tech-net archive


IPv6 TCP sessions hangs when using PF keep state



I've been using PF as my gateway's packet filter for a while, and I
have noticed weird behaviour since I upgraded that server to NetBSD 6.0.

That machine has two NICs, one connected to an ADSL modem, the other
one connected to two tagged VLANs. IPv6 connectivity is enabled via
a gre(4) tunnel using the public (ADSL) interface.

From the gateway itself, everything runs fast and smooth, I can
access every IPv6 service without any lag. But from the machines
located on the private VLAN, behind the gateway, I am witnessing
"hangs" while receiving HTTP data, but also during SSH sessions.

I spent quite a lot of time trying various techniques like
reducing the MTU on different interfaces, and finally I tried
flushing PF rules, which led to fully functional IPv6.
Digging a little bit further, a friend suggested adding a
pass with "no state" on the private interface of the gateway,
and as a matter of fact, IPv6 traffic is still working. But as
soon as I get rid of this rule, I still witness hangs.
Also, even if the only rules loaded by PF are plain pass, IPv6
TCP sessions will also hang.

Does this behaviour ring a bell to anyone?

------------------------------------------------------------------
Emile "iMil" Heitor .°. <imil@{,,}>
              |        | ASCII ribbon campaign ( )
              |  |  - against HTML email  X
              |        |              & vCards / \


