Daniel,

That state-policy if-bound option really helped a lot. Thanks. Now outgoing connections are indeed being load-balanced.

However, I have noticed something strange. The connections re-routed to the second interface are somewhat slower. Using a packet sniffer, I could see what might be the cause. It appears that, for some unknown reason, PF is RST'ing the first TCP connection setup (just after receiving a TCP SYN+ACK packet), waiting a while, and then establishing a new TCP connection. Only then is the actual payload transferred (I noticed this with POP3, SMTP, HTTP connections). Apparently this is going on for every TCP connection needed.

The use of "pfctl -x m" showed some error messages that might be of interest. For instance, below are the messages shown after I attempted to telnet to an Internet host on port pop3:

Apr 1 18:52:56 blt-ha /bsd: pf_map_addr: selected address 200.157.227.183
Apr 1 18:52:56 blt-ha /bsd: pf_map_addr: selected address 200.157.227.183
Apr 1 18:52:56 blt-ha /bsd: pf_map_addr: selected address 200.157.227.183
Apr 1 18:52:58 blt-ha /bsd: pf_map_addr: selected address 200.177.74.139
Apr 1 18:52:58 blt-ha /bsd: pf_map_addr: selected address 200.177.74.139
Apr 1 18:52:58 blt-ha /bsd: pf_map_addr: selected address 200.177.74.139
Apr 1 18:52:58 blt-ha /bsd: pf_map_addr: selected address 200.157.227.1
Apr 1 18:52:58 blt-ha /bsd: pf_map_addr: selected address 200.157.227.1
Apr 1 18:52:58 blt-ha /bsd: pf_map_addr: selected address 200.157.227.1
Apr 1 18:52:58 blt-ha /bsd: pf_map_addr: selected address 200.157.227.183
Apr 1 18:52:58 blt-ha /bsd: pf_map_addr: selected address 200.157.227.183
Apr 1 18:52:58 blt-ha /bsd: pf_map_addr: selected address 200.157.227.183
Apr 1 18:52:59 blt-ha /bsd: pf_map_addr: selected address 200.177.74.1
Apr 1 18:52:59 blt-ha /bsd: pf_map_addr: selected address 200.177.74.1
Apr 1 18:52:59 blt-ha /bsd: pf_map_addr: selected address 200.177.74.1
Apr 1 18:52:59 blt-ha /bsd: pf: state insert failed: tree_ext_gwy lan: 200.177.74.139:60619 gwy: 200.177.74.139:60619 ext: 200.154.55.3:110
Apr 1 18:52:59 blt-ha /bsd: pf: state insert failed: tree_ext_gwy lan: 200.177.74.139:60619 gwy: 200.177.74.139:60619 ext: 200.154.55.3:110
Apr 1 18:52:59 blt-ha /bsd: pf: state insert failed: tree_ext_gwy lan: 200.177.74.139:60619 gwy: 200.177.74.139:60619 ext: 200.154.55.3:110
Apr 1 18:52:59 blt-ha /bsd: pf_map_addr: selected address 200.157.227.1
Apr 1 18:52:59 blt-ha /bsd: pf_map_addr: selected address 200.157.227.1
Apr 1 18:52:59 blt-ha /bsd: pf_map_addr: selected address 200.157.227.1

Any reason for this kind of behaviour?

Thanks again.

Regards,
Emilio
