Hello,

We have a PF box in bridge mode sitting between "the network" and two
servers on the network:

Outside Interface (rl0): 10.111.1.30
Inside Interface  (sk0): no IP address

The three servers behind the PF box are connected via a switch connected
to the inside interface: 

Server 1: 10.111.1.25
Server 2: 10.111.1.33
Server 3: 10.111.1.34

So the basic layout is:

PF Box -> Switch (inside int) -> Servers 1-3

The bridge appears to be working, and we have the rules set to basically
allow anything (for testing purposes).  However, the one thing we want
to do is have any traffic bound for the 10.111.1.30 address to
round-robin through a table that includes all three of the above
servers.  So the rules basically look like this:

# macro definitions (pf.conf requires the '=' and quotes)
outside_if = "rl0"

server1 = "10.111.1.25"
server2 = "10.111.1.33"
server3 = "10.111.1.34"

# persistent table holding the three backend servers
table <roundrobin> persist { \
    $server1, \
    $server2, \
    $server3  \
}

# redirect connections to the VIP to one of the backends, keeping a
# given client on the same backend
rdr on $outside_if proto tcp from any to 10.111.1.30 port 380 -> \
    <roundrobin> round-robin sticky-address

pass in all keep state
pass out all keep state

What we're seeing is that the traffic appears to be balancing correctly,
but connections are being dropped when the transfer of data takes a long
time - it doesn't seem to be a specific amount of time, but transfers of
large files seem to time out and lose connectivity before they are
finished.  Brief connections (only a few small files or a small amount
of data) get through just fine.

Can anybody shed some light on what's going on?  I apologize if the
rules above aren't exact - we're doing these from memory because we're
not currently logged in to it.  We are receiving no errors when running
pfctl -nf /etc/pf.conf, so it doesn't appear to be a syntax error.  

Any help will be greatly appreciated!

Thanks,
Mike Sweetser
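As an added diagnostic helper (not part of the original post), the script below takes the text of `pfctl -si` and `pfctl -s state` and reports the two things worth checking for a symptom like this: whether pf's state-mismatch counter is climbing (packets silently dropped for not matching a state) and how the existing states are spread across the rdr backends. The sample pfctl output is constructed; it assumes the usual pfctl layout where the translated (backend) address is printed first and the original 10.111.1.30 address in parentheses.

```shell
#!/bin/sh
# Diagnostic helper for the bridge/rdr setup above (added example, not the
# poster's configuration). Feed it real output with:
#   drop_verdict "$(pfctl -si)"; backend_states "$(pfctl -s state)"

# Constructed sample of the relevant `pfctl -si` lines.
SAMPLE_INFO='State Table                          Total             Rate
  current entries                        3
Counters
  match                                 42            0.1/s
  memory                                 0            0.0/s
  state-mismatch                        17            0.0/s
  state-insert                           0            0.0/s'

# Constructed sample of `pfctl -s state` with states created by the rdr rule.
# Assumed layout: backend address first, original VIP in parentheses.
SAMPLE_STATES='all tcp 10.111.1.25:380 (10.111.1.30:380) <- 192.0.2.10:51000   ESTABLISHED:ESTABLISHED
all tcp 10.111.1.33:380 (10.111.1.30:380) <- 192.0.2.11:51001   ESTABLISHED:ESTABLISHED
all tcp 10.111.1.25:380 (10.111.1.30:380) <- 192.0.2.10:51002   ESTABLISHED:ESTABLISHED'

# counter NAME INFO_TEXT: print the Total column of one `pfctl -si` counter.
counter() {
    printf '%s\n' "$2" | awk -v name="$1" '$1 == name { print $2; exit }'
}

# backend_states STATES_TEXT: count states per backend (third field, port
# stripped); prints "addr count" lines sorted by address.
backend_states() {
    printf '%s\n' "$1" | awk '{
        sub(/:[0-9]+$/, "", $3); n[$3]++
    } END { for (a in n) print a, n[a] }' | sort
}

# drop_verdict INFO_TEXT: explain the state-mismatch counter in one line.
# A non-zero, growing value means pf is discarding packets of live
# connections because they no longer match the state it holds for them.
drop_verdict() {
    m=$(counter state-mismatch "$1")
    if [ "${m:-0}" -gt 0 ]; then
        echo "state-mismatch=$m: pf is dropping packets that do not match an existing state"
    else
        echo "state-mismatch=0: pf state tracking is not dropping packets"
    fi
}

drop_verdict "$SAMPLE_INFO"
backend_states "$SAMPLE_STATES"
```

Run the two commands on the box before and during a large transfer; a state-mismatch count that rises while the transfer stalls points at state tracking rather than at the table or the rule syntax.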