Hi all, I have a problem with a cluster of OpenBSD firewalls. I don't see an immediate clean solution, but some of you may shed some light on it! ;)

The two firewalls manage 50 vlans, each one has a corresponding carp interface. The two firewalls exchange state information via pfsync on a dedicated gigabit interface. For balancing reasons, one firewall is the master for half the vlans, the other firewall is the master for the other half. Everything is working well, except for the communications between vlans that reside on different firewalls. As an example:

FW1 is master for: vlan1 vlan2 vlan3
FW2 is master for: vlan4 vlan5 vlan6

Communications between vlan1, vlan2 and vlan3 are fine. Communications between vlan4, vlan5 and vlan6 are fine too. This is because they all reside on the same physical firewall. Communication between vlan[1-3] and vlan[4-6] fails, because traffic originating from e.g. vlan1 and going to vlan4 does not get routed to FW2, but remains on FW1 (since the vlan being up creates the local route, even if the corresponding carp interface is down).

This situation creates an asymmetry in the traffic that disrupts the state table. The state gets created on the originating firewall, and while some of them get replicated to the other firewall by pfsync, not all of them are (of course pfsync has not been designed to be realtime, it does what it can!), thus breaking reliable communication between vlans.

The only workaround I can think of now is to simply keep all the masters on one firewall. Is there any other means to make it work as I intended? Perhaps shutting down the vlans for which the carp state is backup via ifstated?

Thanks,
]\/[arco
--
I'm Winston Wolf, I solve problems.
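The ifstated approach the post asks about, written out as an added example (not from the original post or the OpenBSD project); it assumes carp1 rides on vlan1 and carp4 on vlan4, and that each vlan is given its own pair of `if` actions in the single watch state:

```conf
# /etc/ifstated.conf  (hypothetical example; interface names are assumptions)
# Idea from the post: take a vlan down while its carp interface is BACKUP,
# so the directly-connected route for that subnet disappears from this
# firewall and cross-vlan traffic is forwarded to the current master.
init-state watch

# ifstated tracks carp state through the carp interface's link state:
# link up == MASTER, link down == BACKUP/INIT.
carp1_master = "carp1.link.up"
carp4_master = "carp4.link.up"

state watch {
	# Evaluated whenever a watched link changes; only the true
	# branches run, and re-running ifconfig up/down is harmless.
	if $carp1_master
		run "ifconfig vlan1 up"
	if ! $carp1_master
		run "ifconfig vlan1 down"

	if $carp4_master
		run "ifconfig vlan4 up"
	if ! $carp4_master
		run "ifconfig vlan4 down"

	# ... one such pair per vlan/carp interface (50 in the post's setup)
}
```

One caveat to test before deploying: a carp interface needs its parent (the vlan here) up to receive advertisements, so a vlan that has been taken down also stops its carp interface from taking over if the other firewall fails.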