Hi,

The pfsync manual page is a bit vague on the technical aspects.

It recommends a direct connection between machines, but this isn't easy/possible if the hosts are in different sites. Is it fine to use a vlan interface? If so, is it better to use a dedicated VLAN, or is it fine to use an existing linknet VLAN, which is already doing other traffic, including things like CARP and OSPF?

It defaults to multicast over unicast. Is there a performance benefit to either? Are there any benefits to multicast other than the ability to have more than 2 hosts and not needing to specify the peer?

I assume ipsec is only needed/recommended if it's a public network. If it's done over a private network with RFC1918, then there is no need/benefit to tunnelling it, and in fact that would just make it slower?

It looks like there is no facility for specifying multiple networks, so that it will keep working in the event of a single link failure. Would it cause a problem to run two separate pfsync interfaces between the same hosts concurrently, over two separate links?

Is there any way of seeing the status of pfsync, other than inspecting the state tables or testing something which requires state?

The manual suggests:

    pass quick on <if> proto pfsync

but would it not be better to be specific on the source and destination?

    pass quick on <if> proto pfsync from <if>:network to <if>:network

Thanks!
Ian
