Date:      Wed, 13 Jun 2018 10:22:56 -0700
From:      Michael Sierchio <kudzu@tenebras.com>
To:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>,  "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject:   Re: In-kernel NAT [ipfw] dropping large UDP return packets
Message-ID:  <CAHu1Y71StwG1F1b41vpvBcFzxBZD0_Krm0G1VAGQj-mn%2B7DqWg@mail.gmail.com>
In-Reply-To: <a00fd38d-a2d1-fcb5-f46a-03ea3fe4d686@wagsky.com>
References:  <a00fd38d-a2d1-fcb5-f46a-03ea3fe4d686@wagsky.com>

On Wed, Jun 13, 2018 at 10:16 AM, Jeff Kletsky <freebsd@wagsky.com> wrote:

> When a T-Mobile "femto-cell" is trying to establish its IPv4, IPSEC tunnel
> to the T-Mobile provisioning servers, the reassembled, 4640-byte return
> packet is silently dropped by the in-kernel NAT, even though it "matches"
> the outbound packet from less than 100 ms prior.



Do you have a 'reass' rule before applying nat on inbound traffic?

- M
-- 
"Well," Brahma said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata


