Might have been PF reassemble that had issues with fragments coming in to different hosts, where at least one of the active PFs would be waiting forever for the missing pieces to arrive also. The solution was to not PF on routers anyhow, and that is good separation of duties in any case.
2013/9/4 andy <a...@brandwatch.com>

> On Wed, 4 Sep 2013 15:19:07 +0200, Janne Johansson <icepic...@gmail.com>
> wrote:
> > Our ospfd boxes didn't like having PF on during failovers, while having
> > ospf redundancy upwards and carp redundancy downwards, since PF normally
> > doesn't like when it can't see the whole flow. Perhaps doing sloppy-states
> > could have "fixed" it, perhaps no-state could have done it, but in the end,
> > we decided to use routers as routers and FWs as FWs. HW is cheap today.
> >
>
> Yeah, that's what I thought from reading other people's experiences with
> active-active etc. We will have BGP (v4 and v6) upstream, OSPFv4 up,
> OSPFv6 up and down, and CARP (v4 and v6) up and down.. (i.e. RFC1918
> internally so v4 with NAT, but v6 fully routed).
> All this considered I think we should stick with active-backup.
> Andy
>
> > 2013/9/4 andy <a...@brandwatch.com>
> >
> >> On Mon, 02 Sep 2013 09:56:46 -0400, John Jasen
> >> <jja...@realityfailure.org> wrote:
> >> > Please forgive the top posting.
> >> >
> >> > If you have enough systems, can you hit the performance goals with carp
> >> > and active load balancing?
> >> >
> >>
> >> I did think about that but these boxes will also be running OpenOSPFd and
> >> OpenBGPd (will be our WAN edge), and so to add active-active CARP load
> >> balancing could prove very problematic??? Anyone with any experience on BGP
> >> and OSPF with active-active?
> >>
> >> Cheers, andy.
> >>
> >> > On 09/02/2013 09:53 AM, Andy wrote:
> >> >> If only you could 'buy' more time or make days longer.. ;)
> >> >>
> >> >> Because I know the OpenBSD developers are working hard on this and take
> >> >> it very seriously, we have decided that we are going to continue to use
> >> >> OpenBSD for these new 10G firewalls because the initial load is only
> >> >> going to be around 500-600kpps. We are currently getting ~450kpps using
> >> >> HP DL160's, and this hardware should be much more powerful than those.
> >> >>
> >> >> And I have faith ;) that by the time our load increases MP networking
> >> >> will be available.
> >> >>
> >> >> Also I'm very willing to beta test the new ALTQ code? I was chatting to
> >> >> Theo briefly a few weeks back and he said I should ask for the code but
> >> >> I cannot remember who in the team he said I should message for this?
> >> >> I'm not a coder but I'm happy to contribute as and where I can :)
> >> >>
> >> >> Andy.
> >> >>
> >> >> On Mon 02 Sep 2013 13:02:42 BST, Kenneth R Westerback wrote:
> >> >>> On Mon, Sep 02, 2013 at 01:41:58PM +0200, Denis Fondras wrote:
> >> >>>> Hi Mike,
> >> >>>>
> >> >>>> On 02/09/2013 13:21, Mike Belopuhov wrote:
> >> >>>>> We are trying to address problems with MP networking right now,
> >> >>>>> but due to the lack of manpower the progress is slow.
> >> >>>>>
> >> >>>> What would you need to accelerate? Developers, testers, time, money,
> >> >>>> hardware, something else?
> >> >>>>
> >> >>>> Denis
> >> >>>
> >> >>> All of the above. If you can provide time especially I'm sure Mike would
> >> >>> be very interested in having more of it. :-)
> >> >>>
> >> >>> .... Ken
> >> >
> >> > --
> >> > -- John Jasen (jja...@realityfailure.org)
> >> > -- No one will sorrow for me when I die, because those who would
> >> > -- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring
> >>
> >> -- May the most significant bit of your life be positive.
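The three pf knobs the thread circles around (the default strict state tracking that breaks when an active-active pair sees only half a flow, the sloppy-state and no-state alternatives Janne mentions, and the fragment reassembly that left one box "waiting forever") as a pf.conf fragment. This is an added illustration, not configuration posted by anyone in the thread; interface names and the LAN prefix are placeholders.

```pf
# Added illustration of the pf.conf(5) options discussed in the thread.
# Not a config from the thread. Interface names and prefixes are placeholders.
ext_if  = "em0"
int_if  = "em1"
lan_net = "10.0.0.0/24"          # RFC1918 inside, NATed v4, as in the thread

# Default behaviour (what the ospfd boxes hit): full stateful TCP tracking.
# With asymmetric paths through two active routers, each pf sees only one
# direction of a flow and drops segments whose sequence numbers fall outside
# the window it can compute, so failovers and ECMP paths break flows.
#   pass in  on $int_if inet proto tcp from $lan_net to any keep state
#   pass out on $ext_if inet proto tcp from $lan_net to any keep state

# Option 1: sloppy states. pf still creates a state entry and still filters
# statefully, but skips the TCP sequence-window checks, so a flow whose
# return path crosses the peer router is not dropped. The cost is that the
# window checks which catch out-of-window or spoofed segments are gone for
# these rules, so log and watch these flows elsewhere if that matters.
pass in  on $int_if inet proto tcp from $lan_net to any keep state (sloppy)
pass out on $ext_if inet proto tcp from $lan_net to any keep state (sloppy)

# Option 2: no state for transit traffic. Every packet is matched against the
# ruleset on its own and nothing waits for the other half of a flow. The box
# is now a stateless packet filter: replies must be allowed explicitly,
# because no state entry will match them. This is the point at which it is
# cleaner to let the router route and put the stateful firewall elsewhere.
pass in  on $ext_if inet proto tcp from any to $lan_net no state
pass out on $int_if inet proto tcp from any to $lan_net no state

# Fragments: a router that may receive only some fragments of a datagram
# (the rest went via the peer) should not buffer them waiting for the rest.
# Trade-off: with reassembly off, rules see only the first fragment's headers,
# so this belongs on a pure router, not on the stateful firewall.
set reassemble no
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; a sloppy-state rule that loses its `(sloppy)` option silently reverts to the strict tracker that caused the failover problem in the first place.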