Hello,
I looked into this more. The problem was I didn't keep state on all
interfaces that the clustered traffic would pass through on that
router/bridge. After I put "keep state" on all interfaces that would
see that traffic it started working, so it is possible to do a stateful
firewall.
Very good.
I found an even better way. I put this in /etc/pf.conf on both OpenBSD
boxes and all traffic that gets passed over the bridge is automatically
changed to have a correct mss of 1240:

    scrub on gif0 no-df max-mss 1240
Ahhh, there is the scrub rule I've been waiting for :). I have something
like this on one of my packet filters too.
So after this little bit of magic no changes are needed on the real
servers, and I'm pretty sure that you can have a failover director in
the other location, too, which I need to test to make sure it works
sometime because I have a director in each location.
Good luck and take care,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc