Establishing IPsec between these 2 pfsync points is a way to go.
On Sat, May 9, 2009 at 2:44 AM, David DeSimone <f...@verio.net> wrote:
> Sam Wun <swun2...@gmail.com> wrote:
>>
>> Has anyone tried pfsync over a router or WAN?
>> I have read the setup guide for CARP+pfsync; the pfsync interface is
>> connected through a crossover cable. Can I connect 2 pfsync
>> interfaces through a router or WAN?
>
> pfsync(4) talks about this:
>
>     NETWORK SYNCHRONISATION
>     States can be synchronised between two or more firewalls using
>     this interface, by specifying a synchronisation interface using
>     ifconfig(8). For example, the following command sets fxp0 as
>     the synchronisation interface:
>
>         # ifconfig pfsync0 syncdev fxp0
>
>     It is important that the underlying synchronisation interface
>     is up and has an IP address assigned.
>
>     By default, state change messages are sent out on the
>     synchronisation interface using IP multicast packets. The
>     protocol is IP protocol 240, PFSYNC, and the multicast group
>     used is 224.0.0.240. When a peer address is specified using
>     the syncpeer keyword, the peer address is used as a destination
>     for the pfsync traffic, and the traffic can then be protected
>     using ipsec(4). In such a configuration, the syncdev should
>     be set to the enc(4) interface, as this is where the traffic
>     arrives when it is decapsulated, e.g.:
>
>         # ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0
>
>     It is important that the pfsync traffic be well secured as
>     there is no authentication on the protocol and it would be
>     trivial to spoof packets which create states, bypassing the
>     pf ruleset. Either run the pfsync protocol on a trusted
>     network - ideally a network dedicated to pfsync messages such
>     as a crossover cable between two firewalls, or specify a peer
>     address and protect the traffic with ipsec(4).
>
>     For pfsync to start its operation automatically at the system
>     boot time, pfsync_enable and pfsync_syncdev variables should be
>     used in rc.conf(5). It is not advisable to set up pfsync with
>     common network interface configuration variables of rc.conf(5)
>     because pfsync must start after its syncdev, which cannot be
>     always ensured in the latter case.
>
> Syncing over a WAN doesn't seem like it would make sense, offhand.
> Normally you pfsync between devices that will be able to provide routing
> for a firewalled connection. A device far across a WAN doesn't seem
> like it would be able to provide redundant service. But that's up to
> your design, I suppose.
>
> Syncing across a LAN could make sense, but you will want to take steps
> to secure the traffic.
>
> --
> David DeSimone == Network Admin == f...@verio.net
>   "I don't like spinach, and I'm glad I don't, because if I
>    liked it I'd eat it, and I just hate it." -- Clarence Darrow
>
>
> This email message is intended for the use of the person to whom it has been
> sent, and may contain information that is confidential or legally protected.
> If you are not the intended recipient or have received this message in error,
> you are not authorized to copy, distribute, or otherwise use this message or
> its attachments. Please notify the sender immediately by return e-mail and
> permanently delete this message and any attachments. Verio, Inc. makes no
> warranty that this email is error or virus free. Thank you.
> _______________________________________________
> freebsd...@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
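As an added example that is not part of the thread or of pfsync(4), the following script audits a FreeBSD rc.conf against the man-page guidance quoted above: multicast pfsync with no syncpeer (unauthenticated, only defensible on a dedicated link) versus a syncpeer whose syncdev is the enc(4) interface that IPsec delivers to. It assumes rc.conf(5)'s pfsync_syncpeer variable alongside the pfsync_enable and pfsync_syncdev named in the quote, and runs on constructed sample files.

```shell
#!/bin/sh
# Added audit script (not from the thread or pfsync(4)): read a FreeBSD rc.conf
# and flag the pfsync deployments the man page warns about. Assumes the
# rc.conf(5) variables pfsync_enable, pfsync_syncdev and pfsync_syncpeer.

# rc_get FILE VAR: print VAR's value (quotes and trailing comment stripped; last wins)
rc_get() {
    awk -F= -v k="$2" '
        $1 == k { v = $2; sub(/[ \t]*#.*$/, "", v); gsub(/"/, "", v) }
        END { print v }' "$1"
}

# pfsync_audit FILE: print findings; exit 0 if acceptable, 1 if it needs review
pfsync_audit() {
    enable=$(rc_get "$1" pfsync_enable)
    dev=$(rc_get "$1" pfsync_syncdev)
    peer=$(rc_get "$1" pfsync_syncpeer)
    rc=0
    case $enable in
        [Yy][Ee][Ss]) ;;
        *) echo "OK: pfsync not enabled"; return 0 ;;
    esac
    if [ -z "$dev" ]; then
        echo "FAIL: pfsync_syncdev unset; pfsync must start after its syncdev"
        rc=1
    fi
    if [ -z "$peer" ]; then
        # No syncpeer: unauthenticated multicast (IP proto 240 to 224.0.0.240).
        # Any host on the syncdev segment can inject states, so this is only
        # acceptable on a dedicated link such as a crossover cable.
        echo "WARN: multicast pfsync on ${dev:-?} with no syncpeer; needs a dedicated link"
        rc=1
    else
        case $dev in
            enc*) echo "OK: unicast pfsync to $peer over $dev, covered by the IPsec policy" ;;
            *)    echo "FAIL: syncpeer $peer set but syncdev=$dev is not enc(4); unprotected"
                  rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed sample rc.conf fragments (placeholder interfaces and address).
TMP=$(mktemp -d)
WEAK_RC=$TMP/rc.conf.weak
HARDENED_RC=$TMP/rc.conf.hardened
printf 'pfsync_enable="YES"\npfsync_syncdev="em1"   # shared office LAN\n' > "$WEAK_RC"
printf 'pfsync_enable="YES"\npfsync_syncpeer="10.0.0.2"\npfsync_syncdev="enc0"\n' > "$HARDENED_RC"

for f in "$WEAK_RC" "$HARDENED_RC"; do
    pfsync_audit "$f" || echo "=> $f needs attention"
done
```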