I'm going to repeat myself here because this has caused me countless headaches: Understand how switches figure out which port goes to which host. This can really bite you.
Here's an example:

Packet from SERVERS intended for INTERNET hits SW2.
SW2 learns which port SERVERS is on.
SW2 does a discover, so the packet is sent out all ports.
Packet goes to INTERNET, FW2 and back to SERVERS.
FW2 does a discover and learns which port goes toward SERVERS.
Packet goes to SW1 and SW2.
SW1 does a discover and learns which port goes toward SERVERS.
Packet goes to INTERNET, FW1 and FW2.
FW1 does a discover and learns which port goes towards SERVERS.

FW1 has just learned that SERVERS is on the same port as INTERNET. If FW2 fails at this point, FW1 will not forward traffic to SERVERS. This will continue for as long as the learn cache lives, which is, I think, 10 minutes.

I wound up putting static MAC addresses in my bridge settings to avoid this problem. I also turned off learn on the interface pointing toward the INTERNET. This is by no means the only problem that can crop up. Be wary!

-Dylan

> ---------FW1----------
> ---INTERNET----[SW1 |pfsync SW2]---------SERVERS
> ---------FW2------------
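As an added illustration (not part of Dylan's post), here is a small learning-bridge simulation of the topology in the diagram: device and port names are made up, host names stand in for MAC addresses, and the standby firewall is assumed to learn source addresses without forwarding. It reproduces FW1 ending up with SERVERS on its INTERNET-facing port and dropping the first frame after failover, then shows the two fixes Dylan mentions (a static entry, and no learning on the wan side) restoring delivery.

```python
class Host:
    """Endpoint that only records what it receives (constructed for the demo)."""
    def __init__(self, name):
        self.name, self.links, self.got = name, {}, []
    def receive(self, port, src, dst, ttl):
        self.got.append((src, dst))

class Bridge:
    """Transparent learning bridge: the last frame seen for a MAC wins, unless pinned."""
    def __init__(self, name, forward=True, learn_on=None):
        self.name, self.forward, self.learn_on = name, forward, learn_on
        self.links, self.table, self.static, self.drops = {}, {}, {}, []
    def receive(self, port, src, dst, ttl=8):
        if src not in self.static and (self.learn_on is None or port in self.learn_on):
            self.table[src] = port                      # source-address learning
        if not self.forward or ttl == 0:                # standby or dead box: learn only
            return
        out = self.static.get(dst) or self.table.get(dst)
        if out is None:                                 # unknown destination: flood
            outs = [p for p in self.links if p != port]
        elif out == port:                               # "known" on the ingress port: drop
            self.drops.append((src, dst, port))
            return
        else:
            outs = [out]
        for p in outs:
            peer, peer_port = self.links[p]
            peer.receive(peer_port, src, dst, ttl - 1)

def link(a, pa, b, pb):
    a.links[pa], b.links[pb] = (b, pb), (a, pa)

def build(fixed=False):
    """INTERNET-SW1-{FW1,FW2}-SW2-SERVERS; FW2 active, FW1 standby (learns, no forwarding)."""
    inet, srv, sw1, sw2, fw2 = Host("INTERNET"), Host("SERVERS"), Bridge("SW1"), Bridge("SW2"), Bridge("FW2")
    fw1 = Bridge("FW1", forward=False, learn_on=("lan",) if fixed else None)  # fix: no learning on wan
    if fixed:
        fw1.static["SERVERS"] = "lan"                   # fix: static MAC entry in the bridge
    link(inet, "eth", sw1, "inet"); link(sw1, "fw1", fw1, "wan"); link(sw1, "fw2", fw2, "wan")
    link(srv, "eth", sw2, "srv"); link(sw2, "fw1", fw1, "lan"); link(sw2, "fw2", fw2, "lan")
    return inet, srv, sw1, sw2, fw1, fw2

def scenario(fixed=False):
    inet, srv, sw1, sw2, fw1, fw2 = build(fixed)
    sw2.receive("srv", "SERVERS", "INTERNET")           # SERVERS -> INTERNET, flooded everywhere
    believes = fw1.static.get("SERVERS") or fw1.table.get("SERVERS")
    fw2.forward, fw1.forward = False, True              # FW2 dies, FW1 takes over
    fw1.receive("wan", "INTERNET", "SERVERS")           # reply hits FW1 from the SW1 side
    return believes, len(srv.got), len(fw1.drops)
```

`scenario()` returns which port FW1 thinks SERVERS is on, how many frames SERVERS actually received after failover, and how many FW1 dropped; compare the unfixed and fixed runs.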
