On 2012-06-13 09:55, Insan Praja SW wrote:
Hi,
On Wed, 13 Jun 2012 08:07:31 +0700, Stuart Henderson <s...@spacehopper.org> wrote:
On 2012-06-12, Simon Perreault <simon.perrea...@viagenie.ca> wrote:
On 2012-06-12 14:08, Bernd wrote:
I've got two OpenBSD 5.1-stable/amd64 boxes employed which do all the routing for our AS (OpenBGPd and OpenOSPFd). I see asymmetric traffic (I thought it to be that way), which itself doesn't really create problems.
However, I see problems with ICMP. pf seems to drop all but the first response from any of the hosts within our network (seen from the Internet).
Any idea how to deal with this? As soon as I turn off pf, everything runs smoothly.
Without having the details of your setup, the big principle is: pf is stateful (by default). Statefulness doesn't play well with asymmetric routing. I'm sure if you investigate a little bit more you'll discover it's not limited to ICMP.
In the end the solution will be one of: remove statefulness, avoid asymmetric routing, or share state with pfsync.
If using pfsync for this, you would want to look at "defer", see pfsync(4).
I think I had the same problem. Please visit
http://marc.info/?l=openbsd-misc&m=133957370427451&w=2
I saw it and instantly wished I'd have seen your mail about 24 hours earlier... ;)
Sloppy states might be more appropriate for this scenario though, and would let you use other things which require state tracking, e.g. pflow(4).
Thanks,
Insan Praja
Best,
Bernd
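The three pf-side options named in the thread (no state, sloppy states, pfsync with defer), written out as a pf.conf sketch. This is an added example, not configuration posted by anyone in the thread; the interface names, the sync interface and the 192.0.2.0/24 prefix are placeholders chosen for illustration.

```conf
# Constructed pf.conf fragment for a router that sees only one direction
# of some flows. Pick ONE of the alternatives; B is the active one here.
ext_if  = "em0"     # assumed: upstream-facing interface
int_if  = "em1"     # assumed: inside-facing interface
sync_if = "em2"     # assumed: dedicated link between the two routers
table <ournets> { 192.0.2.0/24 }   # documentation prefix, placeholder

# Alternative A: remove statefulness for transit traffic.
# With "no state" no state entry exists to match return packets, so every
# direction on every interface needs its own explicit rule.
#pass in  quick on $ext_if from any to <ournets> no state
#pass out quick on $int_if from any to <ournets> no state
#pass in  quick on $int_if from <ournets> to any no state
#pass out quick on $ext_if from <ournets> to any no state

# Alternative B: keep state, but with the sloppy tracker.
# pf.conf(5): sloppy does not check TCP sequence numbers at all, which
# makes insertion and ICMP teardown attacks easier, and it cannot be
# combined with "modulate state" or "synproxy state". State still exists,
# so state-based features such as pflow(4) remain usable:
#   ... keep state (sloppy, pflow)
pass quick from any to <ournets> keep state (sloppy)
pass quick from <ournets> to any keep state (sloppy)

# Alternative C: normal (strict) state, shared between both routers.
# Configured on the pfsync interface rather than in pf.conf, on BOTH boxes,
# e.g. in /etc/hostname.pfsync0:
#   up syncdev em2 defer
# "defer" holds the first packet of a new state until the peer has
# acknowledged the state, so the reply arriving at the other router
# already finds a matching entry; see pfsync(4).
#pass quick on $sync_if proto pfsync keep state (no-sync)
#pass quick from any to <ournets>
#pass quick from <ournets> to any
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and with `pfctl -ss -v` afterwards to confirm which state entries each router actually holds.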