Some sites cannot be browsed behind NAT

k simon chio1990 at gmail.com
Mon May 5 03:11:24 PDT 2014


Hi, List,
  Yesterday I migrated one haproxy box from FreeBSD to DflyBSD, then some
clients reported that they cannot browse some sites. After some investigation,
I found these clients are behind some NAT box or behind a firewall; the
other clients without NAT have no issue.
  Then I modified the pf.conf with "scrub out on $RESPOND_IF max-mss
1400", and I tried setting the mssdflt or enabling PMTU, but nothing
helped. tcpdump shows:

02:04:37.736802 IP 221.235.187.76.80 > 192.168.108.16.52433: Flags [S.],
seq 1060181879, ack 1461664647, win 32768, options [mss 1400], length 0
02:04:38.108258 IP 116.211.123.216.80 > 192.168.108.16.38589: Flags
[S.], seq 173104871, ack 3175683181, win 32768, options [mss 1400], length 0
02:04:38.145912 IP 123.58.176.224.80 > 192.168.108.16.55675: Flags [S.],
seq 3825658113, ack 2801603669, win 32768, options [mss 1400], length 0
02:04:38.145942 IP 220.181.8.27.80 > 192.168.108.16.59883: Flags [S.],
seq 918876111, ack 1103954263, win 32768, options [mss 1400], length 0
02:04:38.146083 IP 116.211.118.34.80 > 192.168.108.16.58487: Flags [S.],
seq 3760967127, ack 2050207109, win 32768, options [mss 1400], length 0
02:04:38.146084 IP 116.211.123.225.80 > 192.168.108.16.38705: Flags
[S.], seq 486747537, ack 3978733903, win 32768, options [mss 1400], length 0
02:04:38.146182 IP 116.211.123.225.80 > 192.168.108.16.38706: Flags
[S.], seq 3914276862, ack 930057259, win 32768, options [mss 1400], length 0
02:04:38.146332 IP 61.183.42.150.80 > 192.168.108.16.52172: Flags [S.],
seq 752539209, ack 2217414361, win 32768, options [mss 1400], length 0
02:04:38.146612 IP 221.235.187.76.80 > 192.168.108.16.52433: Flags [.],
ack 664, win 32917, length 0
02:04:38.154915 IP 221.235.187.76.80 > 192.168.108.16.52441: Flags [S.],
seq 4210760199, ack 2227559102, win 32768, options [mss 1400], length 0
02:04:38.182455 IP 117.21.179.38.80 > 192.168.108.16.34394: Flags [S.],
seq 375928677, ack 966252891, win 32768, options [mss 1400], length 0
02:04:38.209605 IP 221.235.187.76.80 > 192.168.108.16.52433: Flags [.],
seq 1:1461, ack 664, win 33580, length 1460
02:04:38.209610 IP 221.235.187.76.80 > 192.168.108.16.52433: Flags [P.],
seq 1461:1728, ack 664, win 33580, length 267
02:04:38.209918 IP 221.235.187.76.80 > 192.168.108.16.52433: Flags [.],
seq 1728:3188, ack 664, win 33580, length 1460
02:04:38.210901 IP 221.235.187.76.80 > 192.168.108.16.52433: Flags [.],
seq 3188:4648, ack 664, win 33580, length 1460
02:04:38.210911 IP 221.235.187.76.80 > 192.168.108.16.52433: Flags
[FP.], seq 4648:5799, ack 664, win 33580, length 1151
02:04:38.212422 IP 221.235.187.76.80 > 192.168.108.16.52433: Flags [.],
ack 665, win 33580, length 0
02:04:38.226759 IP 116.211.123.225.80 > 192.168.108.16.38693: Flags [.],
ack 671, win 33248, length 0
02:04:38.228104 IP 116.211.123.225.80 > 192.168.108.16.38693: Flags [.],
seq 12030:13490, ack 671, win 33580, length 1460
02:04:38.228109 IP 116.211.123.225.80 > 192.168.108.16.38693: Flags [.],
seq 13490:14950, ack 671, win 33580, length 1460
02:04:38.228114 IP 116.211.123.225.80 > 192.168.108.16.38693: Flags
[P.], seq 14950:16182, ack 671, win 33580, length 1232
02:04:38.229573 IP 116.211.123.225.80 > 192.168.108.16.38694: Flags [.],
ack 1006, win 33249, length 0
02:04:38.229592 IP 116.211.123.225.80 > 192.168.108.16.38675: Flags [.],
ack 1368, win 33255, length 0
02:04:38.230891 IP 116.211.123.225.80 > 192.168.108.16.38675: Flags [.],
seq 16798:18258, ack 1368, win 33580, length 1460
02:04:38.230896 IP 116.211.123.225.80 > 192.168.108.16.38675: Flags
[P.], seq 18258:18783, ack 1368, win 33580, length 525
02:04:38.238474 IP 221.235.187.76.80 > 192.168.108.16.52400: Flags [.],
ack 2021, win 33255, length 0
02:04:38.239942 IP 119.97.146.47.80 > 192.168.108.16.44877: Flags [.],
ack 3069, win 33245, length 0
02:04:38.240068 IP 221.235.187.76.80 > 192.168.108.16.52400: Flags [.],
seq 40066:41526, ack 2021, win 33580, length 1460
02:04:38.240070 IP 221.235.187.76.80 > 192.168.108.16.52400: Flags [.],
seq 41526:42986, ack 2021, win 33580, length 1460
02:04:38.240073 IP 221.235.187.76.80 > 192.168.108.16.52400: Flags [P.],
seq 42986:43548, ack 2021, win 33580, length 562
02:04:38.240984 IP 119.97.146.47.80 > 192.168.108.16.44877: Flags [.],
seq 65226:66686, ack 3069, win 33580, length 1460
02:04:38.240989 IP 119.97.146.47.80 > 192.168.108.16.44877: Flags [P.],
seq 66686:67498, ack 3069, win 33580, length 812
02:04:38.241401 IP 221.235.187.76.80 > 192.168.108.16.52412: Flags [.],
ack 4028, win 33250, length 0

  How can I dig deeper into the issue and resolve it?

P.S.
I tried setting the "bind mss" parameter in the haproxy configuration, but it
reported that it is not supported on dfly.



Regards
Simon
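
An added example, not part of the original post: a small Python parser for tcpdump text like the capture above that reports, per direction, the MSS advertised in the SYN/SYN-ACK and the largest payload actually sent, so an ineffective clamp is visible at a glance. The MSS option states what its sender is willing to receive, so the 1460-byte segments leaving the proxy are bounded by the MSS the clients advertised (not visible in this one-directional capture), not by the `mss 1400` on the outgoing SYN-ACKs. The sample lines are copied from the post with their mail wrapping intact; all function names are this example's own.

```python
import re

RECORD = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP ")            # start of a tcpdump record
PACKET = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]*)\].*length (\d+)")
MSS = re.compile(r"\bmss (\d+)")

# Sample input: three records copied from the capture in the post, still wrapped.
SAMPLE = """\
02:04:37.736802 IP 221.235.187.76.80 > 192.168.108.16.52433: Flags [S.],
seq 1060181879, ack 1461664647, win 32768, options [mss 1400], length 0
02:04:38.209605 IP 221.235.187.76.80 > 192.168.108.16.52433: Flags [.],
seq 1:1461, ack 664, win 33580, length 1460
02:04:38.108258 IP 116.211.123.216.80 > 192.168.108.16.38589: Flags
[S.], seq 173104871, ack 3175683181, win 32768, options [mss 1400], length 0
"""

def unwrap(text):
    """Rejoin tcpdump records that a mail client wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        if RECORD.match(line):
            records.append(line.strip())
        elif line.strip() and records:
            records[-1] += " " + line.strip()
    return records

def analyze(text):
    """Map (src, dst) -> MSS advertised by src and largest payload src sent."""
    flows = {}
    for rec in unwrap(text):
        m = PACKET.search(rec)
        if not m:
            continue
        src, dst, flags, length = m[1], m[2], m[3], int(m[4])
        flow = flows.setdefault((src, dst), {"adv_mss": None, "max_len": 0})
        mss = MSS.search(rec)
        if "S" in flags and mss:          # MSS is only carried on SYN / SYN-ACK
            flow["adv_mss"] = int(mss[1])
        flow["max_len"] = max(flow["max_len"], length)
    return flows

def oversized(text, clamp):
    """Directions that sent a payload larger than the intended clamp value."""
    return sorted(k for k, v in analyze(text).items() if v["max_len"] > clamp)

if __name__ == "__main__":
    for direction in oversized(SAMPLE, 1400):
        print("payload above clamp:", direction, analyze(SAMPLE)[direction])
```

Capturing both directions (so the clients' SYN and its MSS option are included) lets the same script show which advertised value the 1460-byte segments are actually following.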


