Date:      Wed, 13 Jun 2018 10:32:04 -0700
From:      Jeff Kletsky <freebsd@wagsky.com>
To:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject:   Re: In-kernel NAT [ipfw] dropping large UDP return packets
Message-ID:  <918b13e0-aef5-add2-6f5c-530bb5850a3a@wagsky.com>
In-Reply-To: <CAHu1Y71StwG1F1b41vpvBcFzxBZD0_Krm0G1VAGQj-mn+7DqWg@mail.gmail.com>
References:  <a00fd38d-a2d1-fcb5-f46a-03ea3fe4d686@wagsky.com> <CAHu1Y71StwG1F1b41vpvBcFzxBZD0_Krm0G1VAGQj-mn+7DqWg@mail.gmail.com>

On 6/13/18 10:22 AM, Michael Sierchio wrote:

> On Wed, Jun 13, 2018 at 10:16 AM, Jeff Kletsky <freebsd@wagsky.com> wrote:
>
>> When a T-Mobile "femto-cell" is trying to establish its IPv4, IPSEC tunnel
>> to the T-Mobile provisioning servers, the reassembled, 4640-byte return
>> packet is silently dropped by the in-kernel NAT, even though it "matches"
>> the outbound packet from less than 100 ms prior.
>
> Do you have a 'reass' rule before applying nat on inbound traffic?
>
> - M
Yes, at the start of the rule set.

Reassembly confirmed to be working by Wireshark examination of the ngtee "taps" shown:

$ sudo ipfw list
00001 deny ip from any to any recv ng*
00004 ngtee 100 ip from any to any proto udp dst-port 500,4500 in
00004 ngtee 100 ip from any to any proto udp frag in
00004 ngtee 110 ip from any to any proto udp dst-port 500,4500 out
00004 ngtee 110 ip from any to any proto udp frag out
00005 reass ip from any to any
00006 ngtee 101 ip from any to any proto udp dst-port 500,4500 in // reassembled in
00006 ngtee 101 ip from any to any proto udp frag in // never should be frags after reass
00006 ngtee 111 ip from any to any proto udp dst-port 500,4500 out // reass out
00006 ngtee 111 ip from any to any proto udp frag out // never should be frage after reass
[...]
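The ordering question raised above ("is there a reass rule before nat?") can be checked mechanically against `ipfw list` output. This is an added example, not code from the thread; the listing it parses is constructed from the rules shown above plus a hypothetical `nat 1` rule standing in for the rules elided as "[...]". Passing this check is a baseline, not a fix: the thread reports drops even with reass correctly placed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of `ipfw list` output, modelled on the listing in the
# message. The "nat 1 ... via em0" rule is a hypothetical placeholder for the
# NAT rules the original message elides.
SAMPLE_RULES = """\
00001 deny ip from any to any recv ng*
00004 ngtee 100 ip from any to any proto udp dst-port 500,4500 in
00004 ngtee 100 ip from any to any proto udp frag in
00005 reass ip from any to any
00006 ngtee 101 ip from any to any proto udp dst-port 500,4500 in // reassembled in
00100 nat 1 ip from any to any via em0
"""

# rule number, action keyword, remainder of the rule body
RULE_RE = re.compile(r"^(\d{5})\s+(\S+)\s*(.*)$")


def parse_rules(listing: str) -> List[Tuple[int, str, str]]:
    """Return (number, action, body) for each rule line, skipping non-rule text
    such as the '$ sudo ipfw list' prompt line."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules


def first_index(rules: List[Tuple[int, str, str]], action: str) -> Optional[int]:
    """Listing position of the first rule with the given action, or None.
    Position (not rule number) is used because ipfw evaluates rules sharing a
    number in the order they were added, which is the order `ipfw list` prints."""
    for idx, (_, act, _) in enumerate(rules):
        if act == action:
            return idx
    return None


def reass_precedes_nat(listing: str) -> bool:
    """True if there is no nat rule, or a reass rule is evaluated before the
    first nat rule. Fragments reaching nat unreassembled is the failure mode
    the question in the thread is probing."""
    rules = parse_rules(listing)
    nat = first_index(rules, "nat")
    if nat is None:
        return True
    reass = first_index(rules, "reass")
    return reass is not None and reass < nat
```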