From owner-freebsd-pf@FreeBSD.ORG  Wed Jan 28 15:11:10 2015
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 8F5ED176
 for <freebsd-pf@freebsd.org>; Wed, 28 Jan 2015 15:11:10 +0000 (UTC)
Received: from upn.univ-paris13.fr (upn.univ-paris13.fr [194.254.164.7])
 by mx1.freebsd.org (Postfix) with ESMTP id 54FE7FE2
 for <freebsd-pf@freebsd.org>; Wed, 28 Jan 2015 15:11:09 +0000 (UTC)
Received: from smtp.univ-paris13.fr (smtp.univ-paris13.fr [192.168.0.72])
 by upn.univ-paris13.fr (Mail Server) with ESMTP id 732342881D6
 for <freebsd-pf@freebsd.org>; Wed, 28 Jan 2015 16:01:54 +0100 (CET)
Received: from [81.194.43.41] (unknown [81.194.43.41])
 (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits))
 (No client certificate requested) (Authenticated user : hidden)
 by smtp.univ-paris13.fr (Postfix) with ESMTPSA id 6A3C83EA0C8
 for <freebsd-pf@freebsd.org>; Wed, 28 Jan 2015 16:01:54 +0100 (CET)
Message-ID: <54C8F9DC.5060803@univ-paris13.fr>
Date: Wed, 28 Jan 2015 16:01:48 +0100
From: Nicolas Greneche <nicolas.greneche@univ-paris13.fr>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
 rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
Subject: Active/Active PF
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jan 2015 15:11:10 -0000

Hi all,

I browse list archives to get information about active/active PF. I 
tried several keywords : active/active, load balancing ...

I have this setup :

|-----|                |-----|
|     |----- FW1 ------|     |
| SW1 |                | SW2 |
|     |----- FW2 ------|     |
|-----|                |-----|

There is an etherchannel between SW1 and SW2.

FW1 is bridged on the first physical link of the etherchannel. FW2 is on 
the second link.

With stateless rules, everything is OK. With stateful filtering it seems 
that pfsync is not fast enough to sync state table.

I tried to set maxupd to 1 to avoid pfsync update bufferization. I also 
enabled the defer mode on.

Do you have any idea ?

-- 
Nicolas Grenèche

Old blog : http://blog.etcshadow.fr
New blog : http://nsm.etcshadow.fr
Tel : 01 49 40 40 35
Fax : 01 48 22 81 50