just dropped.

The fix for me was to create the VLAN in Xen, so the MTU was correct,
and access the NIC as a non-VLAN NIC within the VM.
Traceroute worked, pings worked, PCs were OK on some sites, 'droids all failed.

On Wed, Aug 24, 2016 at 7:02 AM, Carl Hattingh <carl.hattingh@gmail.com> wrote:
> Hi
>
> We are experiencing an issue which has me rather stumped.  We are using
> FreeBSD 10.3-RELEASE-p7 under Hyper-V 2012 R2 as a firewall (pf), and are
> unable to browse to www.amazon.com and outlook.office365.com under certain
> circumstances.
>
> The FreeBSD firewall has three interfaces:
>
> hn0: public /30 with default route pointing to telco NTU device
> hn1: public /28 allocated from telco
> hn2: private /24
>
> NAT is configured on hn0 to nat any outbound traffic to the interface
> address:
>
> nat on hn0 inet from hn2:network to any -> (hn0)
>
> In this circumstance, all browsing is fine.
>
> However, if we nat outbound traffic to an address in the /28 public range,
> we are unable to browse to www.amazon.com and outlook.office365.com as two
> examples.  All other sites are fine.
> Further, if we add another separate test VM into the /28 public subnet, the
> same issue occurs.  In this situation, no nat is taking place, the firewall
> is simply routing traffic between the test vm (with a public IP) and the
> telco link.
>
> We are not seeing any traffic being blocked by the pf firewall; we log all
> dropped packets with "block return log (all)"
>
> Packet captures show the connection get up to negotiating the SSL/TLS
> parameters (server hello, certificate, certificate status) but then various
> TCP retransmissions and keep alive packets are sent from the webserver IP,
> and that's where it just sits until the browser times out.
>
> We are using a kernel with ALTQ enabled, and the issue occurs both when pf
> queues are configured and unconfigured.  We host a few other services
> behind this firewall;  no issues that we are aware of.  Services are natted
> to addresses in the /28 range.
>
> Toggling scrub on/off also makes no difference.
>
> The telco is not interested;  they claim the traceroutes are fine.  (we do
> see return traffic)
>
> I also tried dropping the MTU on the test VM to 1460 with no luck.
>
> Has anyone got any ideas on what this could be?  We'd be grateful for any
> assistance.
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"