On 2/1/21 8:20 PM, Kapetanakis Giannis wrote:
> On 02/02/2021 05:18, Jordan Geoghegan wrote:
>> Hello,
>>
>> I had a question about using relayd with pfsync.
>>
>> I have a small gateway/load-balancer set up with relayd, carp and pfsync 
>> plus BGPd for IP failover, and everything is working great. I was pleasantly 
>> surprised at how easy it was to get pfsync tunnelled over wireguard. Things 
>> failover perfectly, and I'm happy as a clam.
>>
>> I however do have a question about some pfsync/relayd details that I'm not 
>> fully clear on:
>>
>> With all the plumbing being done with relayd and all the associated 
>> TCP/TLS/HTTP(s) checks it's doing, it ends up setting up and tearing down a 
>> decent number of connections on a recurring basis. I know in PF you can use 
>> the "no-sync" keyword to prevent states created by certain rules from being 
>> synced across the wire, but I haven't found a way to do this with 
>> rules/states generated by relayd.
>>
>> It's probably largely irrelevant in the grand scheme of things, but I found 
>> it slightly irritating having hundreds or thousands of state table entries 
>> experiencing constant churn while being synced over the wire. Having the 
>> noise from the relayd connectivity checks syncing back and forth makes using 
>> tcpdump on a pfsync interface much less convenient. All these state table 
>> entries will never be used should the machine fail-over, as all the 
>> connectivity checks are initiated from the local IP address, rather that the 
>> CARP address.
>>
>> So I guess what I'm trying to ask is: Is there a way to have relayd not sync 
>> it's TCP/TLS/etc connectivity checks via pfsync?
>>
>> I was hoping to get a sanity check here so I can confirm weather or not I'm 
>> totally off base here.
>>
>> I currently have "keep state (no-sync)" peppered throughout my config for 
>> rules I want excluded from pfsync, as the pf config is quite simple. Maybe 
>> I'm missing something obvious, but is there a "sync" option? ie the ability 
>> to manually specify exactly which rules/states you want synced?
>>
>> Would some sort of rule like "pass out on $int_if proto tcp to any user 
>> _relayd keep state (no-sync)" do what I want, or would that also catch the 
>> traffic I'm trying to load balance as well?
>>
>> Any insight or advice would be much appreciated.
>>
>> P.S  Sorry for the wall of text
>>
>> Regards,
>>
>> Jordan
>
> Hi,
>
> As you said, you can use the no-sync.
>
> Relayd checks don't create any pf rules. Only the listen creates rules
> pfctl -sr -a'relayd/ldap'
>
> pass in quick on rdomain 0 inet proto tcp from any to x.x.x.x port = 636 
> flags S/SA keep state (tcp.established 4200) tag RELAYD_ldap rdr-to <ldap> 
> port 1636 least-states sticky-address
>
> local checks from LB to hosts can have the no-sync.
> I have these in my config
>
> # checks from LB
> pass out quick on $ldap_if proto tcp from ($ldap_if) to ($ldap_if:network) 
> port {1389, 1636} keep state (no-sync)
>
> Maybe you have another rule (out on $ldap_if) before, that allows the traffic?
>
> I handle incoming traffic (to LB) with pftag on relayd.conf and I 
> specifically allow them on out direction.
>
> # client rules
> pass out quick on $ldap_if tagged RELAYD_ldap keep state (tcp.established 
> 4200)
>
> G
>
>

Hello,

Thanks for the sanity check, I've got everything working as expected now!

I need to learn to step away from the keyboard when I'm getting tired and 
frustrated. The answer seems obvious in retrospect, but at least its figured 
out now.

Regards,

Jordan


Reply via email to