On 2020-06-08, Markus Wernig <liste...@wernig.net> wrote:
> On 6/9/20 12:27 AM, Paul B. Henson wrote:
>
>> Yes, I am using a direct link between the two physical firewalls.
> [...]
>> Is this no longer a best practice?
>
> If it's in the documentation, I suppose it still is.
>
> But I have found it problematic, because taking down one firewall, or
> even only its sync interface, will automatically demote the sync
> interface on the other one, which then will affect the whole carp group,
> if the interface is part of that group.
That is exactly what Paul's suggestion would help with. IME the best setup for pfsync between 2 machines is to use a dedicated cross-connect (preferably configured for jumbo frames). Obviously that's not possible with >2 machines though. I'm undecided what's best to do with the group by default. But I never use syncpeer for that config, just the default with multicast, which I think is quite common - changing group based on whether or not syncpeer is used doesn't make sense to me.
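For readers who want to see what the setup discussed above looks like on disk, here is an added example of OpenBSD hostname.if(5) files for one of the two firewalls; it is not configuration from either poster. It assumes a dedicated back-to-back link on em2 with jumbo frames, the default multicast pfsync mode (no syncpeer), and a carp0 shared address on em0. The interface names, the 10.255.255.0/30 link addresses, the 192.0.2.0/24 example range, and the CHANGE_ME passphrase are all placeholders chosen for the example.

```conf
# /etc/hostname.em2  (assumed name of the dedicated cross-connect)
# Point-to-point sync link; both ends must use the same MTU for jumbo
# frames to work, and nothing else should be attached to this cable.
inet 10.255.255.1 255.255.255.252
mtu 9000
up

# /etc/hostname.pfsync0
# Default mode: state updates are multicast on the syncdev, no syncpeer.
# pfsync0 remains in the "carp" interface group (the default), so a lost
# or unsynchronised sync link raises the demotion counter for every carp
# interface in that group, which is the behaviour Markus describes.
up syncdev em2

# /etc/hostname.carp0  (shared address on the outside interface, assumed em0)
# advskew 0 on the preferred master; the peer uses a higher advskew
# (for example 100) and the mirrored link address 10.255.255.2.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass CHANGE_ME advskew 0
```

The second firewall carries the same three files with the other end of the /30 and a higher advskew. `ifconfig -g carp` shows the group's current demotion counter, which is the quickest way to confirm whether a dropped sync link is what moved the carp master. If that coupling is not wanted, `ifconfig pfsync0 -group carp` takes the sync interface out of the group so that pfsync state alone no longer influences carp failover; that trades automatic demotion for the risk of failing over to a peer whose state table is stale, so it is a deliberate choice rather than a free improvement.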