Date: Thu, 1 Apr 2021 14:37:03 +0300
From: Plamen Mladenov <f0x0ff@gmail.com>
To: freebsd-pf@freebsd.org
Subject: pfsync - Active/Active + defer on
Message-ID: <CAKxafXE2rQVeJs%2Bugu9-qG0ubt6ndFfs5jAwqPa5mmdwepHHsQ@mail.gmail.com>
Hello,

I'm trying to set up an active-active PF cluster (consisting of 2 FreeBSD hosts: FW1 and FW2) using pfsync and a dynamic routing protocol (CARP is not used in this deployment).

All works as expected when IN/OUT traffic for a single session is symmetrical (uses either FW1 or FW2). The problem I'm facing is when the traffic is asymmetrical. For example:

(1) Client ----------TCP SYN ---------> FW1 -------------------------------------> Server
                                         |
                                       pfsync
                                         |
(2) Client <--------------------------------- FW2 <------- TCP SYN+ACK------- Server

The client is sending a TCP segment with the SYN flag set, which is received and allowed by FW1 and sent to the server. The server is replying with a TCP segment with the SYN and ACK flags set (just as per the TCP 3-way handshake), but this TCP segment is routed to FW2. At that time FW2 hasn't received the SYN-SENT session (from FW1) yet and therefore it denies that TCP segment. A few milliseconds after that FW2 gets the session from FW1, but the SYN+ACK is already dropped and a TCP retransmission occurs.

I've found that this behavior can be fixed with the pfsync "defer" option; however, based on my lab and prod tests, this option is not changing anything. As per my understanding, the initial packet should be delayed until the session is replicated between both firewalls, but that's not the case.

My other concern is that although the "defer" option is there (I can successfully turn it on/off and see it with ifconfig pfsync0), I can't find a word about it in man 4 pfsync on FreeBSD (unlike in the OpenBSD documentation), which makes me think there is a reason why it's not in the man page.

Can someone confirm: is the pfsync "defer" option working on FreeBSD?

Regards,
Plamen Mladenov
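To make the ordering problem in the message concrete, here is a constructed event-ordering model of the asymmetric-routing race (an added example, not pf code and not from the poster): two firewalls, a pfsync link with a fixed replication delay, and a SYN+ACK that returns through the peer. It assumes that deferral holds the forwarded SYN until the state insert has reached the peer and been acknowledged (one sync delay each way); all delay values are constructed.

```python
"""Model of the pfsync SYN / SYN+ACK race on an active-active pair.

Without `defer`, FW1 forwards the SYN at once, so the server's SYN+ACK can
reach FW2 before the pfsync state insert does and is dropped as a packet
with no matching state. With `defer`, FW1 holds the SYN until the peer has
the state. Times are milliseconds; every value here is constructed.
"""
import heapq


def simulate(sync_delay_ms, server_rtt_ms, defer):
    """Return FW2's verdict on the SYN+ACK ('pass' or 'drop') and the event log."""
    fw2_states = set()          # FW2's state table (flow keys only)
    log = []
    events = []                 # heap of (time, seq, event, payload)
    seq = 0

    def schedule(t, name, payload=None):
        nonlocal seq
        heapq.heappush(events, (t, seq, name, payload))
        seq += 1

    flow = ("10.0.0.1", 12345, "192.0.2.10", 443)   # constructed 4-tuple
    schedule(0, "syn_at_fw1")   # (1) client SYN arrives at FW1 at t=0

    while events:
        t, _, name, payload = heapq.heappop(events)
        if name == "syn_at_fw1":
            # FW1 creates a SYN-SENT state and emits a pfsync insert.
            schedule(t + sync_delay_ms, "pfsync_insert_at_fw2", flow)
            # Assumed defer semantics: hold the SYN for insert + ack round trip.
            hold = 2 * sync_delay_ms if defer else 0
            schedule(t + hold, "syn_forwarded")
        elif name == "pfsync_insert_at_fw2":
            fw2_states.add(payload)
            log.append((t, "fw2: state installed"))
        elif name == "syn_forwarded":
            # Server answers after one RTT; reply is routed back via FW2 (2).
            schedule(t + server_rtt_ms, "synack_at_fw2", flow)
        elif name == "synack_at_fw2":
            verdict = "pass" if payload in fw2_states else "drop"
            log.append((t, f"fw2: SYN+ACK {verdict}"))
            return verdict, log
    return "no-packet", log


if __name__ == "__main__":
    for defer in (False, True):
        print("defer" if defer else "no defer", simulate(5, 1, defer)[0])
```

Sweeping `sync_delay_ms` against `server_rtt_ms` shows the poster's observation: the drop only appears when the server answers faster than the state replicates, which is why symmetric paths and slow servers mask the problem.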