pfsync - Active/Active + defer on

Plamen Mladenov f0x0ff at
Thu Apr 1 11:37:15 UTC 2021


I'm trying to set up an active-active PF cluster (consisting of two FreeBSD
hosts: FW1 and FW2) using pfsync and a dynamic routing protocol (CARP is not
used in this deployment).

All works as expected when the IN/OUT traffic for a single session is
symmetrical (uses either FW1 or FW2). The problem I'm facing is when the
traffic is asymmetrical.
For example:

(1) Client ---------- TCP SYN ---------> FW1 -----------------------------> Server
(2) Client <--------------------------- FW2 <------- TCP SYN+ACK ------- Server

The Client sends a TCP segment with the SYN flag set, which is received and
allowed by FW1 and sent to the Server.
The Server replies with a TCP segment with the SYN and ACK flags set (just as
per the TCP 3-way handshake), but this TCP segment is routed to FW2. At that
time FW2 hasn't received the SYN-SENT session (from FW1) yet and therefore it
denies that TCP segment. A few milliseconds after that FW2 gets the session
from FW1, but the SYN+ACK is already dropped and a TCP retransmission

I've found that this behavior can be fixed with the pfsync "defer" option;
however, based on my lab and prod tests, this option does not change
anything. As per my understanding, the initial packet should be delayed
until the session is replicated to both firewalls, but that's not the case.

My other concern is that although the "defer" option is there (I can
successfully turn it on/off and see it with ifconfig pfsync0), I can't find
a word about it in man 4 pfsync on FreeBSD (unlike in the OpenBSD
documentation), which makes me think there is a reason why it's not in
the man page.

Can someone confirm whether the pfsync "defer" option works on FreeBSD?

Plamen Mladenov
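The race described in the post, as an added discrete-event model that is not part of the original message and not FreeBSD or OpenBSD code: two stateful firewalls, a pfsync replication delay, and the SYN+ACK taking the asymmetric return path through FW2. The "defer" branch implements the documented semantics of the option (hold the first packet of a new state until the peer has acknowledged the state insert); the delays SYNC_DELAY_MS and SERVER_RTT_MS are assumed values, and the model says nothing about whether FreeBSD's implementation honours the flag.

```python
"""Discrete-event model of the asymmetric-path SYN / SYN+ACK race.

Constructed illustration only (not pf/pfsync code). It models the documented
semantics of pfsync 'defer': the first packet of a new state is held until
the peer acknowledges the state insert. It does not claim anything about
whether FreeBSD's pfsync actually honours the flag.
"""
import heapq
from dataclasses import dataclass

SYNC_DELAY_MS = 5   # assumed one-way pfsync propagation time between FW1 and FW2
SERVER_RTT_MS = 1   # assumed time from forwarding the SYN until the SYN+ACK reaches FW2


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "S" for SYN, "SA" for SYN+ACK


def flow_key(pkt):
    """Direction-independent state-table key, so the reply matches the state."""
    return tuple(sorted((pkt.src, pkt.dst)))


class Cluster:
    """Two firewalls, a time-ordered event queue, and a log of verdicts."""

    def __init__(self, defer):
        self.defer = defer
        self.queue = []
        self.seq = 0
        self.log = []  # (time_ms, firewall, flags, verdict)
        self.fw1 = Firewall("FW1", self)
        self.fw2 = Firewall("FW2", self)

    def peer_of(self, fw):
        return self.fw2 if fw is self.fw1 else self.fw1

    def at(self, t, fn, *args):
        self.seq += 1  # unique tiebreaker so callables are never compared
        heapq.heappush(self.queue, (t, self.seq, fn, args))

    def run(self):
        while self.queue:
            t, _, fn, args = heapq.heappop(self.queue)
            fn(t, *args)
        return self.log


class Firewall:
    def __init__(self, name, cluster):
        self.name = name
        self.cluster = cluster
        self.states = {}    # flow_key -> state name
        self.deferred = {}  # flow_key -> first packet held until the peer acks

    def receive(self, t, pkt):
        key = flow_key(pkt)
        if key in self.states:
            # Matching state exists: pass (this is how the SYN+ACK should be handled).
            if pkt.flags == "SA":
                self.states[key] = "ESTABLISHED"
            self.cluster.log.append((t, self.name, pkt.flags, "pass"))
            return
        if pkt.flags == "S" and pkt.src == "client":
            # Rule allows new client->server flows: create state and replicate it.
            self.states[key] = "SYN_SENT"
            peer = self.cluster.peer_of(self)
            self.cluster.at(t + SYNC_DELAY_MS, peer.sync_insert, key, "SYN_SENT", self)
            self.cluster.log.append((t, self.name, pkt.flags, "pass"))
            if self.cluster.defer:
                self.deferred[key] = pkt  # hold the SYN until the peer acknowledges
            else:
                self.forward(t, pkt)
            return
        # No state and not a state-creating packet: stateful drop.
        self.cluster.log.append((t, self.name, pkt.flags, "drop"))

    def sync_insert(self, t, key, state, origin):
        self.states.setdefault(key, state)
        self.cluster.at(t + SYNC_DELAY_MS, origin.sync_ack, key)

    def sync_ack(self, t, key):
        pkt = self.deferred.pop(key, None)
        if pkt is not None:
            self.forward(t, pkt)

    def forward(self, t, pkt):
        # Asymmetric routing: the server's SYN+ACK always comes back via FW2.
        reply = Packet(pkt.dst, pkt.src, "SA")
        self.cluster.at(t + SERVER_RTT_MS, self.cluster.fw2.receive, reply)


def simulate(defer):
    """Run one SYN / SYN+ACK exchange; returns the list of verdicts."""
    c = Cluster(defer)
    c.at(0, c.fw1.receive, Packet("client", "server", "S"))
    return c.run()


def synack_verdict(defer):
    """What FW2 did with the server's SYN+ACK: 'pass' or 'drop'."""
    return [v for _, fw, flags, v in simulate(defer) if fw == "FW2" and flags == "SA"][0]


if __name__ == "__main__":
    for defer in (False, True):
        print(f"defer={'on' if defer else 'off'}")
        for t, fw, flags, verdict in simulate(defer):
            print(f"  t={t:>2}ms {fw} {flags:<2} -> {verdict}")
```

Without defer the SYN+ACK reaches FW2 at t=1 ms while the state insert only lands at t=5 ms, so FW2 drops it exactly as the post describes; with defer FW1 holds the SYN for one replication round trip (10 ms here) and FW2 already has the state when the reply arrives.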
