> 1 - PF with the 'no state' rule should let the traffic flow,
> it means that PF has a bug, or
> 2 - PF behaves as expected and traffic must not flow, or
> 3 - the 'no state' rule is the wrong rule to let the traffic flow.
> If so, I ignore what rule should be used in /etc/pf.conf.
>
> Any thought is more than welcome
>

I configured pfsync0 on 192.168.3.0/24. With this, ping works. As far as I understand, each echo request generates a state in PF, and this state is shared from VTEP1 to VTEP2. Anyway, ssh doesn't work. The tcp connection from 10.13.11.1 to VM2 is established. At this moment I see, with pfctl -s state, SYN entries for 10.13.11.1 to VM2. But, after a while, ssh disconnects. Disconnection happens when the SYN entries in PF state are deleted, after a certain timeout. I see no ESTABLISHED:ESTABLISHED state at any moment, neither in VTEP1 nor in VTEP2; I think that this is the reason for the disconnection.
For now, I've resolved this by setting no state on packets from 192.168.3.0/24 to 10.13.0.0/16, and vice versa, and removing the pfsync0 interfaces on both VTEPs. Ssh and ping work this way. Anyway, I would like to explore a configuration with pfsync that would work with ping and at least ssh.