Hello,

We have a PF box in bridge mode sitting between "the network" and two servers on the network:

    Outside Interface (rl0): 10.111.1.30
    Inside Interface (sk0):  no IP address

The three servers behind the PF box are connected via a switch connected to the inside interface:

    Server 1: 10.111.1.25
    Server 2: 10.111.1.33
    Server 3: 10.111.1.34

So the basic layout is:

    PF Box -> Switch (inside int) -> Servers 1-3

The bridge appears to be working, and we have the rules set to basically allow anything (for testing purposes). However, the one thing we want to do is have any traffic bound for the 10.111.1.30 address round-robin through a table that includes all three of the above servers. So the rules basically look like this:

    # interface and server macros
    outside_if = "rl0"
    server1 = "10.111.1.25"
    server2 = "10.111.1.33"
    server3 = "10.111.1.34"

    # backends to balance across
    table <roundrobin> persist { \
        $server1, \
        $server2, \
        $server3 \
    }

    # send inbound tcp/380 for the outside address to a backend,
    # keeping each client on the backend it was first given
    rdr on $outside_if proto tcp from any to 10.111.1.30 port 380 \
        -> <roundrobin> round-robin sticky-address

    pass in all keep state
    pass out all keep state

What we're seeing is that the traffic appears to be balancing correctly, but connections are being dropped when the transfer of data takes a long time. It doesn't seem to be a specific amount of time, but transfers of large files seem to time out and lose connectivity before they are finished. Brief connections (only a few small files or a small amount of data) get through just fine.

Can anybody shed some light on what's going on? I apologize if the rules above aren't exact; we're doing these from memory because we're not currently logged in to it. We are receiving no errors when running pfctl -nf /etc/pf.conf, so it doesn't appear to be a syntax error.

Any help will be greatly appreciated!

Thanks,
Mike Sweetser
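When a pf rdr pool behaves as described above (balancing looks right, but long-lived connections die), two things worth checking on the box are the state table itself and the TCP state timeouts pf is applying. The script below is an added example, not code from the original post; it parses the output of `pfctl -ss` (to count redirect states per backend for the virtual address and to spot clients that were handed more than one backend despite sticky-address) and of `pfctl -st` (to list the tcp.* timeouts that bound how long an idle or half-closed connection survives). The sample output embedded here is constructed for the example: the backend/virtual addresses and port are the ones from the post, the client addresses are made up, and the line layout assumes the `pfctl -ss` / `pfctl -st` formats of OpenBSD-era pf.

```python
"""Checks for a pf rdr round-robin pool: state distribution and TCP timeouts.

Added example; not from the original post.  Assumes the classic pfctl output
formats:
  pfctl -ss : "all tcp <backend>:<p> (<vip>:<p>) <- <client>:<p>   S:S"
  pfctl -st : "tcp.established           86400s"
"""
import re
import shutil
import subprocess
from collections import Counter

# Constructed sample output (client addresses are made up).  The last rdr line
# deliberately maps client 192.0.2.12 to a second backend, to show how a
# sticky-address violation is reported.
SAMPLE_PFCTL_SS = """\
all tcp 10.111.1.25:380 (10.111.1.30:380) <- 192.0.2.10:51234       ESTABLISHED:ESTABLISHED
all tcp 10.111.1.33:380 (10.111.1.30:380) <- 192.0.2.11:40001       ESTABLISHED:ESTABLISHED
all tcp 10.111.1.34:380 (10.111.1.30:380) <- 192.0.2.12:40022       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.111.1.25:380 (10.111.1.30:380) <- 192.0.2.10:51240       ESTABLISHED:ESTABLISHED
all tcp 10.111.1.30:22 <- 192.0.2.99:55555       ESTABLISHED:ESTABLISHED
all tcp 10.111.1.33:380 (10.111.1.30:380) <- 192.0.2.12:40030       ESTABLISHED:ESTABLISHED
"""

SAMPLE_PFCTL_ST = """\
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
"""

# Only rdr states carry the "(vip:port)" group; plain states are skipped.
RDR_STATE = re.compile(
    r"^\S+\s+tcp\s+(?P<backend>[\d.]+):(?P<bport>\d+)\s+"
    r"\((?P<vip>[\d.]+):(?P<vport>\d+)\)\s+<-\s+"
    r"(?P<client>[\d.]+):\d+\s+(?P<state>\S+)$"
)
TIMEOUT_LINE = re.compile(r"^(?P<name>tcp\.\w+)\s+(?P<secs>\d+)s$")


def states_per_backend(pfctl_ss_output, vip, vport):
    """Return (Counter of states per backend, {client: set(backends)}) for
    the rdr states whose virtual address:port match vip/vport."""
    per_backend = Counter()
    clients = {}
    for line in pfctl_ss_output.splitlines():
        m = RDR_STATE.match(line.strip())
        if not m or m["vip"] != vip or int(m["vport"]) != vport:
            continue
        per_backend[m["backend"]] += 1
        clients.setdefault(m["client"], set()).add(m["backend"])
    return per_backend, clients


def sticky_violations(clients):
    """Clients that hold states on more than one backend, i.e. for whom
    sticky-address is not keeping them on a single server."""
    return sorted(c for c, backends in clients.items() if len(backends) > 1)


def tcp_timeouts(pfctl_st_output):
    """Map each tcp.* timeout name from `pfctl -st` to its value in seconds."""
    result = {}
    for line in pfctl_st_output.splitlines():
        m = TIMEOUT_LINE.match(line.strip())
        if m:
            result[m["name"]] = int(m["secs"])
    return result


def _capture(args, fallback):
    """Run pfctl if it is present on this host; otherwise use the sample."""
    if shutil.which(args[0]) is None:
        return fallback
    return subprocess.run(args, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    ss = _capture(["pfctl", "-ss"], SAMPLE_PFCTL_SS)
    st = _capture(["pfctl", "-st"], SAMPLE_PFCTL_ST)
    per_backend, clients = states_per_backend(ss, "10.111.1.30", 380)
    print("rdr states per backend:", dict(per_backend))
    print("clients spread over several backends:", sticky_violations(clients))
    for name, secs in sorted(tcp_timeouts(st).items()):
        print(f"{name:<18} {secs:>7}s")
```

On the pf box itself the script reads live `pfctl -ss` / `pfctl -st` output; anywhere else it falls back to the constructed sample so it can be run offline. An uneven per-backend count, or a client listed under "spread over several backends", means the pool is not doing what the rdr line intends; the tcp.* values show the ceiling pf places on each phase of a connection, which is what to compare against how long the failing transfers actually run.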