Hello, this is FreeBSD 5.4, ipf 3.4.35. I am using ipnat rdr for transparent proxying. The rule is like that: rdr em2 0.0.0.0 port 80 -> 127.0.0.1 8000 tcp
When a client initiates connection from behind the em2 interface, the rule triggers and an active mapping is created. Unfortunately, on the way to the client is a link with smaller MTU. When my proxy sends a full-sized frame (1460 bytes of TCP data), it never reaches the client as PMTUD is on (and DF bit set). A router on the way sends back an ICMP fragmentation needed, but the destination address is the one of the server, not of my proxy. It seems to me that ipnat does not handle those packets. (If it did, it would have to change the destination of the ICMP packet to 127.0.0.1 AND to change the source address/port inside the ICMP packet to 127.0.0.1:8000 in order for the local proxy kernel to process the packet correctly). I can see several retransmissions of the large packet and the connection eventually gets closed. Can someone please confirm that ipnat does not handle those packets, or am I doing something wrong? Thanks in advance, -- Josef
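The rewrite described in the post (outer destination, plus the quoted source address and port inside the ICMP error, with every checksum recomputed), as an added worked example that is not from the post and not IPFilter's own code. The router, server and client addresses, the port numbers and the one-entry rdr table are constructed for the demonstration.

```python
import struct
from ipaddress import ip_address
# Constructed rdr table for "rdr em2 0.0.0.0 port 80 -> 127.0.0.1 8000 tcp": public -> proxy.
RDR = {("198.51.100.5", 80): ("127.0.0.1", 8000)}

def checksum(data):
    """RFC 1071 one's-complement checksum (odd-length data is zero padded)."""
    data = bytes(data) + b"\0" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def fix_csum(buf, off, start, end):
    """Zero the 16-bit checksum field at buf[off] and recompute it over buf[start:end]."""
    buf[off:off + 2] = b"\0\0"
    struct.pack_into("!H", buf, off, checksum(buf[start:end]))

def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header with DF set and a valid checksum."""
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto,
                              0, ip_address(src).packed, ip_address(dst).packed))
    fix_csum(h, 10, 0, 20)
    return bytes(h)

def frag_needed(router, server, client, sport, dport, mtu):
    """Constructed ICMP type 3/code 4 sent to the server, quoting the proxy's DF segment."""
    quoted = ipv4_header(server, client, 6, 1500) + struct.pack("!HHI", sport, dport, 1)
    icmp = bytearray(struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted)
    fix_csum(icmp, 2, 0, len(icmp))
    return ipv4_header(router, server, 1, 20 + len(icmp)) + bytes(icmp)

def untranslate_icmp_error(pkt):
    """Undo the rdr on an ICMP error: outer dst and quoted src/sport -> 127.0.0.1:8000."""
    ihl = (pkt[0] & 0x0F) * 4
    outer, icmp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    if outer[9] != 1 or icmp[0] != 3 or icmp[17] != 6:   # ICMP unreachable quoting TCP only
        return None
    qihl = (icmp[8] & 0x0F) * 4                           # quoted IP header length
    key = (str(ip_address(bytes(icmp[20:24]))), struct.unpack_from("!H", icmp, 8 + qihl)[0])
    if key not in RDR:
        return None                                       # no active mapping for this flow
    local_ip, local_port = RDR[key]
    icmp[20:24] = ip_address(local_ip).packed             # quoted src -> 127.0.0.1
    struct.pack_into("!H", icmp, 8 + qihl, local_port)    # quoted sport -> 8000
    fix_csum(icmp, 18, 8, 8 + qihl)                       # quoted IP header checksum
    fix_csum(icmp, 2, 0, len(icmp))                       # ICMP checksum
    outer[16:20] = ip_address(local_ip).packed            # outer dst -> 127.0.0.1
    fix_csum(outer, 10, 0, ihl)                           # outer IP header checksum
    return bytes(outer + icmp)
```

Without this rewrite the kernel on the proxy host sees an error for a 198.51.100.5:80 flow it does not own, so no socket lowers its path MTU and the DF retransmissions keep failing, which is the behaviour the post reports.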
