>> Get tcpdumps on both router interfaces with and without the "reassemble >> tcp" option. Do this for a similar file on both a working website and >> broken (ebay) website. > > On both router interfaces? Wouldn't the external if be enough?
You're probably right. But my theory is that if you're going to go to the effort of getting some comparable captures you may as well get them all at the same time. Having both external and internal is helpful for debugging issues with your router itself - i.e. it would indicate if the packets arrived looking good and then, after pf, looked bad.
