From owner-freebsd-pf@FreeBSD.ORG  Tue May 20 21:09:24 2008
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C3B54106566B
	for <freebsd-pf@freebsd.org>; Tue, 20 May 2008 21:09:24 +0000 (UTC)
	(envelope-from reinhard.haller@interactive-net.de)
Received: from moutng.kundenserver.de (moutng.kundenserver.de
	[212.227.126.171])
	by mx1.freebsd.org (Postfix) with ESMTP id 646228FC1D
	for <freebsd-pf@freebsd.org>; Tue, 20 May 2008 21:09:24 +0000 (UTC)
	(envelope-from reinhard.haller@interactive-net.de)
Received: from interactive.dnsalias.net
	(ppp-88-217-9-179.dynamic.mnet-online.de [88.217.9.179])
	by mrelayeu.kundenserver.de (node=mrelayeu6) with ESMTP (Nemesis)
	id 0ML29c-1JyYt543Uv-0004dG; Tue, 20 May 2008 22:56:48 +0200
Received: from fs-inter.interactive.de ([192.168.0.1])
	by interactive.dnsalias.net with smtp (Exim 4.69 (FreeBSD))
	(envelope-from <reinhard.haller@interactive-net.de>)
	id 1JyYt3-000IRr-LP
	for freebsd-pf@freebsd.org; Tue, 20 May 2008 22:56:45 +0200
Received: from [192.168.0.196] (core2duo.interactive.de [192.168.0.196])
	by fs-inter.interactive.de; Tue, 20 May 2008 22:59:12 +0200
Message-ID: <48333B05.9090203@interactive-net.de>
Date: Tue, 20 May 2008 22:56:37 +0200
From: Reinhard Haller <reinhard.haller@interactive-net.de>
User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
X-ACL-rcpt: freebsd-pf@freebsd.org
X-ACL-Send: reinhard.haller@interactive-net.de
X-Provags-ID: V01U2FsdGVkX19XqEXIcqnIJR1YCszPfhzBsWpTPXTq5QB3E/j
	TJqXOrhK1xaViqW2btfiZB8eEKxPNxxYjHTSZhR1HxodtNgtL3
	TBDgBHL1yFwoOxiszTEEkWbbm4tU5rI6M30BzqirxBBjDAWvFs yNw==
Subject: NAT problem with pppoe
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 20 May 2008 21:09:24 -0000

Hi,

I suspect pf is caching invalid outdated dynamic addresses. After this 
happens, all requests
sent from internal hosts are sent with the previous dynamic address as 
source address and
are ignored by our provider. Requests sent directly from our pf-box use 
the new dynamic
address as expected.

/etc/pf.conf

ext_if="tun0"
external_net="!192.168.0.0/16"

nat on $ext_if from !($ext_if) -> ($ext_if)

anchor portupgrade out on $ext_if
pass out on $ext_if from ($ext_if) to $external_net tagged FORWARD
pass quick proto { tcp, udp } from $dns_server to <dnsServer> port 
domain tag FORWARD

the anchor portupgrade is filled with the ppp-linkup script (DNS0/1)

pass quick inet proto udp from (tun0) to 212.18.3.5 port = domain keep 
state

Sending HUP to ppp does'nt eliminate the problem, pfctl -d/-e and a 
restart of the
internal server solve it.

The pf-box uses freebsd 7.0 stable, usermode-ppp is used to connect with 
the provider.

Any suggestions?

Thanks
Reinhard