pfsync and asymmetric paths

Yar Tikhiy yar at comp.chem.msu.su
Fri Jun 10 14:59:36 GMT 2005


Excuse me for a late reply, I missed your mail.

On Fri, Jun 03, 2005 at 02:07:41PM +0100, Greg Hennessy wrote:
>  
> > Is it by design?  I'd like to make the asymmetric 
> > configuration functional if possible at all, but I've been 
> > unable to find any background information on the issue, such 
> > as mailing list discussions or whatever.
> 
> Silly question, why are you not using CARP and using the virtual IP as the
> egress/ingress next hop on both sides ? 

Alas, CARP is not applicable in every case, sometimes one has to
run OSPF etc.  And what I'd like to have functional looks like a
simple yet reasonable generalization from just a set of interchangeable
PF boxes to an actually distributed stateful packet filter that
won't care about which of its nodes sees an IP packet.

P.S. In OSPF, one can assign different costs to the paths, but that
would break the nice symmetry of the network configuration I considered.

-- 
Yar

