I'm currently testing a setup with Soekris and the following networks: LAN, DMZ (private network too), Internet (really common, no?).
The LAN & Internet setup has been working OK for years; the DMZ has only been used recently. The problem is that when I'm on the DMZ (static or DHCP IP, wired or wireless), HTTP browsing is damn slow. First, are the following NAT rules possible? (NAT on multiple networks from different interfaces; a problem?)
nat on $ExtIF inet from $IntIF:network to any -> ($ExtIF)
nat pass on $ExtIF inet from $DmzIF:network to any -> ($ExtIF)
#nat on $ExtIF inet proto tcp from $DmzIF:network to any port $DmzTcpServices -> ($ExtIF)
#nat on $ExtIF inet proto icmp from $DmzIF:network to any -> ($ExtIF)

<<< Here is a tcpdump session, when launching a request from the browser on eBay:
# tcpdump -nlvv -i sis2 (dmz)
tcpdump: listening on sis2
16:26:53.761096 192.168.x.x.50212 > 67.15.52.101.80: S [tcp sum ok] 2218309624:2218309624(0) win 65535 <mss 1460> (DF) (ttl 64, id 12040)
16:26:53.877019 192.168.x.x.50218 > 66.135.192.93.80: S [tcp sum ok] 1625842857:1625842857(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1073405428 0> (DF) (ttl 64, id 12041)
16:26:56.761516 192.168.x.x.50218 > 66.135.192.93.80: S [tcp sum ok] 1625842857:1625842857(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1073405433 0> (DF) (ttl 64, id 12042)
16:26:59.261703 192.168.x.x.50216 > 83.243.22.157.80: S [tcp sum ok] 1633889475:1633889475(0) win 65535 <mss 1460> (DF) (ttl 64, id 12043)
16:26:59.761793 192.168.x.x.50218 > 66.135.192.93.80: S [tcp sum ok] 1625842857:1625842857(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1073405439 0> (DF) (ttl 64, id 12044)
16:27:02.762015 192.168.x.x.50218 > 66.135.192.93.80: S [tcp sum ok] 1625842857:1625842857(0) win 65535 <mss 1460> (DF) (ttl 64, id 12045)
16:27:05.762175 192.168.x.x.50218 > 66.135.192.93.80: S [tcp sum ok] 1625842857:1625842857(0) win 65535 <mss 1460> (DF) (ttl 64, id 12047)
16:27:08.762332 192.168.x.x.50218 > 66.135.192.93.80: S [tcp sum ok] 1625842857:1625842857(0) win 65535 <mss 1460> (DF) (ttl 64, id 12050)
16:27:14.762731 192.168.x.x.50218 > 66.135.192.93.80: S [tcp sum ok] 1625842857:1625842857(0) win 65535 <mss 1460> (DF) (ttl 64, id 12051)
16:27:17.763324 192.168.x.x.50212 > 67.15.52.101.80: S [tcp sum ok] 2218309624:2218309624(0) win 65535 <mss 1460> (DF) (ttl 64, id 12052)
16:27:23.263677 192.168.x.x.50216 > 83.243.22.157.80: S [tcp sum ok] 1633889475:1633889475(0) win 65535 <mss 1460> (DF) (ttl 64, id 12053)
16:27:26.763999 192.168.x.x.50218 > 66.135.192.93.80: S [tcp sum ok] 1625842857:1625842857(0) win 65535 <mss 1460> (DF) (ttl 64, id 12054)
16:27:41.419117 192.168.x.x > 66.249.87.104: icmp: echo request (id:3acc seq:0) (ttl 64, id 12069)
16:27:41.466961 66.249.87.104 > 192.168.x.x: icmp: echo reply (id:3acc seq:0) (ttl 246, id 12069)
16:27:41.559668 192.168.x.x.50219 > 83.243.22.157.80: S [tcp sum ok] 2849475171:2849475171(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1073405523 0> (DF) (ttl 64, id 12070)
16:27:44.265145 192.168.x.x.50219 > 83.243.22.157.80: S [tcp sum ok] 2849475171:2849475171(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1073405528 0> (DF) (ttl 64, id 12071)
16:27:47.265259 192.168.x.x.50219 > 83.243.22.157.80: S [tcp sum ok] 2849475171:2849475171(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1073405534 0> (DF) (ttl 64, id 12072)
16:27:50.265437 192.168.x.x.50219 > 83.243.22.157.80: S [tcp sum ok] 2849475171:2849475171(0) win 65535 <mss 1460> (DF) (ttl 64, id 12073)
16:27:50.765624 192.168.x.x.50218 > 66.135.192.93.80: S [tcp sum ok] 1625842857:1625842857(0) win 65535 <mss 1460> (DF) (ttl 64, id 12074)
16:27:53.265839 192.168.x.x.50219 > 83.243.22.157.80: S [tcp sum ok] 2849475171:2849475171(0) win 65535 <mss 1460> (DF) (ttl 64, id 12075)
16:27:56.266398 192.168.x.x.50219 > 83.243.22.157.80: S [tcp sum ok] 2849475171:2849475171(0) win 65535 <mss 1460> (DF) (ttl 64, id 12076)
16:27:56.306471 83.243.22.157.80 > 192.168.x.x.50219: S [tcp sum ok] 1714885135:1714885135(0) ack 2849475172 win 17520 <mss 1460> (DF) (ttl 117, id 59798)
16:27:56.306792 192.168.x.x.50219 > 83.243.22.157.80: . [tcp sum ok] 1:1(0) ack 1 win 65535 (DF) (ttl 64, id 12077)
16:27:56.307392 192.168.x.x.50219 > 83.243.22.157.80: P 1:248(247) ack 1 win 65535 (DF) (ttl 64, id 12078)
16:27:56.351795 83.243.22.157.80 > 192.168.x.x.50219: P 1:164(163) ack 248 win 17273 (DF) (ttl 117, id 59800)
16:27:56.352143 192.168.x.x.50219 > 83.243.22.157.80: . [tcp sum ok] 248:248(0) ack 164 win 65535 (DF) (ttl 64, id 12079)
16:27:56.353354 83.243.22.157.80 > 192.168.x.x.50219: FP 164:687(523) ack 248 win 17273 (DF) (ttl 117, id 59801)
16:27:56.353672 192.168.x.x.50219 > 83.243.22.157.80: . [tcp sum ok] 248:248(0) ack 688 win 65177 (DF) (ttl 64, id 12080)
16:27:56.355365 192.168.x.x.50219 > 83.243.22.157.80: F [tcp sum ok] 248:248(0) ack 688 win 65535 (DF) (ttl 64, id 12081)
16:27:56.394667 83.243.22.157.80 > 192.168.x.x.50219: . [tcp sum ok] 688:688(0) ack 249 win 17273 (DF) (ttl 117, id 59803)
16:27:56.482318 192.168.x.x > 66.249.87.104: icmp: echo request (id:3aec seq:0) (ttl 64, id 12082)
16:27:56.530011 66.249.87.104 > 192.168.x.x: icmp: echo reply (id:3aec seq:0) (ttl 246, id 12082)
16:27:56.593406 192.168.x.x.50220 > 83.243.22.157.80: S [tcp sum ok] 3438414445:3438414445(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1073405553 0> (DF) (ttl 64, id 12083)

<<< Second, for now, from the DMZ, ping/DNS seem OK with values like the network, but for now I can't find anything more to investigate the problem. Ideas? Thanks.

Regards,
Julien

Note: I haven't added the pf rules as it is a bit long... if needed, will see.
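An added example, not part of the original post: a small parser for tcpdump lines of the shape shown above that, per client flow, counts retransmitted SYNs and measures how long after the first SYN the server's SYN-ACK arrived. The sample lines are constructed in the same format with placeholder addresses (not the post's own capture).

```python
import re

# Shape of one TCP line in an OpenBSD "tcpdump -nlvv" capture, as in the post:
# HH:MM:SS.usec src.port > dst.port: FLAGS [tcp sum ok] seq [ack N] win ...
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+): (\S+) (.*)$")

# Constructed sample in the same format (placeholder hosts, not the post's data):
# port 50218 never gets a SYN-ACK, port 50219 gets one only after a retransmit.
SAMPLE = """\
16:26:53.877019 192.168.0.9.50218 > 203.0.113.10.80: S [tcp sum ok] 1625842857:1625842857(0) win 65535 <mss 1460> (DF) (ttl 64, id 12041)
16:26:56.761516 192.168.0.9.50218 > 203.0.113.10.80: S [tcp sum ok] 1625842857:1625842857(0) win 65535 <mss 1460> (DF) (ttl 64, id 12042)
16:26:59.761793 192.168.0.9.50218 > 203.0.113.10.80: S [tcp sum ok] 1625842857:1625842857(0) win 65535 <mss 1460> (DF) (ttl 64, id 12044)
16:27:41.559668 192.168.0.9.50219 > 198.51.100.7.80: S [tcp sum ok] 2849475171:2849475171(0) win 65535 <mss 1460> (DF) (ttl 64, id 12070)
16:27:44.265145 192.168.0.9.50219 > 198.51.100.7.80: S [tcp sum ok] 2849475171:2849475171(0) win 65535 <mss 1460> (DF) (ttl 64, id 12071)
16:27:56.306471 198.51.100.7.80 > 192.168.0.9.50219: S [tcp sum ok] 1714885135:1714885135(0) ack 2849475172 win 17520 <mss 1460> (DF) (ttl 117, id 59798)
16:27:56.306792 192.168.0.9.50219 > 198.51.100.7.80: . [tcp sum ok] 1:1(0) ack 1 win 65535 (DF) (ttl 64, id 12077)
"""

def _secs(h, m, s):
    return int(h) * 3600 + int(m) * 60 + float(s)

def handshake_report(lines):
    """Per client flow (src, sport, dst, dport): how many SYNs were retransmitted
    and how long after the first SYN the server's SYN-ACK showed up (None if never)."""
    flows = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(8) != "S":
            continue  # only SYN and SYN-ACK segments matter for the handshake
        h, mi, s, src, sport, dst, dport, _, rest = m.groups()
        t = _secs(h, mi, s)
        if re.search(r"\back \d+", rest):  # SYN carrying an ack: server -> client
            f = flows.get((dst, dport, src, sport))
            if f is not None and f["synack_at"] is None:
                f["synack_at"] = t
        else:  # plain SYN: client -> server, the first one or a retransmit
            f = flows.setdefault((src, sport, dst, dport),
                                 {"syns": 0, "first_syn": t, "synack_at": None})
            f["syns"] += 1
    report = {}
    for key, f in flows.items():
        delay = None if f["synack_at"] is None else round(f["synack_at"] - f["first_syn"], 3)
        report[key] = {"syn_retransmits": f["syns"] - 1, "handshake_delay": delay}
    return report

if __name__ == "__main__":
    for key, r in handshake_report(SAMPLE.splitlines()).items():
        print("%s:%s -> %s:%s" % key, r)
```

Running the same report over a capture taken on $ExtIF shows whether the SYNs leave translated and whether the SYN-ACKs come back at all, which splits the problem between the outbound path and the return path into the DMZ.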