* Thomas Jacob > So in the scenario described, R1 wouldn't do any stateful packet > filtering for packets to and from the internal server network? But > the connections will be added to the connection tracking table of R1 > nonetheless (unless you use the NOTRACK target in raw), only not with > an ESTABLISHED state which probably means they timeout more often > than needed and you have more insert/remove actions over the > connection tracking hash table, maybe that's the source of your > problem. > > You could try the NOTRACK/raw thing on the (internal-)standby-router, Hmm. I was not aware of NOTRACK/raw. This is very interesting and on first look it seems like exactly the thing I needed. Thank you very much for the pointer! I'll dig into it now. :-) Regards -- Tore Anderson
