Hello,

We have a bunch of bridged firewalls and we are now looking into using the pfsync "defer" feature to solve some problems with async states during failover.

However, I discovered that the deferred packets (TCP SYN for example) are being sent out on the management interface of the firewall and not on the bridged VLAN interfaces where they're supposed to go. In this case the traffic that goes the wrong way is destined for the firewall management network, but as it's only the SYN packet that goes that way, the firewall protecting the management network will not set a state and will drop subsequent packets. It probably takes this way because it's the shortest path to the other firewalls.

If the defer flag is off, everything works as it should and traffic takes the right path.

This has been tested on 4.9/amd64.

Please let me know if I can supply more info; it's a pretty complex problem to explain.

Best regards,
Peter Hallin
Lund University
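The symptom described above (a deferred SYN leaving on the management interface while the rest of the flow uses the bridged VLAN) can be spotted from a capture taken on both interfaces. The following is an added example, not code from the original message or from OpenBSD; the interface names `em0`/`vlan100`, the management network `192.168.99.0/24` and the tcpdump-style sample lines are all constructed for the illustration. It flags initial SYNs seen on the management interface whose source is outside the management network, i.e. transit traffic from a bridged segment that had no business leaving that way.

```python
import ipaddress
import re

# Constructed sample capture lines (not real data).  Format is
# "<iface> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]", roughly what
# tcpdump prints with the interface name prepended.  Interface names and
# addresses are assumptions for this example only.
SAMPLE_LINES = """\
em0 IP 10.10.5.23.51234 > 192.168.99.40.443: Flags [S]
vlan100 IP 10.10.5.23.51234 > 192.168.99.40.443: Flags [.]
em0 IP 192.168.99.5.50001 > 192.168.99.40.22: Flags [S]
em0 IP 192.168.99.40.22 > 192.168.99.5.50001: Flags [S.]
em0 IP 10.10.5.44.40000 > 192.168.99.41.80: Flags [S]
"""

MGMT_IFACE = "em0"                                   # assumed management interface
MGMT_NET = ipaddress.ip_network("192.168.99.0/24")   # assumed management network

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    rf"^(?P<iface>\S+) IP (?P<src>{_IPV4})\.(?P<sport>\d+) > "
    rf"(?P<dst>{_IPV4})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Parse one capture line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "iface": d["iface"],
        "src": ipaddress.ip_address(d["src"]),
        "sport": int(d["sport"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
        "flags": d["flags"],
    }


def is_initial_syn(flags):
    """'S' alone is the client's opening SYN; 'S.' is the server's SYN/ACK."""
    return flags == "S"


def misrouted_syns(capture_text, mgmt_iface=MGMT_IFACE, mgmt_net=MGMT_NET):
    """Return the opening SYNs that left on the management interface although
    their source lies outside the management network.  Such packets are transit
    traffic from a bridged VLAN that should have been forwarded on the bridge,
    which is the behaviour reported with pfsync defer enabled."""
    suspects = []
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["iface"] != mgmt_iface:
            continue
        if not is_initial_syn(pkt["flags"]):
            continue
        if pkt["src"] in mgmt_net:
            continue  # the firewall's own management traffic is expected here
        suspects.append(pkt)
    return suspects


if __name__ == "__main__":
    for p in misrouted_syns(SAMPLE_LINES):
        print(f"SYN on {p['iface']} from {p['src']}:{p['sport']} "
              f"to {p['dst']}:{p['dport']} should have used the bridge")
```

On a real pair the check would be run over a capture taken while the defer flag is on and again with it off; with defer off the list is expected to be empty, matching the behaviour described in the message.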
