On 6/7/2020 5:21 PM, Markus Wernig wrote:
> I don't see that behaviour on my carp pair. Are you using a cross-link
> cable between the two firewalls? (You shouldn't, in my experience.)
Yes, I am using a direct link between the two physical firewalls. It
seems to be the configuration recommended by the documentation?
https://www.openbsd.org/faq/pf/carp.html
"The firewalls are connected back-to-back using a crossover cable on em1."
As well as in 'man pfsync':
"Only run the pfsync protocol on a trusted network - ideally a network
dedicated to pfsync messages such as a crossover cable between two
firewalls."
"A crossover cable connects the two firewalls via their sis2 interfaces."
Is this no longer a best practice?
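For reference, the dedicated-link layout the quoted FAQ and pfsync(4) text describes, written out as an added example (not taken from the FAQ, the manual or either poster). It assumes em0 is the LAN side carrying carp and em1 is the back-to-back crossover link; all addresses are constructed, and the second firewall mirrors it with 10.0.0.2 and a higher advskew.

```conf
# /etc/hostname.em1  -- crossover link; constructed point-to-point addressing
inet 10.0.0.1 255.255.255.252

# /etc/hostname.pfsync0  -- state synchronisation only over the crossover link
up syncdev em1

# /etc/hostname.carp0  -- shared LAN address (constructed values, placeholder secret)
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass <shared-secret> advskew 0

# /etc/pf.conf excerpt  -- pfsync messages are not authenticated, so nothing but
# pfsync is accepted on the crossover link, and pfsync is accepted nowhere else;
# carp advertisements stay on the LAN interface.
ext_if  = "em0"
sync_if = "em1"
block in on $sync_if all
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on $ext_if proto carp keep state (no-sync)
```

The cable itself is just the cheapest way to get a segment that no other host shares; where that is not possible, pfsync(4) describes protecting the traffic with IPsec instead.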