Some sites cannot be browsed behind NAT

k simon chio1990 at gmail.com
Tue May 6 21:19:48 PDT 2014


Hi, List,

  I have just worked around it by setting
"scrub in on $REQ_IF max-mss 1360
scrub out on $RESPOND_IF max-mss 1360"
 in pf.conf. Though the sites can now be browsed, tcpdump showed a lot
of "tcp retransmission" and "dup ack". I am puzzled by the different
behaviours of dfly compared to freebsd and linux. PAWS? aggregate_acks?? Does
some doc exist that explains the differences between tcp implementations or
the sysctl mibs about tcp?



Regards
Simon






On 14-5-5 18:11, k simon wrote:
> 
> Hi, List,
>    Yesterday I migrated one haproxy box from FreeBSD to DflyBSD, then some
> clients reported that they could not browse some sites. After some investigation,
> I found these clients are behind some NAT box or behind a firewall; the
> other clients without nat have no issue.
>    Then I modified the pf.conf with "scrub out on $RESPOND_IF max-mss
> 1400", and I tried setting the mssdflt or enabling PMTU, but nothing
> helped. tcpdump shows
> 
> 02:04:37.736802 IP 221.235.187.76.80 > 192.168.108.16.52433: Flags [S.],
> seq 1060181879, ack 1461664647, win 32768, options [mss 1400], length 0
> 02:04:38.108258 IP 116.211.123.216.80 > 192.168.108.16.38589: Flags
> [S.], seq 173104871, ack 3175683181, win 32768, options [mss 1400], length 0
> 02:04:38.145912 IP 123.58.176.224.80 > 192.168.108.16.55675: Flags [S.],
> seq 3825658113, ack 2801603669, win 32768, options [mss 1400], length 0
> 02:04:38.145942 IP 220.181.8.27.80 > 192.168.108.16.59883: Flags [S.],
> seq 918876111, ack 1103954263, win 32768, options [mss 1400], length 0
> 02:04:38.146083 IP 116.211.118.34.80 > 192.168.108.16.58487: Flags [S.],
> seq 3760967127, ack 2050207109, win 32768, options [mss 1400], length 0
> 02:04:38.146084 IP 116.211.123.225.80 > 192.168.108.16.38705: Flags
> [S.], seq 486747537, ack 3978733903, win 32768, options [mss 1400], length 0
> 02:04:38.146182 IP 116.211.123.225.80 > 192.168.108.16.38706: Flags
> [S.], seq 3914276862, ack 930057259, win 32768, options [mss 1400], length 0
> 02:04:38.146332 IP 61.183.42.150.80 > 192.168.108.16.52172: Flags [S.],
> seq 752539209, ack 2217414361, win 32768, options [mss 1400], length 0
> 02:04:38.146612 IP 221.235.187.76.80 > 192.168.108.16.52433: Flags [.],
> ack 664, win 32917, length 0
> 02:04:38.154915 IP 221.235.187.76.80 > 192.168.108.16.52441: Flags [S.],
> seq 4210760199, ack 2227559102, win 32768, options [mss 1400], length 0
> 02:04:38.182455 IP 117.21.179.38.80 > 192.168.108.16.34394: Flags [S.],
> seq 375928677, ack 966252891, win 32768, options [mss 1400], length 0
> 02:04:38.209605 IP 221.235.187.76.80 > 192.168.108.16.52433: Flags [.],
> seq 1:1461, ack 664, win 33580, length 1460
> 02:04:38.209610 IP 221.235.187.76.80 > 192.168.108.16.52433: Flags [P.],
> seq 1461:1728, ack 664, win 33580, length 267
> 02:04:38.209918 IP 221.235.187.76.80 > 192.168.108.16.52433: Flags [.],
> seq 1728:3188, ack 664, win 33580, length 1460
> 02:04:38.210901 IP 221.235.187.76.80 > 192.168.108.16.52433: Flags [.],
> seq 3188:4648, ack 664, win 33580, length 1460
> 02:04:38.210911 IP 221.235.187.76.80 > 192.168.108.16.52433: Flags
> [FP.], seq 4648:5799, ack 664, win 33580, length 1151
> 02:04:38.212422 IP 221.235.187.76.80 > 192.168.108.16.52433: Flags [.],
> ack 665, win 33580, length 0
> 02:04:38.226759 IP 116.211.123.225.80 > 192.168.108.16.38693: Flags [.],
> ack 671, win 33248, length 0
> 02:04:38.228104 IP 116.211.123.225.80 > 192.168.108.16.38693: Flags [.],
> seq 12030:13490, ack 671, win 33580, length 1460
> 02:04:38.228109 IP 116.211.123.225.80 > 192.168.108.16.38693: Flags [.],
> seq 13490:14950, ack 671, win 33580, length 1460
> 02:04:38.228114 IP 116.211.123.225.80 > 192.168.108.16.38693: Flags
> [P.], seq 14950:16182, ack 671, win 33580, length 1232
> 02:04:38.229573 IP 116.211.123.225.80 > 192.168.108.16.38694: Flags [.],
> ack 1006, win 33249, length 0
> 02:04:38.229592 IP 116.211.123.225.80 > 192.168.108.16.38675: Flags [.],
> ack 1368, win 33255, length 0
> 02:04:38.230891 IP 116.211.123.225.80 > 192.168.108.16.38675: Flags [.],
> seq 16798:18258, ack 1368, win 33580, length 1460
> 02:04:38.230896 IP 116.211.123.225.80 > 192.168.108.16.38675: Flags
> [P.], seq 18258:18783, ack 1368, win 33580, length 525
> 02:04:38.238474 IP 221.235.187.76.80 > 192.168.108.16.52400: Flags [.],
> ack 2021, win 33255, length 0
> 02:04:38.239942 IP 119.97.146.47.80 > 192.168.108.16.44877: Flags [.],
> ack 3069, win 33245, length 0
> 02:04:38.240068 IP 221.235.187.76.80 > 192.168.108.16.52400: Flags [.],
> seq 40066:41526, ack 2021, win 33580, length 1460
> 02:04:38.240070 IP 221.235.187.76.80 > 192.168.108.16.52400: Flags [.],
> seq 41526:42986, ack 2021, win 33580, length 1460
> 02:04:38.240073 IP 221.235.187.76.80 > 192.168.108.16.52400: Flags [P.],
> seq 42986:43548, ack 2021, win 33580, length 562
> 02:04:38.240984 IP 119.97.146.47.80 > 192.168.108.16.44877: Flags [.],
> seq 65226:66686, ack 3069, win 33580, length 1460
> 02:04:38.240989 IP 119.97.146.47.80 > 192.168.108.16.44877: Flags [P.],
> seq 66686:67498, ack 3069, win 33580, length 812
> 02:04:38.241401 IP 221.235.187.76.80 > 192.168.108.16.52412: Flags [.],
> ack 4028, win 33250, length 0
> 
>    How can I dig deeper into the issue and resolve it?
> 
> P.S.
> I tried setting the "bind mss" parameter in the haproxy configuration, but it
> reported that it is not supported on dfly.
> 
> 
> 
> Regards
> Simon
> 
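
Added example (not part of the original post): a Python sketch that reads tcpdump one-line output and lists each direction whose largest payload exceeds a chosen clamp, next to the MSS the receiving side advertised, since a TCP sender is bounded by the MSS option it received rather than the one it sent. The sample lines are constructed with documentation addresses; the client SYN line is an assumption, as the quoted capture shows only server-to-client packets.

```python
import re

# Constructed sample in tcpdump's one-line format (documentation addresses).
SAMPLE = """\
02:04:37.700000 IP 192.0.2.16.52433 > 198.51.100.10.80: Flags [S], seq 1461664646, win 65535, options [mss 1460], length 0
02:04:37.736802 IP 198.51.100.10.80 > 192.0.2.16.52433: Flags [S.], seq 1060181879, ack 1461664647, win 32768, options [mss 1400], length 0
02:04:38.209605 IP 198.51.100.10.80 > 192.0.2.16.52433: Flags [.], seq 1:1461, ack 664, win 33580, length 1460
02:04:38.209610 IP 198.51.100.10.80 > 192.0.2.16.52433: Flags [P.], seq 1461:1728, ack 664, win 33580, length 267
"""

LINE = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]+)\].*?length (\d+)")
MSS = re.compile(r"\bmss (\d+)")


def summarize(capture):
    """Per direction (src, dst): MSS advertised by src and largest payload sent."""
    flows = {}
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # skip lines that are not TCP packet summaries
        src, dst, flags, length = m.group(1), m.group(2), m.group(3), int(m.group(4))
        d = flows.setdefault((src, dst), {"adv_mss": None, "max_len": 0})
        mss = MSS.search(line)
        if "S" in flags and mss:  # the MSS option is only carried on SYN / SYN-ACK
            d["adv_mss"] = int(mss.group(1))
        d["max_len"] = max(d["max_len"], length)
    return flows


def over_clamp(capture, clamp):
    """Directions whose largest payload exceeds `clamp`, with the MSS the
    receiver advertised (None if its SYN is not in the capture)."""
    flows = summarize(capture)
    hits = []
    for (src, dst), d in sorted(flows.items()):
        if d["max_len"] > clamp:
            peer_mss = flows.get((dst, src), {}).get("adv_mss")
            hits.append((src, dst, d["max_len"], peer_mss))
    return hits


if __name__ == "__main__":
    for src, dst, max_len, peer_mss in over_clamp(SAMPLE, 1400):
        print(f"{src} -> {dst}: payload {max_len} > 1400 (receiver advertised {peer_mss})")
```

Feed it the text output of `tcpdump -n` captured on each interface, with the clamp set to the `max-mss` value from pf.conf, to see in which direction the clamp is not taking effect.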