On 2011-12-12 08:13, Peter Hallin wrote:
> Hello,
>
> We have a bunch of bridged firewalls and we are now looking into using
> the pfsync "defer" feature to solve some problems with async states
> during failover.
>
> However I discovered that the deferred packets (tcp SYN for example) are
> being sent out on the management interface of the firewall and not on the
> bridged vlan interfaces where they're supposed to go.
>
> In this case the traffic that goes the wrong way is destined for the
> firewall management network, but as it's only the SYN packet that goes
> that way, the firewall protecting the management network will not set a
> state and drop subsequent packets. It probably takes this way because
> it's the shortest path to the other firewalls.
>
> If the defer flag is off, everything works as it should and traffic
> takes the right path.
>
> This has been tested on 4.9/amd64.
>
> Please let me know if I can supply more info, it's a pretty complex
> problem to explain.
>
> Best regards,
>
> Peter Hallin
> Lund University
OK, it is my understanding that the defer feature doesn't work with pure bridges because the information on which bridge a deferred packet came from isn't stored. Does anyone have any ideas on how to implement this feature in a bridged setup?

The thing that happens now is that a deferred packet coming from a bridge will be sent out on the only interface with an IP address, in our case the management interface.

I think pfsync defer is a killer feature and I really hope it will work for us some day.

Thanks,

//Peter
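A way to confirm the symptom described in this thread on a bridged firewall, as an added example that is not code from the thread or from OpenBSD: capture on a bridge member and on the management interface at the same time (for instance `tcpdump -n -l -i vlan10` and `tcpdump -n -l -i em0`) and look for a SYN that was seen entering on the bridge member and then, with the same source, destination, ports and sequence number, leaving on the management interface. Such a packet was re-injected into the IP stack and routed out the interface with an address instead of being bridged on. The interface names, addresses and the capture lines below are constructed for the example and are not from the original post.

```python
"""Spot deferred SYNs that left a bridged firewall via the management interface.

Added example, not code from the thread.  It assumes two tcpdump -n captures
taken at the same time on the same firewall: one on a bridge member (the
VLAN carrying user traffic) and one on the management interface (the only
interface with an IP address).  Capture lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed capture from the bridge member (tcpdump -n -l -i vlan10).
BRIDGE_VLAN10 = """
08:13:01.000010 IP 10.20.0.5.40001 > 192.168.100.10.22: Flags [S], seq 1000, win 65535, options [mss 1460], length 0
08:13:01.000500 IP 10.20.0.5.40001 > 192.168.100.10.22: Flags [.], ack 1, win 65535, length 0
08:13:02.000010 IP 10.20.0.6.40002 > 10.30.0.9.443: Flags [S], seq 2000, win 65535, options [mss 1460], length 0
"""

# Constructed capture from the management interface (tcpdump -n -l -i em0).
# The first line is the same SYN as on vlan10: it was routed, not bridged.
# The ssh session to the firewall's own management address is legitimate.
MGMT_EM0 = """
08:13:01.000040 IP 10.20.0.5.40001 > 192.168.100.10.22: Flags [S], seq 1000, win 65535, options [mss 1460], length 0
08:13:01.100000 ARP, Request who-has 192.168.100.2 tell 192.168.100.50, length 28
08:13:01.200000 IP 192.168.100.50.55000 > 192.168.100.2.22: Flags [S], seq 7777, win 65535, options [mss 1460], length 0
08:13:01.200300 IP 192.168.100.2.22 > 192.168.100.50.55000: Flags [S.], seq 9999, ack 7778, win 16384, length 0
"""

# One IPv4/TCP line of tcpdump -n output; anything else (ARP, pfsync, ...)
# is ignored by the parser.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?"
)


@dataclass(frozen=True)
class Pkt:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: Optional[int]

    @property
    def key(self) -> Tuple[str, int, str, int, Optional[int]]:
        # Ties the two observations of one packet together; the ISN makes
        # it specific to this SYN rather than to the connection in general.
        return (self.src, self.sport, self.dst, self.dport, self.seq)

    @property
    def is_syn(self) -> bool:
        # tcpdump prints a bare SYN as [S]; a SYN-ACK is [S.].
        return self.flags == "S"


def parse_capture(text: str) -> List[Pkt]:
    """Parse tcpdump -n text into Pkt records, skipping non-TCP lines."""
    pkts = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        seq = m.group("seq")
        pkts.append(Pkt(m.group("ts"), m.group("src"), int(m.group("sport")),
                        m.group("dst"), int(m.group("dport")), m.group("flags"),
                        int(seq) if seq is not None else None))
    return pkts


def misdirected_syns(bridge_capture: str, mgmt_capture: str) -> List[Pkt]:
    """SYNs that entered on the bridge member and were also emitted on the
    management interface, i.e. were routed instead of bridged."""
    bridged = {p.key for p in parse_capture(bridge_capture) if p.is_syn}
    return [p for p in parse_capture(mgmt_capture)
            if p.is_syn and p.key in bridged]


if __name__ == "__main__":
    for p in misdirected_syns(BRIDGE_VLAN10, MGMT_EM0):
        print(f"{p.ts} SYN {p.src}:{p.sport} -> {p.dst}:{p.dport} seq {p.seq} "
              "seen on the bridge member and again on the management interface")
```

The match on the full key (addresses, ports and the sequence number) keeps a client's own retransmitted SYN or a genuine ssh session to the firewall's management address from being reported; only a packet that crossed both capture points is flagged, which is exactly the deferred SYN the thread describes as taking the short path to the management network.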
