On 2012-06-12 20:24, Simon Perreault wrote:
> On 2012-06-12 14:08, Bernd wrote:
>> I've got two OpenBSD 5.1-stable/amd64 boxes employed which do all the routing for our AS (OpenBGPd and OpenOSPFd). I see asymmetric traffic (I thought it to be that way), which itself doesn't really create problems. However, I see problems with ICMP. pf seems to drop all but the first response from any of the hosts within our network (seen from the Internet).
>>
>> Any idea how to deal with this? As soon as I turn off pf, everything
>> runs smoothly.
>
> Without having the details of your setup, the big principle is: pf is
> stateful (by default). Statefulness doesn't play well with asymmetric
> routing. I'm sure if you investigate a little bit more you'll discover
> it's not limited to ICMP.
>
> In the end the solution will be one of: remove statefulness, avoid
> asymmetric routing, or share state with pfsync.

I thought of removing statefulness or using pfsync. I run quite a few load balancer setups that use, of course, pfsync and it runs like a charm. However, removing statefulness seems the more appropriate solution to me. Removing asymmetry isn't really an option, I guess, as there's more infrastructure than just my two core routers.

> My two cents: try to avoid statefulness on core routers. Move
> stateful elements to the edge, where routing is symmetric.

What might be the easiest solution to have pf not care about states any longer -- using 'keep state sloppy'? Or disabling statefulness entirely (how?)?

> Simon

Thanks,

Bernd
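
The two pf options raised in this message, written out as a pf.conf fragment. This is an added example, not part of the original thread or anyone's actual ruleset; the interface names and macros are assumptions.

```conf
# Added example, not from the thread. Interface names are assumptions.
ext_if = "em0"   # hypothetical: link towards upstreams/peers
int_if = "em1"   # hypothetical: link towards the internal network

# pf default: a bare "pass" rule implies "flags S/SA keep state".
# A router that sees only one direction of a flow either never creates
# the state or holds one that the rest of the flow does not match.
# pass on { $ext_if $int_if }

# Option A: stateless filtering ("no state").
# Every packet is evaluated against the ruleset on its own, so traffic
# has to be permitted explicitly in both directions. "flags any" makes
# the TCP rule match every segment instead of only the initial SYN.
pass on { $ext_if $int_if } inet proto tcp flags any no state
pass on { $ext_if $int_if } inet proto { udp icmp } no state

# Option B: sloppy state tracking ("keep state (sloppy)").
# State entries are still created, but TCP sequence numbers are not
# checked, which pf.conf(5) notes makes insertion and ICMP teardown
# attacks easier. It cannot be combined with modulate or synproxy state.
# Use it instead of Option A, not together with it.
# pass on { $ext_if $int_if } inet proto tcp flags any keep state (sloppy)
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `pfctl -ss` lists the state table, which should stay empty for traffic matched by the `no state` rules.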
