Hello, I had a question about using relayd with pfsync.
I have a small gateway/load-balancer set up with relayd, carp and pfsync plus BGPd for IP failover, and everything is working great. I was pleasantly surprised at how easy it was to get pfsync tunnelled over wireguard. Things failover perfectly, and I'm happy as a clam.

I however do have a question about some pfsync/relayd details that I'm not fully clear on: With all the plumbing being done with relayd and all the associated TCP/TLS/HTTP(s) checks it's doing, it ends up setting up and tearing down a decent number of connections on a recurring basis. I know in PF you can use the "no-sync" keyword to prevent states created by certain rules from being synced across the wire, but I haven't found a way to do this with rules/states generated by relayd.

It's probably largely irrelevant in the grand scheme of things, but I found it slightly irritating having hundreds or thousands of state table entries experiencing constant churn while being synced over the wire. Having the noise from the relayd connectivity checks syncing back and forth makes using tcpdump on a pfsync interface much less convenient. All these state table entries will never be used should the machine fail-over, as all the connectivity checks are initiated from the local IP address, rather than the CARP address.

So I guess what I'm trying to ask is: Is there a way to have relayd not sync its TCP/TLS/etc connectivity checks via pfsync? I was hoping to get a sanity check here so I can confirm whether or not I'm totally off base here.

I currently have "keep state (no-sync)" peppered throughout my config for rules I want excluded from pfsync, as the pf config is quite simple. Maybe I'm missing something obvious, but is there a "sync" option? i.e. the ability to manually specify exactly which rules/states you want synced? Would some sort of rule like "pass out on $int_if proto tcp to any user _relayd keep state (no-sync)" do what I want, or would that also catch the traffic I'm trying to load balance as well?
Any insight or advice would be much appreciated.

P.S. Sorry for the wall of text

Regards,
Jordan
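A pf.conf fragment illustrating the "no-sync" construct discussed in the post, added here as an example and not part of the original message. The interface, network and macro names are placeholders, and the statement about which user owns relayd's sockets is an assumption, not something the post confirms:

```pf
# Added illustration, not from the original post. Names below are placeholders.
int_if = "em1"
lb_net = "10.0.0.0/24"

# Default: states created by this rule are replicated to the pfsync peer,
# which is what you want for the client traffic that must survive failover.
pass out on $int_if inet proto tcp to $lb_net keep state

# Health checks are ordinary TCP/TLS/HTTP connections opened from this host's
# own address. pf's "user" keyword only matches packets belonging to a socket
# owned by a local process (see pf.conf(5)); forwarded packets carry no user
# and never match it. Assumption: relayd's privsep children run as _relayd,
# so their sockets match "user _relayd" and these states stay local.
pass out on $int_if inet proto tcp to $lb_net user _relayd keep state (no-sync)

# Caveat: in layer-7 "relay" mode relayd itself terminates the client
# connection and opens a fresh one to the backend, presumably also as _relayd,
# so the rule above would mark those backend-side states no-sync as well.
# Layer-3 "redirect" (rdr-to) traffic is forwarded, not owned by a local
# socket, so a "user" rule leaves its replication unchanged.
```

pf evaluates rules last-match unless "quick" is used, so the narrower user-based rule has to come after the general one for it to take effect. A quick way to confirm the split is to watch the pfsync interface with tcpdump while a health check fires: state inserts for the check sockets should no longer appear, while states for redirected client connections still do.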