Then you might tell me why, even with a source track entry set directing
traffic from one internal IP to one specific gateway, the packets
sometimes are redirected to the other gateway?
Because source tracking entries live with state entries. As soon as the
state between the peers expires, your source tracking entry also
disappears by default.
Setting the timeout "src.track" to any value other than zero (0) (which
is the default value) will tell the kernel to keep this tracking
entry after the expiration of the last related state.
And something very weird happened on my test firewall. I put 3
machines behind it, and one of them, with a source track of more than
one hour, suddenly started to get its packets redirected to the other
gateway, and lost its Internet connectivity. I had to do a pfctl -k to
kill the source track entry of the machine.
I cannot comment on this since I don't know the topology and your exact
config, but sure, round-robin load balancing with sticky addresses works
perfectly in enterprise environments with huge loads (like 500K states).
"pfctl -k" (with lowercase k) will kill the states, not source tracking. I
explained above how these src-track entries disappear after state
expiration (or kill).
I'll try to play with this timeout, and I read the man page. But neither the
FAQ nor the man page said that you must set the src.track timeout. That
was the reason why I didn't mess with it.
Ok. It's becoming funnier. You don't even read the replies to you with
enough care. I've pasted you an excerpt from the man page.
"increase the global options with set timeout source-track"
...What do you think this very particular line means?
BTW, "set timeout source-track" is not valid in the current pf
configuration. This line in the man page may be changed with
s/source-track/src.track/
But following the man page will lead you to the related line
"src.track Length of time to retain a source tracking entry after
the last state expires."
Sorry, but man pages are not like HOWTOs in the Linux world. They won't
generally give you "copy & paste to make it work" guidance.
bdd
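For reference, here is a minimal pf.conf putting the two pieces of the thread together: round-robin route-to across two gateways with sticky-address, plus the src.track timeout that keeps the sticky entry alive after the last state expires. This is an added example, not a config from either poster; the interface names, gateway addresses, LAN prefix and the one-hour value are assumptions, and the rule uses the classic (pre-OpenBSD 4.7, still FreeBSD) route-to syntax.

```conf
# Assumed topology: two uplinks and one LAN interface (names are made up).
ext_if1 = "em0"
ext_if2 = "em1"
int_if  = "em2"
gw1     = "192.0.2.1"
gw2     = "198.51.100.1"
lan_net = "10.0.0.0/24"

# Without this line the default is 0, so the source tracking entry is
# dropped as soon as the last state from that source expires and the
# next connection may be round-robined to the other gateway.
# 3600 = keep the entry one hour after the last related state expires.
set timeout src.track 3600

# Round-robin the LAN hosts across both gateways, but pin each source
# address to the gateway it was first assigned (sticky-address).
pass in on $int_if route-to { ($ext_if1 $gw1), ($ext_if2 $gw2) } \
    round-robin sticky-address from $lan_net to any keep state

# Outbound traffic on each uplink must be NATed to that uplink's address
# so replies come back on the same link.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
```

To check the effect, `pfctl -s Sources` lists the source tracking entries with their expiry; `pfctl -s states` lists states only. As the reply above notes, `pfctl -k <host>` kills states, not tracking entries; the uppercase `pfctl -K <host>` is the one that removes a source tracking entry, and with src.track at its default of zero the entry also goes away on its own together with the last state.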