After hours of thinking, reading manuals and googling I decided to
send a mail to this list.

We have two OpenBSD firewalls using CARP + PFSYNC to provide
redundancy. The problem is that long downloads stall randomly. For
example, downloading a 700 MB ISO stalls at about 120 MB, although
this figure may vary. For pfsync we are using dedicated interfaces on
both firewalls. The hardware and the configurations on both firewalls
are identical. So is the interface naming.

We have also checked that connections aren't kept when there's a CARP
failover, so we deduce that pfsync is not working properly with our
configuration.

This problem doesn't happen when we disable pfsync. Here are the rules
concerning pfsync on our firewalls:
------------
pfsync_if="rl1"

pass log-all quick on $pfsync_if proto pfsync keep state
pass log-all quick on { $ext_if $int_if } proto carp keep state
------------
Concerning the pass rule for pfsync, we originally didn't write 'keep
state', as the man page says it has to be. Adding 'keep state' doesn't
make any difference, as the same problem appears.

This is the content of /etc/hostname.rl1 (we know the netmask is too large):
------------
inet 10.0.0.1 255.255.255.0 10.0.0.255
------------
And this is for /etc/hostname.pfsync0:
------------
up syncpeer 10.0.0.2 syncdev rl1
------------

One thing that could be unusual is that we are using no IP addresses
on the external interfaces facing the Internet (all the public IPs we have
are on the CARP interface carp0), and we use one of these addresses for
NAT to allow LAN hosts to access the Internet. Could this represent a
conflict with pfsync?

Any clue? Thanks in advance.

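The post deduces that states are not being replicated because connections die on CARP failover. A direct way to confirm that before touching the rules is to snapshot the state table on both firewalls (`pfctl -ss` on each) and diff them: any state the master holds that the backup lacks was never delivered over pfsync. The script below is an added example, not from the original post or from OpenBSD; the two `pfctl -ss` snapshots are constructed sample lines in the usual `all proto src -> dst STATE:STATE` layout, and the comparison keys only on protocol, source and destination so that normal TCP state drift between the peers (ESTABLISHED vs TIME_WAIT) is not reported as a sync failure. Lines for translated (NAT) states carry an extra parenthesised address and are not handled here; that is a simplification of this example.

```shell
#!/bin/sh
# Added example: compare `pfctl -ss` snapshots from the CARP master and the
# backup and list states the backup never received through pfsync.
# Both snapshots below are constructed sample data, not real firewall output.

MASTER_STATES='all tcp 10.1.1.20:49152 -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
all tcp 10.1.1.21:49200 -> 198.51.100.9:80        ESTABLISHED:ESTABLISHED
all udp 10.1.1.20:53124 -> 198.51.100.53:53       MULTIPLE:SINGLE
all tcp 10.1.1.22:50000 -> 198.51.100.10:21       TIME_WAIT:TIME_WAIT'

# The backup has only two of the four states: the download and the DNS query.
BACKUP_STATES='all tcp 10.1.1.20:49152 -> 198.51.100.7:443       TIME_WAIT:TIME_WAIT
all udp 10.1.1.20:53124 -> 198.51.100.53:53       MULTIPLE:SINGLE'

# Normalise one snapshot: drop the per-peer connection-state column (last field),
# squeeze whitespace, and sort, so that two entries match on proto/src/dst only.
normalize() {
    awk 'NF > 0 { $NF = ""; sub(/[ \t]+$/, ""); print }' | sort -u
}

# Print every normalised state in snapshot $1 (master) that is absent from $2 (backup).
missing_on_backup() {
    tmp_b=$(mktemp) || return 1
    printf '%s\n' "$2" | normalize > "$tmp_b"
    printf '%s\n' "$1" | normalize | awk -v bfile="$tmp_b" '
        BEGIN { while ((getline line < bfile) > 0) seen[line] = 1 }
        !($0 in seen) { print }'
    rm -f "$tmp_b"
}

# Number of unreplicated states; anything above zero means pfsync is not
# keeping the peer current and a failover will drop those connections.
missing_count() {
    missing_on_backup "$1" "$2" | awk 'END { print NR }'
}

# Stand-alone run: show what the backup is missing and how many entries that is.
echo "States on master but not on backup:"
missing_on_backup "$MASTER_STATES" "$BACKUP_STATES"
echo "Missing: $(missing_count "$MASTER_STATES" "$BACKUP_STATES")"
```

On real hosts, capture the two snapshots a few seconds apart (`pfctl -ss > /tmp/master.txt` on one firewall, the same on the backup, then copy one file across the pfsync link) and feed their contents to `missing_on_backup`; taking the snapshots while a long download is in progress shows whether that particular state ever reached the backup. With the sample data the script reports the two states only the master holds.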