Hi Maxim,
Thanks for your feedback. The firewall setup is productive already
so I don't really want to mess it up with compiling right now. I'de rather
wait for an official patch or upgrade to OpenBSD 5.1 next May.
So in the
meantime and as suggested I have used adaptive.start/.end to keep the states
at a reasonable value on the on the backup firewall with:
set timeout {
adaptive.start 10000, adaptive.end 30000 }
So despite this small issue, is
the fail-over with keeping states still functional?
Regards,
ML
-----
Original Message -----
From: Maxim Bourmistrov <m...@alumni.chalmers.se>
To: ML
mail <mlnos...@yahoo.com>
Cc: "misc@openbsd.org" <misc@openbsd.org>
Sent:
Wednesday, November 9, 2011 10:30 AM
Subject: Re: pfsync states growing on
carp backup firewall
You might test to pull down if_pfsync.c from -current
or
flush states much sooner on failover with pf.conf (adaptive.start
adaptive.end)
//maxim
On Nov 9, 2011, at 9:49 AM, ML mail wrote:
> Hi,
>
>
I am running OpenBSD 5.0 amd64 on two firewalls using CARP (one master
> and
one backup) for redundancy/fail-over purpose. Now on the backup firewall I
>
noticed that the states synchronised using pfsync on a dedicated NIC with a
>
cross-over cable are at least double as much as on the master firewall. So for
> example right now there are 15k states on the master firewall and 40k on the
> backup firewall. From my understanding these numbers should pretty much
>
correlate.
>
> I don't have the feeling I've been doing anything wrong
neither as
> I have documented myself about how configuring CARP and have been
running it
> successfully before using OpenBSD 4.4 (I just re-installed with
OpenBSD 5.0).
> Just in case here are the relevant hostname.* config files:
>
> #
> /etc/hostname.em7 (master fw)
> inet 10.10.10.1 255.255.255.0
>
> #
>
/etc/hostname.em7 (backup fw)
> inet 10.10.10.2 255.255.255.0
>
>
> #
>
/etc/hostname.pfsync0 (master fw)
> up syncpeer 10.10.10.2 syndev em7
>
> #
>
/etc/hostname.pfsync0 (backup fw)
> up syncpeer 10.10.10.1 syndev em7
>
>
Could it
> be that my cross-over cable is somehow faulty? or my config is
wrong?
>
> Thanks
> for the feedback.
>
> Regards,
> ML
