Questions about PF + Multiple gateways + CARP on a public ip network

Damien Fleuriot ml at my.gd
Thu Feb 17 02:07:19 UTC 2011


On 16 Feb 2011, at 21:59, "kevin" <k at kevinkevin.com> wrote:

>> If you only have one gateway, then you have nothing to worry about for
>> this part.
> 
> They provide a gateway address for each subnet they allocate to me -- which
> probably is assigned to the same device for them, but I would need to
> establish these rules in my freebsd firewall, correct?
> 

Then you have different paths for inbound traffic, right?

This means you'll want to reply to any given packet via the same path it originally took, which was not necessarily your default gateway.

So, IMO, this implies the use of source routing, impersonated by pf's reply-to option rules.



> 
>> If you expect a lot of traffic, I recommend you do NOT use pfsync to
>> synchronize existing sessions on the backup firewall.
> 
> Why not? Is this a generally accepted practice not to use pfsync because of
> this? How much traffic is too much? The firewalls should average about 5,000
> - 10,000 states on any given day, afaik.
> 

We had to disable pfsync here because it actually hogged way too many resources.

We're talking 100k+ states here with ~5k http requests per sec.



> I'm more worried about failover than I am about states being kept, but it
> would be nice to utilize pfsync if it wouldn't be too risky.

You will be fine, 5-10k states isn't much.
Now I have absolutely no idea what kind of hardware you have, but this really isn't much.

We let go of pfsync only a few weeks ago and mostly as a precautionary measure with over 60k states at any given time.
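The reply-to approach discussed above, written out as an added pf.conf fragment; this is not from the thread or anyone's production ruleset, and the interface names, subnets, gateways and CARP addresses are assumed values.

```pf
# Added example (not from the thread). Assumed layout: one upstream
# interface (em0) carrying two provider-allocated subnets, each with its
# own gateway on the provider's router, plus a CARP VIP per subnet.
# The default route points at gw_a, so without reply-to, traffic that
# arrived for subnet B would be answered via gw_a.
ext_if   = "em0"
sync_if  = "em2"                 # assumed dedicated link between the pair
gw_a     = "192.0.2.1"           # assumed gateway for subnet A
gw_b     = "198.51.100.1"        # assumed gateway for subnet B
vip_a    = "192.0.2.10"          # assumed CARP address in subnet A
vip_b    = "198.51.100.10"       # assumed CARP address in subnet B

set skip on lo0

# Let the CARP pair talk; pfsync is optional (see the thread on state
# volume) and only needs this rule if you enable it.
pass quick on $ext_if proto carp
pass quick on $sync_if proto pfsync

block in log all

# Subnet A: reply-to points at the default gateway anyway, but stating it
# keeps the rule symmetric and explicit.
pass in on $ext_if reply-to ($ext_if $gw_a) inet proto tcp \
    from any to $vip_a port { 80 443 } keep state

# Subnet B: replies to this state are sent back through gw_b, i.e. the
# path the packet came in on, rather than following the default route.
pass in on $ext_if reply-to ($ext_if $gw_b) inet proto tcp \
    from any to $vip_b port { 80 443 } keep state

# Locally originated traffic still follows the routing table.
pass out on $ext_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss -vv` shows the route-to/reply-to gateway recorded on each state.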

