I have servers, each with a public IP in a /28 VLAN. On these servers I have a 10.0.0.0/24 VLAN with some aliases configured.
The servers can talk via the public v4 addresses as well as internally via the 10.0.0.0/24 IPs. Now I wanted to create LAN only jails and set up a simple NAT with pf. This works BUT it is very very slow. Every connection I open from within the jail to the public internet has a ~5 second delay before things happen. A
drill www.google.com @8.8.8.8
takes 5s like everything else and I'm absolutely puzzled where this delay is coming from.
Code:
set skip on lo0
scrub on em0 all
ext_if = "em0"
lan_if = "vlan0"
nat on $ext_if from {vlan0:network} to any -> ($ext_if)
pass all
In pflog I can see for example the initial drill query going through the nat and the response getting through 5 seconds later.
Code:
sudo tcpdump -eni pflog0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes
12:28:29.611433 rule 0/0(match) [uid 0]: nat out on em0: 10.0.0.2.54528 > 8.8.8.8.53: 31971+ A? www.google.com. (28)
12:28:34.835908 rule 0/0(match) [uid 0]: nat out on em0: X.X.X.X.57044 > 8.8.8.8.53: 31971+ A? www.google.com. (28)
In my rc.conf I have
gateway_enable="YES"
set of course. Any help / ideas would be appreciated greatly.
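As an added example (not code from the post): a script that parses `tcpdump -eni pflog0` output like the lines above, pairs entries that share a DNS transaction id, resolver and query name, and reports the gap between the first and second sighting, so the delay can be measured over many queries instead of read off by hand. The sample input is constructed from the two lines in the post plus a fast pair for contrast; X.X.X.X stands in for the redacted public address.

```python
import re
from datetime import datetime

# Constructed sample input: the two lines quoted in the post plus a second, fast
# query pair for contrast. X.X.X.X stands in for the redacted public address.
SAMPLE_PFLOG = """\
12:28:29.611433 rule 0/0(match) [uid 0]: nat out on em0: 10.0.0.2.54528 > 8.8.8.8.53: 31971+ A? www.google.com. (28)
12:28:34.835908 rule 0/0(match) [uid 0]: nat out on em0: X.X.X.X.57044 > 8.8.8.8.53: 31971+ A? www.google.com. (28)
12:30:01.000100 rule 0/0(match) [uid 0]: nat out on em0: 10.0.0.2.40001 > 8.8.8.8.53: 4242+ A? example.com. (26)
12:30:01.003400 rule 0/0(match) [uid 0]: nat out on em0: X.X.X.X.40002 > 8.8.8.8.53: 4242+ A? example.com. (26)
"""

# One 'tcpdump -eni pflog0' line for a DNS query matched by a nat rule.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) rule \S+ \[uid \d+\]: nat out on (?P<ifc>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<qid>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$"
)

def parse_pflog(text):
    """Return the parsed DNS query records in log order; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["ts"], "%H:%M:%S.%f")
            records.append(rec)
    return records

def nat_delays(text):
    """Pair the first and second sighting of each query (same transaction id,
    resolver and name) and return {(qid, qname): seconds between them}.
    Queries seen only once are left out."""
    first_seen = {}
    delays = {}
    for rec in parse_pflog(text):
        key = (rec["qid"], rec["dst"], rec["qname"])
        if key not in first_seen:
            first_seen[key] = rec["time"]
        else:
            delays[(rec["qid"], rec["qname"])] = (rec["time"] - first_seen[key]).total_seconds()
    return delays

def slow_translations(text, threshold=1.0):
    """Queries whose gap exceeds threshold seconds, worst first."""
    slow = {k: v for k, v in nat_delays(text).items() if v > threshold}
    return sorted(slow.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for (qid, qname), secs in slow_translations(SAMPLE_PFLOG):
        print(f"query {qid} for {qname}: {secs:.3f}s between sightings")
```

Run it against a saved capture (`tcpdump -eni pflog0 > pflog.txt`, then pass the file contents) to see whether every query pays the same ~5 s or only the first one per destination.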