I did a bit of experimentation over the weekend and found something interesting.
First, a very short re-hash of my problem since it's been a while since my last post. A diagram: http://webpages.charter.net/cycler/network.txt

There are two subnets, one for the servers, and one for the workstations. Traffic outbound to each internet connection is great. Traffic between each subnet will stall/hang. If I take one router offline, and leave one router as master for both subnets, traffic is great in all directions. Each router is multi-homed, and has a connection to both subnets.

I have discovered through testing (see my previous posts in this thread) that when traffic enters one router (say hobbes) from the workstation network (192.168.20.0), and is destined for the server network (192.168.30.0), that traffic will exit hobbes on fxp1 and never reach calvin, even though calvin is master for the gateway IP (192.168.30.1) on the server network, and hobbes is the backup. This means that return traffic from the server network is entering calvin (because it is the master CARP default gateway) and never going back to hobbes either. Traffic enters the network one way, and returns along a different path.

So what I did this weekend was to add a route-to rule stating that any traffic entering on the workstation interface, and destined for the server subnet, should be routed to the server gateway. I also did this for the opposite (traffic entering the server interface and destined for the workstation subnet). This essentially works, and traffic actually goes to the proper router for the given subnet. However, it is very, very slow. I also found a considerable amount of blocked traffic on, say, xl1 coming from 192.168.20.0 that I did not expect. Further, if I ping across the subnets, without fail my first ping will time out, and subsequent pings will work. It's almost like the traffic has two potential paths, tries the first, fails, and resorts to the second. Am I missing some reply-to traffic here that I should be doing some further filtering on?
-------------------------------------------------------------------------------------------
# Subnet and CARP gateway macros. $workstation_if and $server_if are the
# interface macros from the full pf.conf in the original post.
workstation_net = "{ 192.168.20.0/24 }"
workstation_gw = "192.168.20.1"
server_net = "{ 192.168.30.0/24 }"
server_gw = "192.168.30.1"

# Hand cross-subnet traffic to the CARP master gateway for the destination
# subnet instead of sending it out this router's own directly connected link.
pass in log quick on $server_if route-to ($workstation_if $workstation_gw) \
    from $server_net to $workstation_net keep state flags S/SA
pass in log quick on $workstation_if route-to ($server_if $server_gw) \
    from $workstation_net to $server_net keep state flags S/SA

** See the original post in this thread for a full pf.conf

Steve
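The path asymmetry Steve describes (a SYN seen by one router, the reply seen only by the other, each keeping its own state table) can be modeled in a few lines. The following is an added Python example, not part of the post and not Steve's configuration: it reuses the post's two subnets and router names, but the host addresses, the simplified pf state rule ("keep state flags S/SA": only a bare SYN creates state, everything else must match existing state) and the assumption that a multi-homed router delivers straight onto the destination subnet are all constructed for the illustration.

```python
"""Toy model of the asymmetric-path problem: two multi-homed stateful routers,
each CARP master for one subnet's gateway, with independent state tables.

Constructed example. Subnets and router names follow the post; host
addresses, the state model and the delivery model are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

WORKSTATION_NET = ip_network("192.168.20.0/24")
SERVER_NET = ip_network("192.168.30.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # TCP flags as pf prints them: "S", "SA", "A"


class StatefulRouter:
    """A router applying a pf-style 'pass ... keep state flags S/SA' rule.

    Only a bare SYN creates state; any other packet is passed only if it
    matches an existing state in either direction, otherwise it is blocked.
    Each router keeps its own table (no state sharing in this model).
    """

    def __init__(self, name: str) -> None:
        self.name = name
        self.states: set[tuple[str, str]] = set()
        self.blocked: list[str] = []

    def forward(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.dst)
        if pkt.flags == "S" and key not in self.states:
            self.states.add(key)  # SYN creates state
            return True
        if key in self.states or (pkt.dst, pkt.src) in self.states:
            return True  # matches an existing state, either direction
        self.blocked.append(
            f"block on {self.name}: {pkt.src} > {pkt.dst} flags {pkt.flags}")
        return False


class Network:
    """masters maps each subnet to the router that is CARP master for its
    gateway. Because both routers are multi-homed, whichever router receives
    a packet delivers it directly onto the destination subnet; the other
    router never sees it. That is the asymmetry described in the post.
    """

    def __init__(self, masters: dict[IPv4Network, StatefulRouter]) -> None:
        self.masters = masters

    def send(self, pkt: Packet) -> bool:
        src_net = next(n for n in self.masters if ip_address(pkt.src) in n)
        return self.masters[src_net].forward(pkt)

    def tcp_handshake(self, client: str, server: str) -> bool:
        """True if the three-way handshake completes end to end."""
        steps = [Packet(client, server, "S"),
                 Packet(server, client, "SA"),
                 Packet(client, server, "A")]
        return all(self.send(p) for p in steps)


def split_masters() -> tuple[bool, list[str]]:
    """Post's setup: hobbes master for 192.168.20.1, calvin for 192.168.30.1."""
    hobbes, calvin = StatefulRouter("hobbes"), StatefulRouter("calvin")
    net = Network({WORKSTATION_NET: hobbes, SERVER_NET: calvin})
    ok = net.tcp_handshake("192.168.20.50", "192.168.30.10")
    return ok, hobbes.blocked + calvin.blocked


def single_master() -> tuple[bool, list[str]]:
    """One router offline: the survivor is master for both gateways."""
    calvin = StatefulRouter("calvin")
    net = Network({WORKSTATION_NET: calvin, SERVER_NET: calvin})
    ok = net.tcp_handshake("192.168.20.50", "192.168.30.10")
    return ok, calvin.blocked


if __name__ == "__main__":
    for scenario in (split_masters, single_master):
        ok, blocked = scenario()
        print(f"{scenario.__name__}: handshake {'completed' if ok else 'failed'}")
        for line in blocked:
            print("   ", line)
```

In the split case the SYN creates state on hobbes, but the SYN-ACK reaches calvin, which has no state for the flow and sees flags SA rather than S, so it blocks the reply and the handshake never completes; with a single master for both gateways the same router sees both directions and the handshake succeeds. Anything that restores path symmetry (or shares state between the two boxes) removes the block; what the model does not capture is the full rule set in the original pf.conf, so it says nothing about which rule on which interface is logging the unexpected blocks.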
