Re: pfsync on VLAN - supported ?

2019-11-14 Thread Stuart Henderson
On 2019-11-13, Chris Cappuccio  wrote:
> Rachel Roch [rr...@tutanota.de] wrote:
>> Hi,
>> 
>> Both the man page and FAQ (https://www.openbsd.org/faq/pf/carp.html) 
>>  talk about "physical interface" 
>> in relation to the syncdev parameter.
>> 
>> Does this mean Bad Things (TM) will happen if I try to use a dedicated vlan 
>> interface for pfsync ?
>> 
>
> It's as secure as your ethernet network is. There is no privacy or
> authentication with pfsync. I don't think that using a vlan is 
> considered a big problem these days. I'm absolutely amazed at the
> volume of data that pfsync generates. Since so many boxes come with extra
> ports, using a vlan may be more complicated than directly connecting
> the boxes together (unless you have more than two machines)
>
>

Use jumbos if you can.

Re: pfsync on VLAN - supported ?

2019-11-14 Thread Rachel Roch
14 Nov 2019, 11:21 by liste...@wernig.net:

> On 14.11.2019 11:30, Rachel Roch wrote:
>
>>>> Does this mean Bad Things (TM) will happen if I try to use a dedicated 
>>>> vlan interface for pfsync ?

> I have had pfsync running happily over a vlan interface for years, never
> a problem.
>
>> Regarding the extra port, in my case I'm using that for LACP (my switches 
>> support distributed LACP, so I can have two cables going into two switches)
>>
> Having the sync port physically redundant and connected to a switch is a
> very good idea, because a crossover cable will cause a carp demote
> whenever the other firewall goes down or is rebooted, afair.
>
> best /m
>

Regarding your last point, if your recollection is correct, then surely it is 
something the powers that be should consider adding to the FAQ and man pages 
forthwith ? It seems to me like a rather important thing to know.  ;-)

Thanks for your input, much appreciated.



Re: pfsync on VLAN - supported ?

2019-11-14 Thread Markus Wernig
On 14.11.2019 11:30, Rachel Roch wrote:
>>> Does this mean Bad Things (TM) will happen if I try to use a dedicated vlan 
>>> interface for pfsync ?
I have had pfsync running happily over a vlan interface for years, never
a problem.

> Regarding the extra port, in my case I'm using that for LACP (my switches 
> support distributed LACP, so i can have two cables going into two switches)
Having the sync port physically redundant and connected to a switch is a
very good idea, because a crossover cable will cause a carp demote
whenever the other firewall goes down or is rebooted, afair.

best /m



Re: pfsync on VLAN - supported ?

2019-11-14 Thread Rachel Roch
13 Nov 2019, 20:21 by ch...@nmedia.net:

> Rachel Roch [rr...@tutanota.de] wrote:
>
>> Hi,
>>
>> Both the man page and FAQ (https://www.openbsd.org/faq/pf/carp.html) 
>>  talk about "physical interface" 
>> in relation to the syncdev parameter.
>>
>> Does this mean Bad Things (TM) will happen if I try to use a dedicated vlan 
>> interface for pfsync ?
>>
>
> It's as secure as your ethernet network is. There is no privacy or
> authentication with pfsync. I don't think that using a vlan is 
> considered a big problem these days. I'm absolutely amazed at the
> volume of data that pfsync generates. Since so many boxes come with extra
> ports, using a vlan may be more complicated than directly connecting
> the boxes together (unless you have more than two machines)
>

Thanks Chris !

Regarding the extra port, in my case I'm using that for LACP (my switches 
support distributed LACP, so I can have two cables going into two switches)



Re: pfsync on VLAN - supported ?

2019-11-13 Thread Chris Cappuccio
Rachel Roch [rr...@tutanota.de] wrote:
> Hi,
> 
> Both the man page and FAQ (https://www.openbsd.org/faq/pf/carp.html) 
>  talk about "physical interface" in 
> relation to the syncdev parameter.
> 
> Does this mean Bad Things (TM) will happen if I try to use a dedicated vlan 
> interface for pfsync ?
> 

It's as secure as your ethernet network is. There is no privacy or
authentication with pfsync. I don't think that using a vlan is 
considered a big problem these days. I'm absolutely amazed at the
volume of data that pfsync generates. Since so many boxes come with extra
ports, using a vlan may be more complicated than directly connecting
the boxes together (unless you have more than two machines)
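As an added example, not posted by anyone in this thread: one way to put pfsync on a dedicated vlan syncdev as Rachel asks, confine the unauthenticated pfsync traffic Chris mentions to that link with pf, and raise the MTU as Stuart suggests, in OpenBSD hostname.if(5) and pf.conf(5) syntax. The interface names, VLAN tag, addresses and the 9000-byte MTU are assumptions; the keywords (vnetid, parent, syncdev, syncpeer, proto pfsync, no-sync) are the real vlan(4), pfsync(4) and pf.conf(5) ones.

```conf
# /etc/hostname.em1 -- parent NIC for the sync VLAN (interface name assumed).
# Jumbo MTU so the vlan child can carry large pfsync updates; 9000 is an
# assumption, use whatever your NIC and switch actually support.
mtu 9000
up

# /etc/hostname.vlan10 -- dedicated sync VLAN (tag and addresses assumed).
# The vlan inherits the parent's MTU; nothing but the two firewalls lives here.
vnetid 10
parent em1
inet 10.255.0.1 255.255.255.0
up

# /etc/hostname.pfsync0 -- bind pfsync to the vlan rather than a bare NIC.
# syncpeer makes updates unicast to the other firewall instead of multicast
# on the segment (peer address assumed).
syncdev vlan10
syncpeer 10.255.0.2
up

# /etc/pf.conf excerpt -- pfsync has no authentication or privacy, so pass it
# only on the sync vlan and drop it on every other interface. Order matters:
# both rules are quick, so the pass must come first. (no-sync) stops the
# state for the sync traffic itself from being replicated to the peer.
sync_if = "vlan10"
pass quick on $sync_if proto pfsync keep state (no-sync)
block quick proto pfsync
```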



pfsync on VLAN - supported ?

2019-11-13 Thread Rachel Roch
Hi,

Both the man page and FAQ (https://www.openbsd.org/faq/pf/carp.html) 
 talk about "physical interface" in 
relation to the syncdev parameter.

Does this mean Bad Things (TM) will happen if I try to use a dedicated vlan 
interface for pfsync ?

Thanks !

Rachel