Thanks a lot, folks!
The problem is solved - I put a "checksum" module between the firewall and the "nat" module (I have netgraph[1] modules), and that works now as expected.

Apparently, when NAT-rewriting the address of a /locally created/ packet, at the time of rewriting the checksum has not yet been computed (because it cannot yet be determined if it should be computed or offloaded). Then the act of rewriting will "correct" that non-existent checksum (to a wrong value, obviously) only to achieve that it no longer appears as nonexistent, and will not be correctly created at a later time either.

This does probably concern a lot of NAT libraries, only we do usually not change the address of the local node itself, only those of other nodes from inside our LAN - and so the issue doesn't hit.

It shouldn't harm named either, because named has a proper configurable source-ip - so maybe I just found an issue during testing which wasn't even the original failure cause. (Somehow I manage to find bugs all the time - previous night it was one in NFSv4 [2].)

Anyway, thanks for being with me!

cheerio,
PMc

[1] https://en.wikipedia.org/wiki/Netgraph
[2] https://lists.freebsd.org/archives/freebsd-fs/2025-February/004349.html
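The failure mode described in the message above, as an added example that is not part of the original post and is not FreeBSD or libalias code: an incremental (RFC 1624) address fix-up gives the right UDP checksum only when the field already holds a computed checksum. The packet bytes, the addresses and the use of 0 as a stand-in for the not-yet-computed field are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: UDP 10.0.0.1:53535 -> 192.0.2.53:53, NAT source 198.51.100.7 */
static const uint8_t OLD_SRC[4] = {10, 0, 0, 1}, NEW_SRC[4] = {198, 51, 100, 7};
static const uint8_t DST[4] = {192, 0, 2, 53};
static const uint8_t UDP[12] = {0xd1, 0x1f, 0x00, 0x35, 0x00, 0x0c, 0x00, 0x00,
                                0xde, 0xad, 0xbe, 0xef}; /* checksum field = 0 */

/* One's-complement sum over big-endian 16-bit words (RFC 1071). */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += (uint32_t)(p[0] << 8 | p[1]);
    if (n) acc += (uint32_t)p[0] << 8;
    return acc;
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}
/* Full UDP checksum: pseudo-header (src, dst, proto 17, length) plus segment. */
uint16_t udp_checksum(const uint8_t src[4]) {
    uint32_t acc = sum16(src, 4, 0);
    acc = sum16(DST, 4, acc) + 17 + (uint32_t)sizeof UDP;
    uint16_t c = (uint16_t)~fold(sum16(UDP, sizeof UDP, acc));
    return c ? c : 0xffff; /* 0 on the wire means "no checksum" for UDP */
}
/* Incremental fix-up for an address rewrite, RFC 1624: HC' = ~(~HC + ~m + m'). */
uint16_t nat_adjust(uint16_t hc, const uint8_t old_ip[4], const uint8_t new_ip[4]) {
    uint32_t acc = (uint16_t)~hc;
    for (int i = 0; i < 4; i += 2) {
        acc += (uint16_t)~(old_ip[i] << 8 | old_ip[i + 1]);
        acc += (uint16_t)(new_ip[i] << 8 | new_ip[i + 1]);
    }
    return (uint16_t)~fold(acc);
}
/* computed_first=1: checksum filled in before NAT; 0: field still empty. */
uint16_t rewritten_checksum(int computed_first) {
    uint16_t field = computed_first ? udp_checksum(OLD_SRC) : 0;
    return nat_adjust(field, OLD_SRC, NEW_SRC);
}
int main(void) {
    printf("expected %04x, checksum-then-NAT %04x, NAT-on-empty-field %04x\n",
           udp_checksum(NEW_SRC), rewritten_checksum(1), rewritten_checksum(0));
    return 0;
}
```

In the second case the field ends up nonzero but wrong, so a receiver treats it as a real checksum and drops the datagram.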