On 6/9/2020 7:36 AM, Stuart Henderson wrote:

> IME the best setup for pfsync between 2 machines is to use a dedicated
> cross-connect (preferably configured for jumbo frames). Obviously that's
> not possible with >2 machines though.

Hmm, I had never considered using jumbo frames. It looks like, based on the traffic level on my systems, the packets are generally below the default 1500 MTU anyway, so it probably wouldn't help.

12:16:27.564940 lisa-bart.pbhware.com: PFSYNCv6 len 896
12:16:28.023806 lisa-bart.pbhware.com: PFSYNCv6 len 712
12:16:28.195774 bart-lisa.pbhware.com: PFSYNCv6 len 276
12:16:28.207817 lisa-bart.pbhware.com: PFSYNCv6 len 528

> I'm undecided what's best to do with the group by default. But I never
> use syncpeer for that config, just the default with multicast, which
> I think is quite common - changing group based on whether or not
> syncpeer is used doesn't make sense to me.

I guess multicast would work too for a direct peer relationship, but it just seemed more accurate to explicitly configure the two peers.

Some documentation regarding the interaction of pfsync and the carp group might be helpful, along with a suggestion to remove the carp group from the pfsync interface in certain deployment scenarios. It would also be nice to document the dependency on the two rule sets being exactly identical in order to properly replicate rule-specific state timeouts between them. It took me a while to sort out why that was failing. Maybe I will try to write something up; the source for the pfsync man page is in CVS, but where is the source for web pages such as:

https://www.openbsd.org/faq/pf/carp.html#pfsyncop

Thanks…
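The "rule sets must be exactly identical" requirement above is easy to get wrong by a single rule. The following is an added example, not code from this thread or from OpenBSD: it compares the `pfctl -sr` dumps of two pfsync peers line by line and reports the first rule that differs, so a peer that falls back to default timeouts can be traced to a concrete rule. It assumes each peer's ruleset was dumped with `pfctl -sr` and both dumps were copied to one machine; the peer names `lisa` and `bart` and the sample rules in `demo` are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenBSD): compare the loaded
# pf ruleset of two pfsync peers line by line. pfsync refers to a state's
# rule by its position in the ruleset, so the peer can only apply a rule's
# own state timeouts when its ruleset matches line for line, in order.
# Assumes both dumps were produced with:  pfctl -sr > rules.<host>
# and copied here (e.g. with scp) before running:  sh rulediff.sh A B

set -u

# ruleset_diff LEFT RIGHT
# Prints "rulesets match" and returns 0, or prints the first mismatching
# line from each dump (an absent line shows as <missing>) and returns 1.
ruleset_diff() {
    awk -v left="$1" -v right="$2" '
        NR == FNR { a[FNR] = $0; na = FNR; next }   # lines of LEFT
        { b[FNR] = $0; nb = FNR }                   # lines of RIGHT
        END {
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                # test membership before indexing: a[i] would create the key
                la = (i in a) ? a[i] : "<missing>"
                lb = (i in b) ? b[i] : "<missing>"
                if (la != lb) {
                    printf "rule at line %d differs\n", i
                    printf "  %s: %s\n  %s: %s\n", left, la, right, lb
                    exit 1
                }
            }
            print "rulesets match"
        }' "$1" "$2"
}

# demo: constructed dumps for peers "lisa" and "bart"; bart's first rule
# carries a rule-specific timeout that lisa's does not, the situation in
# which the replicated state silently gets the default timeouts instead.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'pass in quick on em0 proto tcp to port 22' \
        'pass out all' > "$d/rules.lisa"
    printf '%s\n' 'pass in quick on em0 proto tcp to port 22 keep state (tcp.established 3600)' \
        'pass out all' > "$d/rules.bart"
    ruleset_diff "$d/rules.lisa" "$d/rules.bart"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ "$#" -ge 2 ]; then ruleset_diff "$1" "$2"; else demo; fi
```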
