On 2015-02-13, Adam Thompson <athom...@athompso.net> wrote:
> I've got two OpenBSD 5.6-STABLE (courtesy of M:Tier packages, thanks 
> guys!) BGP routers running carp & pfsync between them for some of the 
> "internal" interfaces.  Yes, I probably should have done this using two 
> routers, two firewalls & ECMP, but I didn't have enough hardware, so I 
> collapsed the firewall function onto the routers and used CARP instead 
> of ECMP for outbound traffic.

That should work - I'm doing exactly this (though not 5.6-stable) on the
routers in front of a machine that I have long-running connections to and
I'd definitely notice problems like this.

Some differences compared to your setup, though I don't see why they
would change anything: my syncdev is a directly cabled connection, I'm
using the default multicast setup not syncpeer, I'm not using pflow.

> So... at this point, what problem indicators (counters? log messages?) 
> should I be looking at or monitoring?

pfctl -si might give some clues. One common problem: is your state limit
sufficiently high? (will show as "memory" iirc).

You might either need to set the "defer" flag on the pfsync(4) interface,
or use "flags any" on your pf rules, to cope with incoming and outgoing
traffic taking different paths.
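A monitoring check for the indicators mentioned in this reply, as an added example that is not from the original thread: it parses output shaped like `pfctl -si` and `pfctl -sm` for the `memory` counter, the state table's fill against the `states hard limit`, and the `state-mismatch` counter. The sample output and its values are constructed, not taken from the poster's routers.

```shell
#!/bin/sh
# Added example, not from the original thread: parse pfctl(8) status output for the
# indicators discussed: the "memory" counter (state allocation failed, i.e. the state
# limit was reached), state table fill against the `pfctl -sm` hard limit, and
# "state-mismatch" (packets failing an existing state's sequence/flag checks, which
# asymmetric paths can cause). Samples are constructed to mimic OpenBSD formatting;
# on a live router run: pf_check "$(pfctl -si)" "$(pfctl -sm)"
SAMPLE_SI='State Table                          Total             Rate
  current entries                     9850
  inserts                            20311            4.1/s
Counters
  match                              40000            8.0/s
  memory                                37            0.2/s
  state-mismatch                      1532            5.5/s
  state-limit                            0            0.0/s'
SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     1024'

# pf_counter NAME (stdin: pfctl -si) -> Total column of that counter, 0 if absent
pf_counter() {
    awk -v n="$1" '$1 == n { print $2; f = 1 } END { if (!f) print 0 }'
}
# pf_state_entries (stdin: pfctl -si) -> "current entries" value
pf_state_entries() {
    awk '$1 == "current" && $2 == "entries" { print $3; f = 1 } END { if (!f) print 0 }'
}
# pf_state_limit (stdin: pfctl -sm) -> states hard limit
pf_state_limit() {
    awk '$1 == "states" { print $4; f = 1 } END { if (!f) print 0 }'
}
# pf_state_pct CURRENT LIMIT -> integer percent of the state table in use
pf_state_pct() {
    [ "$2" -gt 0 ] && echo $(( $1 * 100 / $2 )) || echo 0
}
# pf_check SI_TEXT SM_TEXT -> prints findings; returns 1 if a warning fired
pf_check() {
    mem=$(printf '%s\n' "$1" | pf_counter memory)
    mism=$(printf '%s\n' "$1" | pf_counter state-mismatch)
    cur=$(printf '%s\n' "$1" | pf_state_entries)
    lim=$(printf '%s\n' "$2" | pf_state_limit)
    pct=$(pf_state_pct "$cur" "$lim")
    rc=0
    [ "$mem" -gt 0 ] && { echo "WARN: memory=$mem, state limit reached (raise 'set limit states')"; rc=1; }
    [ "$pct" -ge 90 ] && { echo "WARN: state table ${pct}% full ($cur/$lim)"; rc=1; }
    [ "$mism" -gt 0 ] && echo "INFO: state-mismatch=$mism, check pfsync defer / 'flags any'"
    return $rc
}

pf_check "$SAMPLE_SI" "$SAMPLE_SM" || echo "one or more indicators fired"
```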
