> On 8 Apr 2016, at 10:03, Dr Josef Karthauser <j...@truespeed.com> wrote:
> 
>> On 8 Apr 2016, at 06:51, Ian Smith <smi...@nimnet.asn.au> wrote:
>> 
>> On Thu, 7 Apr 2016 17:08:38 +0100, Dr Josef Karthauser wrote:
>> 
>>> Looks like the first packet is being retransmitted, which means that 
>>> the nat is probably misconfigured and the TCP connection is broken in
>>> some strange way.
>> 
>>> Does anyone have a clue as to where to look? The ipfw rules are
>>> simple enough - what have I missed?
>> 
>> Do you have TSO enabled on that NIC?  If so, see ipfw(8) BUGS, third 
>> last para.  If not, no idea ..

So, disabling TSO did partially fix the problem; at least the “duplicate data” 
issue.

However, I’ve now added an https service in the jails (an haproxy), and that 
fails a TLS handshake from some hosts.

Bizarrely that problem goes away when I disable hw vlan tag processing 
(-vlanhwtag); that seems weird, and perhaps another bug.

The configuration of my machine is as follows:

      vlan10 (on igb0) [public address] <— [ipfw nat] -> igb1 [private address 
in a jail on the host, also bound to a physical network]

Is there any obvious reason why hardware vlan tagging should get in the way of 
a NAT session? I can’t think why that would be, but disabling it definitely 
fixes the problem.

Joe

— 
Dr Josef Karthauser
Chief Technical Officer
(01225) 300371 / (07703) 596893
www.truespeed.com <http://www.truespeed.com/>
theTRUESPEED <http://www.facebook.com/theTRUESPEED>
@theTRUESPEED <https://twitter.com/thetruespeed>
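The two workarounds in this thread (disabling TSO per the ipfw(8) BUGS note, and disabling hardware VLAN tagging) are both per-interface offload settings that are easy to lose track of across reboots. The following shell script is an added example, not code from the thread or from the FreeBSD project: it parses ifconfig(8) output for an interface that carries ipfw nat traffic, reports which of the offload features named here (the `TSO4`, `TSO6` and `VLAN_HWTAGGING` option names ifconfig prints) are still enabled, and prints, without executing, the `ifconfig -tso` / `ifconfig -vlanhwtag` commands that would clear them. The ifconfig output embedded below is constructed for the example and is not captured from the poster's host.

```shell
#!/bin/sh
# Added example (not from the original thread): report whether a NIC used for
# ipfw nat still has the offload features this thread found to interfere
# (TSO and hardware VLAN tagging) enabled, and show how to turn them off.

# Constructed ifconfig(8) output for an igb interface; assumption: the
# "options=<hex><NAMES>" line format FreeBSD's ifconfig prints.
SAMPLE_IFCONFIG='igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
    ether 00:00:00:00:00:01
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active'

# risky_offloads <ifconfig-output>
# Prints, one per line, each offload feature the thread identified as
# problematic under ipfw nat that is present in the options=<...> list.
# Returns 0 if at least one is enabled, 1 if none is.
risky_offloads() {
    opts=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*options=[0-9a-fA-F]*<\(.*\)>.*/\1/p' \
        | head -n 1)
    found=1
    for feat in TSO4 TSO6 VLAN_HWTAGGING; do
        case ",$opts," in
            *",$feat,"*) printf '%s\n' "$feat"; found=0 ;;
        esac
    done
    return $found
}

# fix_commands <ifname> <feature...>
# Prints the ifconfig command that disables each feature. The commands are
# printed rather than run, so the script is safe to execute as-is; the
# -tso and -vlanhwtag flags are the ones discussed in the thread.
fix_commands() {
    ifn=$1; shift
    for feat in "$@"; do
        case $feat in
            TSO4|TSO6)      printf 'ifconfig %s -tso\n' "$ifn" ;;
            VLAN_HWTAGGING) printf 'ifconfig %s -vlanhwtag\n' "$ifn" ;;
        esac
    done | sort -u
}

# Stand-alone usage on the constructed sample. On a real host you would
# replace SAMPLE_IFCONFIG with "$(ifconfig igb0)".
if risky_offloads "$SAMPLE_IFCONFIG" >/dev/null; then
    echo "igb0 still has offloads enabled that can break ipfw nat:"
    risky_offloads "$SAMPLE_IFCONFIG"
    echo "to disable them:"
    fix_commands igb0 $(risky_offloads "$SAMPLE_IFCONFIG")
fi
```

To make the change persistent, the same flags go into the interface's `ifconfig_igb0` line in rc.conf; the script above only reports and prints, it does not modify the interface.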
 

_______________________________________________
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
