On 15/06/2023 19:07, Peter Nicolai Mathias Hansteen wrote:
>> On 15 Jun 2023, at 16:26, Kapetanakis Giannis <bil...@edu.physics.uoc.gr> wrote:
>> After applying some keep state (if-bound) on major rules, I've already found a problem.
>>
>> pfsync.
>>
>> It copies the interface. The interfaces are different on the backup firewall so the states will not match if I demote master.
>>
>> Any way to overcome this? Maybe filtering with same group name that is the same on both firewalls?
> Yes, I was going to suggest creating interface groups and referencing those in your rules instead of interfaces.
>
> - P

I believe that will only work for rule copying between the firewalls and not state copying with pfsync. State has an interface (or "all" for floating states) and that is copied between pfsync hosts. For example when filtering with egress group, pfsync copies the egress state's interface from primary firewall to backup (different interface names).

It would be nice to add some kind of translation/mapping on the pfsync interface, to translate incoming remote states to local interface names. Don't know how difficult that would be.

G
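
An added illustration, not part of the original message and not pf or pfsync code: a simplified Python model of the mismatch discussed in this thread, where a synced state keeps the sender's interface name (or "all" when floating). The interface names, the flow tuple and the `ifmap` translation are constructed assumptions; the translation is the idea proposed in the message, not an existing pfsync option.

```python
from dataclasses import dataclass, replace

FLOATING = "all"  # interface value recorded for floating states


@dataclass(frozen=True)
class State:
    flow: tuple   # (proto, src, sport, dst, dport)
    ifname: str   # bound interface name, or "all" when floating


class Firewall:
    """Toy state table: a packet matches on flow key plus interface."""

    def __init__(self, name):
        self.name = name
        self.states = []

    def add_state(self, flow, ifname, if_bound):
        # if-bound keeps the interface name; floating stores "all".
        self.states.append(State(flow, ifname if if_bound else FLOATING))

    def import_states(self, states, ifmap=None):
        # Receive states from the peer. ifmap is the hypothetical
        # remote-to-local interface translation proposed in the thread.
        for st in states:
            if ifmap and st.ifname in ifmap:
                st = replace(st, ifname=ifmap[st.ifname])
            self.states.append(st)

    def matches(self, flow, in_if):
        # True if an existing state accepts this packet arriving on in_if.
        return any(s.flow == flow and s.ifname in (FLOATING, in_if)
                   for s in self.states)


def failover_demo(if_bound, ifmap=None):
    # Constructed sample: primary egress is em0, backup egress is ix1.
    flow = ("tcp", "192.0.2.10", 51515, "198.51.100.7", 443)
    primary, backup = Firewall("fw1"), Firewall("fw2")
    primary.add_state(flow, "em0", if_bound)
    backup.import_states(primary.states, ifmap)
    # After the master is demoted, the same flow arrives on the backup's ix1.
    return backup.matches(flow, "ix1")
```
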