Re: Windows 2008 + AD + PF + bridge = problems?
On Friday 31 July 2009 10:15:56 markham roan wrote:

> A packet capture revealed a number of anomalies. Once the server starts trying to join the domain, we get all sorts of TCP transmission errors, retries, duplicate ACKs etc. In some cases, the public side of the firewall will send an ICMP host-unreachable message for a host which is clearly being BINAT.
>
> I've tinkered with net.inet.ip.intr_queue_maxlen, but it doesn't seem to help. net.inet.ip.intr_queue_drops isn't increasing at a noticeable rate, anyway.
>
> Does anyone have any thoughts and/or advice on where I can go from here?

No experience with the case at hand, but I do see that Vista started to use the IGMP protocol even when there's no obvious need to do so. Given that "allow all" does in fact only allow a handful of IP protocols, excluding IGMP, you may want to investigate whether you're not silently blocking (or not translating) one of the more obscure IP protocols.

-- 
Mel

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Windows 2008 + AD + PF + bridge = problems?
On Mon, Aug 3, 2009 at 5:15 PM, Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net wrote:

> On Friday 31 July 2009 10:15:56 markham roan wrote:
>
>> A packet capture revealed a number of anomalies. Once the server starts trying to join the domain, we get all sorts of TCP transmission errors, retries, duplicate ACKs etc. In some cases, the public side of the firewall will send an ICMP host-unreachable message for a host which is clearly being BINAT.
>>
>> I've tinkered with net.inet.ip.intr_queue_maxlen, but it doesn't seem to help. net.inet.ip.intr_queue_drops isn't increasing at a noticeable rate, anyway.
>>
>> Does anyone have any thoughts and/or advice on where I can go from here?
>
> No experience with the case at hand, but I do see that Vista started to use the IGMP protocol even when there's no obvious need to do so. Given that "allow all" does in fact only allow a handful of IP protocols, excluding IGMP, you may want to investigate whether you're not silently blocking (or not translating) one of the more obscure IP protocols.
>
> -- 
> Mel

This might be way off base, but I had a server that had issues like that and it ended up being the network cable going bad. It would send an ACK, but if you captured the ACK and other packets at the destination server, it would be missing bits. I have personally not had an issue with a pf firewall and Server 2008 joining a 2003 domain, but a network card or cable could cause an issue like that.

What does tcpdump tell you on the firewall when monitoring PF while it joins? What rule(s) is it using when it joins?

-- 
Who knew
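As an added illustration of the two suggestions above (Mel's point that a rule set which looks like "allow all" can still drop IGMP, and the question of which pf rule is actually matching while the join runs), here is a pf.conf fragment. It is example configuration written for this page, not anything posted in the thread. The interface names (em0 public side, em1 server side), the addresses (RFC 1918 and RFC 5737 ranges) and the protocol list in the weak rules are all assumptions; only the binat layout and the "keep state" choice follow the original post.

```pf
# Added example, not from the thread. Assumed layout: the firewall bridges
# em0 (public side, where the Windows 2003 DC at 203.0.113.10 is reached)
# and em1 (where the Windows 2008 server sits at 10.0.0.20). The server is
# BINATed to the public address 203.0.113.20.
ext_if   = "em0"
int_if   = "em1"
srv_priv = "10.0.0.20"
srv_pub  = "203.0.113.20"
dc       = "203.0.113.10"

# Bidirectional translation of the server, as in the original setup.
# Translation happens before filtering, so on $ext_if outbound packets
# are seen with source $srv_pub and inbound packets with destination
# $srv_priv.
binat on $ext_if from $srv_priv to any -> $srv_pub

# Log everything that no pass rule claims. A silently dropped protocol
# then shows up on pflog0 with the number of the rule that dropped it,
# instead of only as retransmissions in a capture on the hosts.
block log all

# WEAK (kept as a comment): reads like "allow all" between the server and
# the DC, but the proto list limits it to TCP, UDP and ICMP. IGMP, or any
# other IP protocol the server emits, falls through to the block rule.
# pass in  quick on $int_if proto { tcp udp icmp } from $srv_priv to $dc keep state
# pass out quick on $int_if proto { tcp udp icmp } from $dc to $srv_priv keep state

# CORRECTED: IGMP gets its own logged rule so its hits are visible in the
# rule counters, and the server/DC rules carry no "proto" restriction, so
# every IP protocol between the two hosts is passed.
pass in  quick log on $int_if proto igmp from $srv_priv to any
pass in  quick on $int_if from $srv_priv to $dc keep state
pass out quick on $int_if from $dc to $srv_priv keep state
pass out quick on $ext_if from $srv_pub to $dc keep state
pass in  quick on $ext_if from $dc to $srv_priv keep state

# Checks to run on the firewall while the join is attempted:
#   tcpdump -n -e -ttt -i pflog0      logged packets, each prefixed with the
#                                     number of the rule that matched it
#   pfctl -vvsr                       rules with their @N numbers and the
#                                     Evaluations/Packets/States counters
#   pfctl -ss | grep 10.0.0.20        state entries created for the server
# These rules assume if_bridge(4) hands packets to pf on the member
# interfaces; confirm with
#   sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge
```

The rule numbers printed on pflog0 answer the "what rule(s) is it using" question directly, and a rising Packets counter on the logged IGMP rule, or matching block entries on pflog0 with the weak rules in place, is the quickest way to confirm or rule out Mel's suggestion before attempting an upgrade.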
Re: Windows 2008 + AD + PF + bridge = problems?
>> Another idea could be giving 7.x a shot as it has newer version of PF IIRC.
>
> That's on the list of things to try, but upgrading will probably be painful, so I'm hoping to find something else first.

Something else you might want to try is to find/install the new PF from source, if you don't want to try a general upgrade.
Windows 2008 + AD + PF + bridge = problems?
Has anyone used Windows 2008 and Active Directory with a bridging, NATing firewall between the domain controller and the 2008 machine? We're in a situation where we're trying to join a domain with a 2008 machine, and no matter what we do to the firewall, joining stalls and fails.

DC: Windows Server 2003
Server: Windows Server 2008
Firewall: FreeBSD 6.1 plus PF

We're doing bidirectional NAT on the clients, so the DC has a real address while the Server has an RFC1918 address. We are explicitly allowing all traffic between the server and the DC, with and later without keeping state. Windows Server 2003 machines behind the firewall join just fine, and Windows 2008 Server machines outside of the firewall join just fine.

A packet capture revealed a number of anomalies. Once the server starts trying to join the domain, we get all sorts of TCP transmission errors, retries, duplicate ACKs etc. In some cases, the public side of the firewall will send an ICMP host-unreachable message for a host which is clearly being BINAT.

I've tinkered with net.inet.ip.intr_queue_maxlen, but it doesn't seem to help. net.inet.ip.intr_queue_drops isn't increasing at a noticeable rate, anyway.

Does anyone have any thoughts and/or advice on where I can go from here?
Re: Windows 2008 + AD + PF + bridge = problems?
> Has anyone used Windows 2008 and Active Directory with a bridging, NATing firewall between the domain controller and the 2008 machine? We're in a situation where we're trying to join a domain with a 2008 machine, and no matter what we do to the firewall, joining stalls and fails.

Haven't used the combination myself, but in a couple of cases MS developer/beta evaluation staff have been quite helpful when the Vista beta got all kinds of funnies when trying to connect to the internet via PF. So giving MS the information on the problems in traffic might (in case you want to help MS to troubleshoot Win2008...) help some.

Another idea could be giving 7.x a shot, as it has a newer version of PF IIRC.

-Reko
Re: Windows 2008 + AD + PF + bridge = problems?
On Fri, Jul 31, 2009 at 2:11 PM, Reko Turja reko.tu...@liukuma.net wrote:

>> Has anyone used Windows 2008 and Active Directory with a bridging, NATing firewall between the domain controller and the 2008 machine? We're in a situation where we're trying to join a domain with a 2008 machine, and no matter what we do to the firewall, joining stalls and fails.
>
> Haven't used the combination myself, but in a couple of cases MS developer/beta evaluation staff have been quite helpful when the Vista beta got all kinds of funnies when trying to connect to the internet via PF. So giving MS the information on the problems in traffic might (in case you want to help MS to troubleshoot Win2008...) help some.

Do you happen to have contact information for this team?

> Another idea could be giving 7.x a shot, as it has a newer version of PF IIRC.

That's on the list of things to try, but upgrading will probably be painful, so I'm hoping to find something else first.

Thanks!
Re: Windows 2008 + AD + PF + bridge = problems?
> Do you happen to have contact information for this team?

Sadly no, I just reported the perceived bug via Vista beta bug reporting (can't remember if that was from the OS itself or from the web), and got a pretty fast reply and a tech-savvy responder from there.

-Reko