On 2006/03/10 12:19, Bryan Irvine wrote:
> On 3/6/06, Bryan Irvine <[EMAIL PROTECTED]> wrote:
> > The problem only happens with remote users that come in via T1 and
> > don't go through the gateway. The machines they are connecting to are
> > using 10.0.0.1 as its gateway and seem to occasionally choke when
> > receiving an icmp-redirect from 10.0.0.2 (or 10.0.0.3 depending on
> > which one is master) when it has queried 10.0.0.1.
Your post is missing a bit of information about the network, but if I'm not mistaken you sometimes have the start of the connection not passing through either firewall? If that's the case, either make sure you allow packets from established connections that you don't have state for (this means you lose some of the protection of PF's stateful checking), i.e. don't use flags S/SA in the relevant rules... or rearrange the network routing so you don't need redirects (if you want advice on this you'll definitely need to post more details about the carp/PF setup, how the affected users reach the relevant hosts, etc.: output from netstat -rn and ifconfig at strategic places will help illustrate; the PF ruleset may help too).
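To make the first option concrete, here is an added pf.conf fragment (not from the original thread or from any poster) contrasting the strict SYN-only stateful rule with the relaxed form the reply suggests. The interface name, the `$servers` and `$remote_net` macros and the port are assumptions for illustration; only the 10.0.0.1-10.0.0.3 addresses come from the thread. In the asymmetric case described, the firewall sees only the server's side of the conversation (the replies leaving via 10.0.0.1), so the rule that matters is the one matching that direction.

```pf
# Added example, not part of the original thread.
# Assumed macros: the internal interface and host/network names are
# placeholders; adjust to the real carp/PF setup.
int_if     = "em0"
servers    = "{ 10.0.0.10, 10.0.0.11 }"   # hypothetical LAN hosts
remote_net = "192.0.2.0/24"               # hypothetical T1 users

# Strict form: state is created only by the SYN of a new connection.
# When the client's SYN arrived at the server directly over the T1
# (bypassing this firewall), the server's SYN-ACK leaving here matches
# no state and is not a SYN, so this rule drops it.
pass out on $int_if proto tcp from $servers to $remote_net port 22 \
    flags S/SA keep state

# Relaxed form described in the reply: no flags restriction, so state
# is created from whatever packet of the connection shows up first.
# Trade-off: PF's TCP window/sequence tracking starts from an unknown
# point, so part of the stateful protection is lost.
pass out on $int_if proto tcp from $servers to $remote_net port 22 \
    keep state
```

Only one of the two `pass out` rules should be active for a given flow; they are shown together for comparison. A rule without `keep state` at all is purely stateless in PF of that era, which is the other way to let mid-connection packets through. `pfctl -nf /etc/pf.conf` syntax-checks the file without loading it.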