From: Dr Josef Karthauser
To: Ian Smith
Cc: FreeBSD Stable, freebsd-net@freebsd.org
Date: Sat, 9 Apr 2016 10:12:45 +0100
Subject: IPFW with NAT (breakage with vlanhwtag enabled) Re: IPFW with NAT : Problems with duplicate packets on FreeBSD 10.3-RC3
Message-Id: <14A44F99-A0A5-4554-B814-C644FBCA5480@truespeed.com>
References: <20160408154100.E39547@sola.nimnet.asn.au>

> On 8 Apr 2016, at 10:03, Dr Josef Karthauser wrote:
> 
>> On 8 Apr 2016, at 06:51, Ian Smith wrote:
>> 
>> On Thu, 7 Apr 2016 17:08:38 +0100, Dr Josef Karthauser wrote:
>> 
>>> Looks like the first packet is being retransmitted, which means that
>>> the nat is probably misconfigured and the TCP connection is broken in
>>> some strange way.
>> 
>>> Does anyone have a clue as to where to look? The ipfw rules are
>>> simple enough - what have I missed?
>> 
>> Do you have TSO enabled on that NIC? If so, see ipfw(8) BUGS, third
>> last para. If not, no idea ..

So, disabling TSO did partially fix the problem; at least the “duplicate data” issue.

However, I’ve now added an https service in the jails (an haproxy), and that fails a TLS handshake from some hosts.

Bizarrely, that problem goes away when I disable hw vlan tag processing (-vlanhwtag); that seems weird, and perhaps another bug.

The configuration of my machine is as follows:

vlan10 (on igb0) [public address] <— [ipfw nat] -> igb1 [private address in a jail on the host, also bound to a physical network]

Is there any obvious reason why hardware vlan tagging should get in the way of a NAT session? I can’t think why that would be, but disabling it definitely fixes the problem.

Joe
—
Dr Josef Karthauser
Chief Technical Officer
(01225) 300371 / (07703) 596893
www.truespeed.com / theTRUESPEED
@theTRUESPEED