Hi all,

I've been having a headache using round-robin with the sticky-address option. I have two exit links, and I'm doing load balancing with round-robin on the outgoing packets from the internal net and from my other two DMZs. This setup works perfectly, with some exceptions. There are some buggy web applications that use the IP address in their sessions, and for those I have to put their IP addresses in a table and use normal routing. I want to use sticky-address so that a machine that initially goes out through one link keeps going out through that one until there are no more states or connections.

I did some tests using a virtual OpenBSD machine with VMware, put one machine behind it, and had the virtual machine do load balancing with the same rules I use in my main firewall (only the IP addresses and interfaces in the macros were changed). This test worked nicely, without problems.

Then, when I put sticky-address in the main firewall, strange things happened. The source-tracking states were created, but the machines were sometimes directed to the other link, not the one in the source-track entry. For example, when pinging an external address from an internal machine, the initial source-track entry directed it to one of the links, and the packets went out correctly. Then, if I stopped the ping and tried it again, the packets were directed to the other link. I confirmed this with tcpdump on the firewall's interfaces.

Then, today, I managed to get a switch and put more machines behind my test firewall. There, sticky-address is working flawlessly. I don't know where to look. Both the main firewall and the test machine were mostly idle and had free memory during the tests. Is there some kind of limit with sticky-address? I read the man page and saw that I can limit the number of source-track entries and/or states, etc., but I don't think that is the right solution. Does anyone have a clue?

Thanks in advance,

-- 
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
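For readers who want to see what the setup described in the post looks like in pf.conf, below is an added example (not the poster's actual ruleset): two uplinks, round-robin route-to with sticky-address for the LAN, and a table of hosts that must bypass the load balancing and follow the normal routing table. All interface names, gateway addresses and the LAN prefix are assumed placeholders.

```pf
# Added illustrative ruleset, not the original poster's configuration.
# Interface names, gateways and addresses below are assumptions.
ext_if1 = "fxp0"           # first uplink
ext_if2 = "fxp1"           # second uplink
int_if  = "fxp2"           # internal LAN
ext_gw1 = "192.0.2.1"      # gateway on the first uplink (assumed)
ext_gw2 = "198.51.100.1"   # gateway on the second uplink (assumed)
lan_net = "10.0.0.0/24"    # internal network (assumed)

# Hosts that talk to web applications which tie the session to the
# client's source IP. These must never switch uplinks mid-session,
# so they are excluded from load balancing entirely.
table <pinned> persist { 10.0.0.50, 10.0.0.51 }

# Translate outgoing traffic to the address of whichever uplink it leaves on.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# Pinned hosts: match first ("quick") with no route-to, so the packet
# follows the kernel routing table (the default route) instead.
pass in quick on $int_if from <pinned> to any keep state

# Everyone else: alternate uplinks per new source (round-robin), and with
# sticky-address keep a given source on the same uplink for as long as it
# has a source-tracking entry, i.e. while any of its states still exist.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin sticky-address \
    from $lan_net to any keep state

# Traffic originating on the firewall itself leaves over the routing table.
pass out on $ext_if1 from ($ext_if1) to any keep state
pass out on $ext_if2 from ($ext_if2) to any keep state
```

The point of the `quick` rule on `<pinned>` is that it is evaluated before the route-to rule and terminates rule evaluation, so those hosts get ordinary routing. With this layout, `pfctl -s state` and `pfctl -s sources` (for the source-tracking entries) on the firewall are the first things to compare against what tcpdump shows on the two uplinks when a host appears on the "wrong" link.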