Are you using route-to in your configuration? This has been partly fixed in -current; if the route-to rule is matching on an outbound packet the deferred packet will be routed correctly.
It is still broken in the case where route-to is on the inbound path; this is trickier to fix and I'm still considering options, none of which are very nice. There are several other problems with pfsync that have been fixed in -current, so you'd probably be best off running that, but if it's not possible I HIGHLY recommend moving to 5.1 when it's released.

On Mon, Dec 12, 2011 at 08:13:48AM +0100, Peter Hallin wrote:
> We have a bunch of bridged firewalls and we are now looking into using
> the pfsync "defer" feature to solve some problems with async states
> during failover.
>
> However I discovered that the deferred packets (tcp SYN for example) are
> being sent out on the management interface of the firewall and not on the
> bridged vlan interfaces where they're supposed to go.
>
> In this case the traffic that goes the wrong way is destined for the
> firewall management network, but as it's only the SYN packet that goes
> that way, the firewall protecting the management network will not set a
> state and drop subsequent packets. It probably takes this way because
> it's the shortest path to the other firewalls.
>
> If the defer flag is off, everything works as it should and traffic
> takes the right path.
>
> This has been tested on 4.9/amd64.
>
> Please let me know if I can supply more info, it's a pretty complex
> problem to explain.