I'm trying to do something somewhat similar to what Loïc Blot was attempting, as described in
http://openbsd.7691.n7.nabble.com/PF-sync-doesn-t-not-work-very-well-tc230786.html#none
but have the additional complication that I *do* need to do NAT for one subnet on the BGP routers, and I am using a mix of both CARP and dual-sessions depending on the BGP peer.

I'm pushing up to ~1 Gbps through this pair of routers; each is more than capable of that much traffic on its own (in fact, they are right now).

So far, I'm not doing NAT on these routers, and my pf rulesets on both consist of "pass". I am not using pfsync, as there's no point (no rules). Current topology is shown at http://r1.customhosting.ca/BGP-plus-NAT.png.

I now need to do NAT for one subnet and set up some actual pf rules.

Should I configure pfsync?  Should I just use sloppy state?

(Admittedly, I know very little about running pf in this situation. Cluebats welcome.)

--
-Adam Thompson
 [email protected]
