NAT failure with 16.1 on Hyper-V #734
Comments
|
Can you try the following base/kernel on a 16.1 system? |
|
Jup, that apparently patch did the trick. Thanks! |
|
Unfortunately, that's a stock FreeBSD 10-STABLE version. We've been unable to find the cause of this yet, but we are trying to pin this down. Use with care. :) |
|
From your reply, I was wondering what the problem might be with the stock stable kernel, but uname shows me it's 10.3-PRERELEASE, so consider that question retracted ;-) |
|
some patches are missing (nat+traffic shaping, pf match keyword, pptp filter glue) we want to pin down the issue, then merge the single commit responsible into our 16.1 :) |
|
Maybe this is the same issue https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203630 ? |
|
@gitdevmod thanks, looks promising... providing a new build soon. |
|
How is this one then? |
|
That's no different from comment 2.. |
|
@andreas-p So it works? Just to be clear :) |
|
Yes, that kernel does fix the problem on Hyper-V. |
|
I'll take two "okays" out of three, thanks guys, will be shipped in 16.1.2 on Friday and also try to push FreeBSD to add that to 10.2 errata. |
I've upgraded a working 15.7.25 opnsense installation hosted on Hyper-V 2012R2 to 16.1. After that, a workstation located on the LAN segment didn't NAT to the outside world any more as expected. ICMP did work, but other traffic (http, ssh) didn't reach the target. Disabling checksum offload and hardware vlan didn't solve the problem, suricata is disabled, LAN has full access.
.
Symptoms are quite strange: accessing a remote test server from the firewall does work, tcp packets receive the destination. When the workstation initiates the traffic, I can see via tcpdump on the WAN interface that NAT is performed as expected, the outgoing packet is virtually identical to a SYNC packet initiated from the firewall itself (specifically, the source address is the outgoing interface ip). Still, the packets won't arrive if initiated by the client. Apparently, the packets are dropped after passing the tcpdump tap point.
I re-checked the situation, installing a fresh 15.7.25, everything working fine; cloning it and upgrading to 16.1, bummer. I now can switch back and forth between both versions, switching on and of the symptom.
The text was updated successfully, but these errors were encountered: