Hi, Thanks for the reply.
Try without the "block out log quick on $ext_if from !$ext_ip1 to any" rule.
I have other firewalls with the same rule which don't show the problem.
Actually it does neither, there is no need for the backend servers to access the internet directly.

btw, is your firewall forwarding traffic or doing NAT?
Can you show pfctl -sr and ifconfig output?
Looking again at the pfctl -s info output, I saw something which I missed the first time around:
State Table                          Total             Rate
  current entries                      668
  searches                        70482052          118.5/s
  inserts                          8153087           13.7/s
  removals                         8152419           13.7/s
Counters
  match                           10637818           17.9/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              1            0.0/s
  memory                           2405587            4.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                          510            0.0/s
  state-mismatch                   2276240            3.8/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

The memory limit is hit almost the same number of times as the state mismatches. It seems that my limits were simply too low. I have increased the limits (states/frags) and will see if the problem is resolved now.
Regards, Sebastiaan
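The observation above (a rising `memory` counter tracking `state-mismatch`, pointing at state/frag limits that are too low) can be turned into a repeatable check. The following is an added example, not code from the thread or from pf itself: it parses `pfctl -s info` output and flags the pattern. The sample text is constructed from the counter values quoted in the thread; the function names and the 20% "tracks within" tolerance are this example's own assumptions.

```python
"""Parse `pfctl -s info` output and flag state-table memory exhaustion.

Added example (not from the mailing-list thread or from pf). The sample
below is reconstructed from the counter values quoted in the thread; the
function names and the tolerance threshold are assumptions of this example.
"""
import re
import sys

# Constructed sample: the counters quoted in the thread, laid out the way
# pfctl -s info prints them.
SAMPLE = """\
State Table                          Total             Rate
  current entries                      668
  searches                        70482052          118.5/s
  inserts                          8153087           13.7/s
  removals                         8152419           13.7/s
Counters
  match                           10637818           17.9/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              1            0.0/s
  memory                           2405587            4.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                          510            0.0/s
  state-mismatch                   2276240            3.8/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
"""

# Indented counter lines: "<name>  <total> [<rate>/s]".  Section headers
# ("State Table", "Counters") start in column 0 and are skipped.
LINE_RE = re.compile(r"^\s+([a-z][a-z -]*?)\s{2,}(\d+)(?:\s+([\d.]+)/s)?\s*$")


def parse_pf_info(text):
    """Return {counter_name: (total, rate_per_second_or_None)}."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, total, rate = m.groups()
            counters[name] = (int(total), float(rate) if rate is not None else None)
    return counters


def memory_mismatch_ratio(counters):
    """How closely the `memory` and `state-mismatch` totals track each other
    (1.0 = identical, 0.0 = one of them is zero)."""
    memory = counters.get("memory", (0, None))[0]
    mismatch = counters.get("state-mismatch", (0, None))[0]
    if memory == 0 or mismatch == 0:
        return 0.0
    return min(memory, mismatch) / max(memory, mismatch)


def diagnose(counters, tolerance=0.2):
    """Return a list of findings.  Assumed heuristic: a non-zero `memory`
    counter means pf dropped packets because it could not allocate a state or
    fragment entry; when `state-mismatch` grows at about the same rate, the
    mismatches are most likely packets belonging to states that were never
    created, so raising `set limit states` / `set limit frags` is the fix."""
    findings = []
    memory = counters.get("memory", (0, None))[0]
    if memory > 0:
        findings.append(
            f"memory counter is {memory}: state/fragment allocation failed; "
            "consider raising 'set limit states' and 'set limit frags' in pf.conf")
    ratio = memory_mismatch_ratio(counters)
    if ratio >= 1.0 - tolerance:
        findings.append(
            f"state-mismatch tracks memory (ratio {ratio:.2f}): mismatches are "
            "likely packets for states that could not be inserted")
    return findings


if __name__ == "__main__":
    # Usage: pfctl -s info | python3 check_pf_info.py   (falls back to SAMPLE)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for finding in diagnose(parse_pf_info(text)) or ["no limit-related findings"]:
        print(finding)
```

Run it as `pfctl -s info | python3 check_pf_info.py` on the firewall; with no piped input it evaluates the constructed sample. To compare the counters against the configured ceilings, `pfctl -s memory` prints the current hard limits for states and frags.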