> The two pfSense boxes are doing the load balancing inbound and it is
> working well so F1 and L1 are the same box, F2 and L2 are the same
> box,

[Adam Thompson]
OK, that makes it more complicated, as I don't know how pf handles that situation. I know what happens if the packets actually egress and re-ingress, but not sure about the short-circuit case.

> What I am getting is: Outside->V1@(FL1,FL2) gets balanced by
> (FL1,FL2) to->(S1,S2 private addresses)->(S1,S2 respond to the
> request)->(FL1,FL2 rewrite S1,S2 address with actual WAN interface
> IP)->Outside
> This causes a situation where you make the request to 1.2.3.4 but
> the replies come back to you from 1.2.3.9

That means that, as I suspected, having L1/L2 running on F1/F2 is causing some sort of unexpected interaction. If you have the ability to temporarily turn up a physically separate system to do the load-balancing, I think you will find that everything "just works".

Are you using the TCP Load Balancing feature, or are you using something like varnish?

If you have to rely on outbound NAT rules to make this work, I suspect you'll quickly find that pf states expire on you for no apparent reason; if the outbound NAT isn't being handled by a 'match' statement, then you aren't matching the original incoming state, which means you'll shortly be dropping incoming connections.

Trying not to flog a dead horse here: if you have to use AON to accomplish this, *something else* is *broken*.

-Adam

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
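As an added illustration (not part of the thread above, and not pfSense's generated ruleset), the following pf.conf sketch shows the rule shape the reply alludes to: inbound balancing of V1 across S1/S2 with `rdr-to`, and outbound NAT expressed as a `match` rule so that it only applies to new outbound states and leaves the replies belonging to the inbound rdr state alone. It uses OpenBSD-style pf syntax (`match`/`nat-to`/`rdr-to`); the interface names, the private network and the S1/S2 addresses are assumed values, and 1.2.3.4 is the VIP quoted in the thread.

```conf
# Added example, not from the list thread. Assumed names and addresses:
ext_if  = "em0"             # assumed WAN interface
lan_if  = "em1"             # assumed LAN interface facing S1 and S2
v1      = "1.2.3.4"         # public VIP the clients connect to (from the thread)
lan_net = "10.0.0.0/24"     # assumed private network holding S1 and S2
s1      = "10.0.0.11"       # assumed address of S1
s2      = "10.0.0.12"       # assumed address of S2
web_servers = "{" $s1 $s2 "}"

# Outbound NAT as a 'match' rule, per the reply's advice. It only sets
# nat-to on NEW states created by traffic leaving the LAN; packets that
# already belong to the inbound rdr state below are handled by that state
# and keep 1.2.3.4 as their source instead of the WAN interface address.
match out on $ext_if from $lan_net to any nat-to ($ext_if)

# Inbound: Outside -> V1:80 is balanced across S1 and S2. The rdr-to state
# records the original destination, so return traffic is translated back
# to V1 by pf without any outbound NAT rule being involved.
pass in on $ext_if proto tcp from any to $v1 port 80 \
    rdr-to $web_servers round-robin sticky-address

# Let the redirected connections reach the backends on the inside.
pass out on $lan_if proto tcp to $web_servers port 80
```

If the ruleset instead carries a separate `nat` rule that catches the backends' reply packets, the replies are re-sourced from the WAN address (the 1.2.3.9 symptom above); checking `pfctl -ss` for the inbound state's translation is the quickest way to confirm which rule is rewriting them.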
