On 2008/03/11 23:01, Neil Sproston wrote:
> I have a pair of OpenBSD 4.1 firewalls using pf with pfsync to provide 
> state synchronisation.
>
> To provide automatic routing around any network failures ospf is enabled 
> to allow the firewalls to exchange routing information with the routers.
>
> This has the effect that traffic might well pass through the cluster via 
> firewall1 and the reply exit via firewall2. I expected pfsync to cause pf 
> to be able to handle this but it does appear problematical in tests.

pfsync is meant to work with some other protocol (carp or STP)
which takes a short time to make the other firewall active; it's not
designed for multipath routing.

> Does anyone have any comments? Is this setup supported or recommended?

No, but what you can do is track the status of the carp interface and
only advertise into OSPF when carp is master. This should happen when
you list the carp interface in ospfd.conf, which might be what you're
already doing, but a regression in 4.1 broke this. It's fixed with
patch 007 from the 4.1 errata; recompile & restart ospfd. (Or just
upgrade to 4.2, which may be simpler to do, and gives you faster PF).
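The following ospfd.conf fragment is an added illustration of the approach described above (listing the carp interface so that its network is only advertised while this node is carp master); it is not taken from the original thread, and the router-id, area, interface names (carp0, em1) and address ranges are assumed placeholders for a two-firewall cluster:

```conf
# Added example ospfd.conf for one member of the firewall pair.
# The router-id and interface names are assumptions, not values from the thread.
router-id 192.0.2.1

area 0.0.0.0 {
	# carp0 carries the shared firewall address on the routed segment.
	# ospfd tracks the carp state of this interface: it is treated as down
	# while this node is backup, so the attached network is only announced
	# from the node that is currently master, and return traffic follows
	# the same firewall that holds the states.
	interface carp0 {
		metric 10
	}

	# Inside interface: advertise its network, but form no adjacency there.
	interface em1 {
		passive
	}
}
```

The physical interface underneath carp0 is deliberately not listed: announcing it directly would attract traffic to a node regardless of its carp state, which is exactly the asymmetric path pfsync cannot cover.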
