As you deduced, the way the MS load balancer works is to have a single IP address mapped to a multicast address. Then when a TCP connection starts it responds with an ARP packet to redirect traffic from that host.

> When packets are dnatted to the internal ip, the kernel modifies the
> destination ip and ethernet address of the packet to send to 03:bf; it's
> then passed to the bridge, the bridge can't correlate the 03:bf hardware
> address with any particular interface, fails 'open' and sends the frame
> out of all the interfaces on the bridge (to the 03:bf ether address).

Since it is a multicast address, it isn't bound to any particular interface. The simplest fix would be to just add a filtering rule to block that address leaking back out the other interfaces.
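One way to build that filtering rule, as an added example that is not from this thread: it assumes ebtables on the bridging host, a bridge whose cluster-facing port is eth1 with other ports eth2 and eth3, and it matches only the 03:bf prefix the post mentions through a MAC mask rather than assuming the remaining address bytes.

```shell
# Added example, not from the original post. Emits ebtables rules that stop
# frames addressed to the NLB multicast MAC from being flooded out of bridge
# ports other than the one facing the cluster hosts.
# Assumptions: ebtables is available; port and chain choices are illustrative.

# Only the 03:bf prefix is known from the post; the mask leaves the remaining
# four bytes unconstrained instead of guessing them.
NLB_MAC_MATCH="03:bf:00:00:00:00/ff:ff:00:00:00:00"

# nlb_leak_rules <cluster_port> <other_port>...
# Prints, for every port that is not the cluster-facing one, two rules:
#  - OUTPUT  : frames the host itself routes (e.g. after DNAT) into the bridge
#  - FORWARD : frames bridged in from another port
nlb_leak_rules() {
    cluster_port=$1
    shift
    for port in "$@"; do
        # The cluster-facing port must still carry the frames.
        [ "$port" = "$cluster_port" ] && continue
        printf 'ebtables -A OUTPUT -o %s -d %s -j DROP\n' "$port" "$NLB_MAC_MATCH"
        printf 'ebtables -A FORWARD -o %s -d %s -j DROP\n' "$port" "$NLB_MAC_MATCH"
    done
}

# Show the rules for the assumed layout; pipe into "sh" as root to apply them.
nlb_leak_rules eth1 eth2 eth3
```

Run as root with `nlb_leak_rules eth1 eth2 eth3 | sh` to install the rules; `ebtables -L` afterwards confirms they are in place.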