Hey all

As part of my rollout today to Openbsd in my datacenter, I had a little
problem, well not entirely little

Here is the layout

8 TS boxes

ip config
192.168.0.20
192.168.0.21
192.168.0.22
192.168.0.23
192.168.0.24
192.168.0.25
192.168.0.26
192.168.0.27

They have a Load Balance IP of 192.168.0.19

All have the same mask and gateway.

Put in mind, client firewalls not changed and the exact setup worked fine when
my datacenter was behind Checkpoint NG

I have rules that say

pass quick log inet proto tcp from <staffsegments> to <TSNLB> port 3389 keep
state

There is also a rule
pass quick log inet from <TSNLB> to <staffsegments> keep state

While on the same segment in my office I can connect to the TS servers using
the load balanced IP but from a branch when try try
they just keep getting the connecting screen in RDP until it times out.

The rules are showing no blocks

There is no blocking over the VPN for the clients side at all. .All controls
done on the datacenter side

If I bypass the NLB ip on the client side and put in a redirect to so no
client changes are needed, it allows them to connect directly to one of the
ips above
rdr on $staff proto tcp from $staffseg to 192.168.0.19 port 3389 ->
192.168.0.20

Thus, this makes me see it as an issue with the keep state on the NLB ip,
which doesn't make alot of sense since the setup was 100% on checkpoint

Has anyone had an issue like this and have any recommendations?

Thanks

James