pfsync after reboot does not synchronize

David DeSimone fox at verio.net
Mon Jun 5 21:39:53 PDT 2006


Kian Mohageri <kian.mohageri at gmail.com> wrote:
>
> > Why does pfsync synchronize the state tables when I use the
> > "ifconfig syncdev" trick to force a bulk update, yet it does
> > not do this when the system is booting up?
> 
> What does your rc.conf look like?

    gateway_enable="YES"
    pf_enable="YES"
    pf_rules="/usr/local/etc/pf.conf"
    pflog_enable="YES"
    pfsync_enable="YES"
    pfsync_syncdev="fxp0"

    defaultrouter="192.168.40.254"

    cloned_interfaces="carp0 carp1"

    ifconfig_dc0="inet 192.168.40.231 netmask 255.255.255.224"
    ifconfig_dc1="inet 172.16.30.2 netmask 255.255.255.0"

    ifconfig_fxp0="up"

    ifconfig_carp0="inet 192.168.40.230 netmask 255.255.255.224 vhid 230"
    ifconfig_carp1="inet 172.16.30.1 netmask 255.255.255.0 vhid 11"

As you can see, no IP is put on the sync interface; it is merely
configured up.  Auto-negotiation succeeds on both ends of the cross
cable:

    media: Ethernet autoselect (100baseTX <full-duplex>)

> > Why does pfsync keep repeating the bulk update request and then give
> > up?  What message is not getting through?
> 
> Are you running the same versions of everything on all nodes?
> Different versions of pfsync can sometimes not keep state with
> each other (3.8 -> 3.9 comes to mind).

Both are FreeBSD 6.0-RELEASE cloned from the same disk.

> >    set skip on pfsync0
> >
> >    pass quick on fxp0 proto pfsync     # $pfsync_syncdev
> 
> Won't fix your problem, but if you 'set skip' on that interface, you
> don't need to 'pass quick' as filtering isn't applied.

Note that the "set skip" is on the pfsync0 pseudo interface, while the
"pass quick" is on the actual fxp0 interface.

Is there a protocol other than pfsync that should be permitted on that
interface?  I didn't expect I'd see any other protocol there, so I
didn't bother to allow anything else.

-- 
David DeSimone == Network Admin == fox at verio.net
  "It took me fifteen years to discover that I had no
   talent for writing, but I couldn't give it up because
   by that time I was too famous."  -- Robert Benchley
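A post-boot check for the setup described in this thread, as an added example that is not part of the original message or of FreeBSD itself: it reads the syncdev from `ifconfig pfsync0` output and compares the `pfctl -s info` state counts of the two nodes, so a backup that rebooted and never received the bulk update stands out. The command output embedded below is constructed; on a real node feed the functions the live output instead.

```shell
#!/bin/sh
# Added example, not from the original thread: post-boot sanity checks for a
# pfsync pair. Each function takes command output as text so the checks can be
# exercised offline; on a real node pass it the output of `ifconfig pfsync0`
# and `pfctl -s info` instead of the constructed samples below.

# Return the syncdev named in `ifconfig pfsync0` output (empty if none is set).
pfsync_syncdev() {
    printf '%s\n' "$1" | sed -n 's/.*syncdev: \([^ ]*\).*/\1/p'
}

# Return the "current entries" state-table count from `pfctl -s info` output.
pf_state_count() {
    printf '%s\n' "$1" | awk '/current entries/ { print $NF; exit }'
}

# Compare the state counts of two nodes, tolerating a little drift for states
# created between the two samples. Prints "ok" or "mismatch".
states_in_sync() {
    _a=$1 _b=$2 _tol=${3:-5}
    _d=$((_a - _b))
    [ "$_d" -lt 0 ] && _d=$((0 - _d))
    if [ "$_d" -le "$_tol" ]; then echo ok; else echo mismatch; fi
}

# Constructed sample output; the syncdev line mirrors the rc.conf above.
IFCONFIG_PFSYNC0='pfsync0: flags=41<UP,RUNNING> mtu 1460
        pfsync: syncdev: fxp0 maxupd: 128'
PFCTL_INFO_MASTER='Status: Enabled for 0 days 00:12:34           Debug: Urgent

State Table                          Total             Rate
  current entries                     1234
  searches                          567890          761.4/s'
# A backup that rebooted and never received the bulk update looks like this.
PFCTL_INFO_BACKUP='Status: Enabled for 0 days 00:00:41           Debug: Urgent

State Table                          Total             Rate
  current entries                        2
  searches                              17            0.4/s'

# Offline demonstration of the checks.
dev=$(pfsync_syncdev "$IFCONFIG_PFSYNC0")
[ -n "$dev" ] && echo "syncdev: $dev" || echo "pfsync0 has no syncdev"
states_in_sync "$(pf_state_count "$PFCTL_INFO_MASTER")" \
               "$(pf_state_count "$PFCTL_INFO_BACKUP")"
```

Run it on both nodes right after the backup finishes booting; a persistent "mismatch" with a correct syncdev is the symptom discussed in this thread rather than a filtering problem.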
