On 5/11/22 12:32, Tom Smyth wrote:
Hello Folks,

We are updating some course material for an upcoming PF firewall course,
and I would like to put a call out to those who use PFsync in a
redundant firewall cluster
about your user experience. Have you come across any edge cases?
Have you any tips or tricks about PFSync?
Have you come across any edge cases / minor misconfigurations /
suboptimal configurations that caused problems? Were there some tweaks
you had to make to make your system scale?

It is likely that people who are running PFSync have more complicated
firewall configs,
and I would like to see what tuning other people have done in the field.

I would appreciate any feedback or problem descriptions (with or
without solutions).

What is the largest throughput firewall you deployed with PFSync? How
was your experience
of running with PFsync vs without PFsync on your firewall?

Thanks again,



I've run pfsync + CARP for a number of years now. One interesting "gotcha" I discovered when building an IPv6-only test network was that pfsync does not work in an IPv6-only environment. I tried both unicast and multicast configurations to no avail. When pfsync has a parent interface that only has an IPv6 address assigned (i.e., no IPv4 at all), no pfsync traffic transits the interface. Just thought I'd share this little tidbit since you were looking for edge cases and gotchas and since IPv6 support (or lack thereof) is not mentioned in the manpage.

Regards,

Jordan
