(Also posted on misc@ - someone here may have experience of this problem) I have the following pf.conf on two identical firewalls, which combine two external ISP connections to a single RFC1918 network, providing complete failover if the ISP drops off the edge of the world.
However, I notice that when I force the firewall to fail over, the existing states no longer appear to function, though new states can be established just fine. I am wondering if this is related to the tagging, or to the firewall having no default gateway, but neither seems to be a definite cause. (As most of the rules repeat, I have cut the config down to just three IP addresses.)

int_network="172.22.96.0/24"
int_if="bge0"
ext_network1="12.22.96.0/24"
ext_if1="dc0"
ext_gw1="12.22.96.1"
ext_network2="94.143.189.0/24"
ext_if2="dc1"
ext_gw2="94.143.189.1"
pri_network="192.168.250.0/24"
pri_if="xl0"
int_carp0="carp0"
ext_carp1="carp1"
ext_carp2="carp2"

outboundports="{ 20,21,22,25,43,53,80,443,2222,11500,60000:65535 }"
mailports="{ 25 }"
webports="{ 80, 443 }"
webmailports="{ 25,80,110,143,443 }"
dnsports="{ 53 }"
webftpports="{ 20,21,80,443,60000:65535 }"
fdlports="{ 25,80,11000 }"

table <abuse_src>

set limit states 100000

scrub in

nat on $ext_if2 inet proto { tcp,icmp,udp } from 172.22.96.15 to any -> \
    94.143.189.15
nat on $ext_if2 inet proto { tcp,icmp,udp } from 172.22.96.16 to any -> \
    94.143.189.16
nat on $ext_if2 inet proto { tcp,icmp,udp } from 172.22.96.17 to any -> \
    94.143.189.17

rdr on $ext_if1 proto tcp from any to 212.22.96.15 port $webports -> \
    172.22.96.15
rdr on $ext_if2 proto tcp from any to 194.143.189.15 port $webports -> \
    172.22.96.15
rdr on $ext_if1 proto tcp from any to 212.22.96.17 port $webports -> \
    172.22.96.17
rdr on $ext_if2 proto tcp from any to 194.143.189.17 port $webports -> \
    172.22.96.17

block drop log all
block quick on { $ext_if1, $ext_if2 } from <abuse_src>

pass out keep state

pass in log on $ext_if1 proto { tcp } from any to 172.22.96.15 port \
    $webports tag EXT_IF1 keep state
pass in log on $ext_if2 proto { tcp } from any to 172.22.96.15 port \
    $webports tag EXT_IF2 keep state
pass in log on $ext_if1 proto { tcp } from any to 172.22.96.17 port \
    $webports tag EXT_IF1 keep state
pass in log on $ext_if2 proto { tcp } from any to 172.22.96.17 port \
    $webports tag EXT_IF2 keep state

pass in log on $int_if route-to { ( $ext_carp2 $ext_gw2 ) } proto { \
    tcp, udp } from $int_network to !$int_network port $outboundports keep \
    state
pass in log on $int_if route-to { ( $ext_carp2 $ext_gw2 ) } proto icmp \
    from $int_network to !$int_network keep state

pass out log on $int_if reply-to ( $ext_carp1 $ext_gw1 ) tagged EXT_IF1 \
    keep state
pass out log on $int_if reply-to ( $ext_carp2 $ext_gw2 ) \
    tagged EXT_IF2 keep state

pass out log on { $ext_if1, $ext_carp1 } route-to ( $ext_carp2 $ext_gw2 \
    ) from { $ext_if2, $ext_carp2 } to any
pass out log on { $ext_if2, $ext_carp2 } route-to ( $ext_carp1 $ext_gw1 \
    ) from { $ext_if1, $ext_carp1 } to any

###
### carp/pfsync specific, must be here like this in order for the failover to work
pass quick on $pri_if proto pfsync
pass quick on { $ext_if1, $ext_if2, $int_if } proto carp keep state

###
### private interface, this is the emergency rule to contact the other
### box should the private/public interface be blocked for some reason,
### we should have this as a reserve
pass quick on $pri_if from $pri_network

pass quick on { lo }

--
Regards,
Ed
http://www.usenix.org.uk - http://irc.is-cool.net
:%s/Open Source/Free Software/g
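One check worth running before blaming tagging or the missing default gateway is whether pfsync has actually carried the states across to the backup. The script below is an added example, not part of the post: it parses `pfctl -ss` output captured on each firewall just before the forced failover and lists states the backup is missing or holds in a different stage. The sample state listings are constructed, and the one-line-per-state `pfctl -ss` layout (interface, proto, endpoint, optional NAT original in parentheses, direction, endpoint, stage) is assumed.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample `pfctl -ss` captures for the two boxes (not real data).
# Addresses follow the posted config: rdr targets on 172.22.96.x, nat on 94.143.189.x.
MASTER_STATES = """\
all tcp 172.22.96.15:80 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
all tcp 172.22.96.17:443 <- 198.51.100.8:40001      ESTABLISHED:ESTABLISHED
all tcp 94.143.189.16:54321 (172.22.96.16:54321) -> 203.0.113.9:25       ESTABLISHED:ESTABLISHED
all udp 94.143.189.15:5353 (172.22.96.15:5353) -> 203.0.113.53:53       MULTIPLE:SINGLE
"""
BACKUP_STATES = """\
all tcp 172.22.96.15:80 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
all tcp 94.143.189.16:54321 (172.22.96.16:54321) -> 203.0.113.9:25       ESTABLISHED:ESTABLISHED
all udp 94.143.189.15:5353 (172.22.96.15:5353) -> 203.0.113.53:53       MULTIPLE:SINGLE
"""

# Assumed pfctl -ss line shape: <if> <proto> <a> [(<orig>)] <dir> <b> <stage>
STATE_RE = re.compile(
    r"^(?P<if>\S+)\s+(?P<proto>\S+)\s+(?P<a>\S+)(?:\s+\((?P<orig>[^)]+)\))?"
    r"\s+(?P<dir><-|->|<->)\s+(?P<b>\S+)\s+(?P<stage>\S+)\s*$"
)

# A state is identified by protocol, first endpoint, direction and second endpoint.
StateKey = Tuple[str, str, str, str]


def parse_states(text: str) -> Dict[StateKey, str]:
    """Map each parsed state key to its stage string (e.g. ESTABLISHED:ESTABLISHED)."""
    states: Dict[StateKey, str] = {}
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:  # lines that do not match the assumed layout are skipped, not guessed at
            states[(m["proto"], m["a"], m["dir"], m["b"])] = m["stage"]
    return states


def compare_states(master: str, backup: str) -> Dict[str, Set[StateKey]]:
    """Report states present on the master that the backup lacks or holds in another stage."""
    ms, bs = parse_states(master), parse_states(backup)
    return {
        "missing_on_backup": set(ms) - set(bs),
        "stage_mismatch": {k for k in ms.keys() & bs.keys() if ms[k] != bs[k]},
    }


if __name__ == "__main__":
    for kind, keys in compare_states(MASTER_STATES, BACKUP_STATES).items():
        for proto, a, direction, b in sorted(keys):
            print(f"{kind}: {proto} {a} {direction} {b}")
```

If the backup already lacks states before the failover, the problem is in pfsync replication over $pri_if rather than in the tagged reply-to rules; if the tables match and only the routed states stop passing traffic afterwards, the route-to/reply-to handling is the better suspect.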