Date:      Sat, 9 Apr 2016 10:12:45 +0100
From:      Dr Josef Karthauser <joe@truespeed.com>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        FreeBSD Stable <stable@freebsd.org>, freebsd-net@freebsd.org
Subject:   IPFW with NAT (breakage with vlanhwtag enabled) Re: IPFW with NAT : Problems with duplicate packets on FreeBSD 10.3-RC3
Message-ID:  <14A44F99-A0A5-4554-B814-C644FBCA5480@truespeed.com>
In-Reply-To: <F5A94B5B-9261-48F3-AD5E-C123EA48324D@truespeed.com>
References:  <A03E136A-7599-4992-9F9E-13E7350F972B@truespeed.com> <20160408154100.E39547@sola.nimnet.asn.au> <F5A94B5B-9261-48F3-AD5E-C123EA48324D@truespeed.com>


> On 8 Apr 2016, at 10:03, Dr Josef Karthauser <joe@truespeed.com> wrote:
> 
>> On 8 Apr 2016, at 06:51, Ian Smith <smithi@nimnet.asn.au> wrote:
>> 
>> On Thu, 7 Apr 2016 17:08:38 +0100, Dr Josef Karthauser wrote:
>> 
>>> Looks like the first packet is being retransmitted, which means that
>>> the nat is probably misconfigured and the TCP connection is broken in
>>> some strange way.
>> 
>>> Does anyone have a clue as to where to look? The ipfw rules are
>>> simple enough - what have I missed?
>> 
>> Do you have TSO enabled on that NIC?  If so, see ipfw(8) BUGS, third
>> last para.  If not, no idea ..

So, disabling TSO did partially fix the problem; at least the
“duplicate data” issue.

However, I’ve now added an https service in the jails (an
haproxy), and that fails a TLS handshake from some hosts.

Bizarrely that problem goes away when I disable hw vlan tag processing
(-vlanhwtag); that seems weird, and perhaps another bug.

The configuration of my machine is as follows:

      vlan10 (on igb0) [public address] <-- [ipfw nat] -> igb1
[private address in a jail on the host, also bound to a physical
network]

Is there any obvious reason why hardware vlan tagging should get in the
way of a NAT session? I can’t think why that would be, but
disabling it definitely fixes the problem.

Joe

-- 
Dr Josef Karthauser
Chief Technical Officer
(01225) 300371 / (07703) 596893
www.truespeed.com <http://www.truespeed.com/>
  / theTRUESPEED <http://www.facebook.com/theTRUESPEED>
  @theTRUESPEED <https://twitter.com/thetruespeed>

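As an added check that is not part of this thread: a POSIX shell script that parses ifconfig(8) output for the offload options the thread and ipfw(8) BUGS associate with broken NAT sessions (TSO4/TSO6 and VLAN_HWTAGGING), so an interface that carries ipfw nat traffic can be audited before connections misbehave. The two ifconfig samples, their hex option words and addresses are constructed; on a live host pass "$(ifconfig igb0)" instead.

```shell
#!/bin/sh
# Constructed ifconfig(8) output for igb0 before any offloads were disabled
# (option words and addresses are illustrative, not captured from a real host).
SAMPLE_BAD='igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:00:5e:00:53:01
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

# Constructed output for the same interface after "ifconfig igb0 -tso -vlanhwtag".
SAMPLE_OK='igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4000bb<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:00:5e:00:53:01
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

# offload_flags <ifconfig-output>: print, space separated and in ifconfig order,
# the option words this thread and ipfw(8) BUGS tie to broken NAT sessions.
offload_flags() {
    printf '%s\n' "$1" |
        sed -n 's/.*options=[0-9a-f]*<\(.*\)>.*/\1/p' |
        tr ',' '\n' |
        grep -E '^(TSO4|TSO6|VLAN_HWTAGGING)$' |
        tr '\n' ' ' | sed 's/ $//'
}

# nat_offload_check <ifname> <ifconfig-output>: return 1 with a report when an
# interface carrying ipfw nat traffic still has those offloads enabled.
nat_offload_check() {
    flags=$(offload_flags "$2")
    if [ -n "$flags" ]; then
        echo "$1: offloads enabled on an ipfw nat interface: $flags"
        echo "  fix: ifconfig $1 -tso -vlanhwtag (persist in rc.conf ifconfig_$1)"
        return 1
    fi
    echo "$1: TSO and hardware VLAN tagging are off"
    return 0
}

# Live use would pass "$(ifconfig igb0)"; here the constructed samples show
# the pre-fix interface failing the check and the corrected one passing.
nat_offload_check igb0 "$SAMPLE_BAD" || :
nat_offload_check igb0 "$SAMPLE_OK"
```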
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?14A44F99-A0A5-4554-B814-C644FBCA5480>