Recommendations - large firewall sandwich deployment
-
stevemitchell: Sounds like pfsync is not syncing the states. Might want to double check on the backup node that you see the state size increasing to match close to the primary. In terms of backup nodes, no, they will not process traffic in backup mode.
I will check that - I had to take things out of the mix for now until I can figure out how I can maintain the source/internal address on the WAN side…
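As an added illustration of the check suggested above (not code from the thread): the state-table size reported by `pfctl -s info` on the primary and the backup node can be compared so a large gap stands out. The two outputs below are constructed sample text so the script runs offline; on real nodes you would capture them from each box.

```shell
#!/bin/sh
# Added example: compare pf state-table size on a CARP primary and its
# pfsync backup. Both outputs are constructed samples, not captured data.

PRIMARY_INFO='Status: Enabled for 2 days 04:11:09           Debug: Urgent

State Table                          Total             Rate
  current entries                    48210
  searches                       982131031         3301.2/s
  inserts                         17422210           58.6/s
  removals                        17374000           58.4/s'

# Constructed backup output with far fewer entries: the symptom of pfsync
# not replicating states to the backup node.
BACKUP_INFO='Status: Enabled for 2 days 04:10:58           Debug: Urgent

State Table                          Total             Rate
  current entries                      117
  searches                          204411            0.7/s
  inserts                             5110            0.0/s
  removals                            4993            0.0/s'

# state_count: print the "current entries" value from pfctl -s info output.
state_count() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }'
}

# states_in_sync: succeed when the backup holds at least MIN_PCT percent of
# the primary's states. A small lag is normal; a large gap means pfsync is
# not carrying the states across.
states_in_sync() {
    primary=$1; backup=$2; min_pct=${3:-90}
    [ "$primary" -gt 0 ] || return 1
    pct=$(( backup * 100 / primary ))
    [ "$pct" -ge "$min_pct" ]
}

p=$(state_count "$PRIMARY_INFO")
b=$(state_count "$BACKUP_INFO")
if states_in_sync "$p" "$b"; then
    echo "pfsync OK: primary=$p backup=$b"
else
    echo "pfsync NOT replicating: primary=$p backup=$b (check pfsync interface and peer)"
fi
```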
-
Use advanced outbound NAT.
Also might want to use static port depending on your apps in use internally.
-
I did switch to the advanced outbound NAT and things seem to be showing up source address-wise correctly.
Why would I want to use static ports? Are you thinking of apps that don't like to be translated or routed?
-
By default PF scrambles the source port so if your applications are expecting the traffic on a specific source port it might confuse them.
-
A gotcha. Any way to disable that? I saw various options that sounded like they might do that…
-
Advanced outbound NAT, edit interface entry, click "Use static port".
-
I am on vacation now and will be slow to respond. Hopefully the book can help you in the meantime.