Jason Stubbs wrote:
Complete lack of response is very disheartening...
Well, them's the breaks...
The data center was kind enough to provide for our situation with
something like this:
DC1        DC2
 |          |
SW1--------SW2
 |          |
FW1-pfsync-FW2
FW1/FW2 are OpenBSD running active/passive. DC1 and DC2 are VRRP routers
running active/active that fail over to each other. On the OpenBSD side,
I'll just round robin route between them.
I played with the pf source code a little though and got synchronous
pfsync mostly working. That is, I got connections via FW1 to a server
whose gateway was set to FW2 to work with the FWs' states being
synchronized and no packets being dropped. My mods caused a few "BAD
STATE" messages to show up but they didn't seem to cause any problems. I
did break the bulk sync code though. I'll work on it a little more when
I've got time as beating the state race altogether seems doable without
too extensive modifications.
--
Jason Stubbs