Date: Thu, 17 Feb 2011 03:06:56 +0100
From: Damien Fleuriot <ml@my.gd>
To: kevin <k@kevinkevin.com>
Cc: "<freebsd-pf@freebsd.org>" <freebsd-pf@freebsd.org>
Subject: Re: Questions about PF + Multiple gateways + CARP on a public ip network
Message-ID: <4B65A291-893E-4B5D-BE2F-E4A72A85C733@my.gd>
In-Reply-To: <017801cbce1c$5d99fc90$18cdf5b0$@com>
References: <00a401cbcd3d$fe313d10$fa93b730$@com> <4D5BD4E6.90605@my.gd> <00cf01cbcdf2$d54f6100$7fee2300$@com> <4D5BF6FE.8090704@my.gd> <017801cbce1c$5d99fc90$18cdf5b0$@com>
On 16 Feb 2011, at 21:59, "kevin" <k@kevinkevin.com> wrote:

>> If you only have one gateway, then you have nothing to worry about for
>> this part.
>
> They provide a gateway address for each subnet they allocate to me -- which
> probably is assigned to the same device for them, but I would need to
> establish these rules in my FreeBSD firewall, correct?
>

Then you have different paths for inbound traffic, right?

This means you'll want to reply to any given packet via the same path it originally took, which was not necessarily your default gateway.

So, IMO, this implies the use of source routing, impersonated by pf's reply-to option rules.

>
>> If you expect a lot of traffic, I recommend you do NOT use pfsync to
>> synchronize existing sessions on the backup firewall.
>
> Why not? Is this a generally accepted practice not to use pfsync because of
> this? How much traffic is too much? The firewalls should average about 5,000
> - 10,000 states on any given day, afaik.
>

We had to disable pfsync here because it actually hogged way too many resources.
We're talking 100k+ states here with ~5k HTTP requests per sec.

> I'm more worried about failover than I am about states being kept, but it
> would be nice to utilize pfsync if it wouldn't be too risky.

You will be fine, 5-10k states isn't much.

Now I have absolutely no idea what kind of hardware you have, but this really isn't much.

We let go of pfsync only a few weeks ago and mostly as a precautionary measure with over 60k states at any given time.
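One way the reply-to approach discussed in this reply could be written in pf.conf, as an added example that is not part of the thread or of anyone's posted configuration; the interface names, the two ISP gateways and the subnet addresses are assumed placeholders:

```pf
# Added example, not from the thread. Two ISP-supplied subnets, each with
# its own gateway, one CARP pair of firewalls and an optional pfsync link.
# Interface names and addresses are placeholders (RFC 5737 ranges).

ext_if1 = "em0"          # public subnet 1, ISP gateway $gw1
ext_if2 = "em1"          # public subnet 2, ISP gateway $gw2
sync_if = "em2"          # dedicated crossover link for pfsync

gw1  = "192.0.2.1"
gw2  = "198.51.100.1"
net1 = "192.0.2.0/24"
net2 = "198.51.100.0/24"

# Bind each state to the interface it was created on, so a state created on
# ext_if1 is not matched by packets seen on ext_if2.
set state-policy if-bound

# CARP advertisements travel on the public links; pfsync on the sync link.
# Only allow pfsync if you actually enable it (see the cost discussion above).
pass quick on { $ext_if1 $ext_if2 } proto carp keep state
pass quick on $sync_if proto pfsync

# Inbound connections arriving on each ISP link: reply-to pins the return
# path to the gateway belonging to the subnet the packet came in on, instead
# of sending every reply out via the single default route.
pass in on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp \
    from any to $net1 port { 80 443 } keep state
pass in on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp \
    from any to $net2 port { 80 443 } keep state

# Locally originated traffic still follows the kernel's default route.
pass out on { $ext_if1 $ext_if2 } keep state
```

Check the result with `pfctl -vnf /etc/pf.conf` before loading, and confirm with `pfctl -ss` that inbound states on each link carry the expected reply-to gateway.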