I know this has been beaten up before but I didn't see this particular issue addressed.
I have dual firewalls (carp'd) with dual ISPs. I perform outbound load balancing per the following lines in pf.conf:

nat on fxp0 from $lan_net to any -> (carp0)
nat on fxp1 from $lan_net to any -> (carp1)
pass in on fxp2 route-to { (fxp0 10.2.2.2), (fxp1 10.3.3.3) } round-robin inet from $lan_net to any keep state
pass out on fxp0 all queue usert
pass out on fxp1 all queue usert

I have users connecting to certain https sites who have some issues. When my users connect to the site they are load balanced and nat'd out my two ISPs. So if the site uses cookies it seems to break the "session". I tried:

pass in on fxp2 route-to { (fxp0 $ext_gw1), (fxp1 $ext_gw2) } round-robin sticky-address proto tcp from $lan_net to any port 443 keep state

But this only seemed to keep a sticky address for each remote IP address. If a site uses multiple IP addresses, say one for the main site and another to process credit cards, my user might hit the main site with an ISP1 address and the processing site with an ISP2 address. This seems to confuse the remote site, which resets the entire session. The theory is that the site cookie is tied to the originating IP address.

So, is there an (easy) way to ensure that a local IP address "always" uses the same ISP? Currently, I gave up and resorted to:

pass in on $int_if route-to { (fxp0 $ext_gw1) } proto tcp from $lan_net to any port 443 keep state

Thanks,
-Steve S.
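One way to make the ISP choice deterministic per client without relying on sticky-address source tracking, as an added example that is not part of the original post: pin each half of the LAN to one ISP for port 443 while everything else keeps round-robin. It reuses the post's rule syntax and gateways; the $lan_net value 192.168.1.0/24 and the /25 split are constructed assumptions.

```pf
# Added example, not from the original post. Assumes $lan_net is
# 192.168.1.0/24 (constructed); gateways are the ones from the post.
lan_net    = "192.168.1.0/24"
lan_half_a = "192.168.1.0/25"
lan_half_b = "192.168.1.128/25"
ext_gw1    = "10.2.2.2"
ext_gw2    = "10.3.3.3"

# NAT stays per ISP interface, so the public address a site sees
# follows whichever route-to decision is made below.
nat on fxp0 from $lan_net to any -> (carp0)
nat on fxp1 from $lan_net to any -> (carp1)

# General traffic: unchanged round-robin load balancing.
pass in on fxp2 route-to { (fxp0 $ext_gw1), (fxp1 $ext_gw2) } round-robin inet from $lan_net to any keep state

# HTTPS: each client always leaves via the same ISP, regardless of how
# many backend IPs the remote site uses. These rules are listed after the
# round-robin rule so that, as the last matching rules, they win for 443.
pass in on fxp2 route-to (fxp0 $ext_gw1) inet proto tcp from $lan_half_a to any port 443 keep state
pass in on fxp2 route-to (fxp1 $ext_gw2) inet proto tcp from $lan_half_b to any port 443 keep state

pass out on fxp0 all queue usert
pass out on fxp1 all queue usert
```

The trade-off is that HTTPS is split by address range rather than by load, so if one half of the LAN is much busier the ISPs will be unevenly used; check with `pfctl -s rules -v` that the 443 rules are the ones accumulating state for the hosts you expect.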