
Connection pools, carp and pfsync



All,

I have an OpenBSD system that looks after two separate ADSL connections in a 
connection pool. The ADSL connections are from separate providers with 
separate /29 netblocks assigned. (Real load balancing over two lines is not 
possible on cost grounds, the cost for multiple leased lines being orders of 
magnitude higher than ADSL here).
The setup works very well - there is a script running on the OpenBSD system 
that watches the state of each link, and automatically reconfigures the 
connection pool should one link die.

But I still have a single point of failure - the OpenBSD system. Should it 
die, bye bye internet link even though we've got two of them.

So pfsync and CARP. Does anyone have any experience with this running a 
connection pool? I suspect it will work fine when everything's going well 
(both links are up), but the problems may arise when my script discovers a 
link down and re-runs pfctl to stop us from routing traffic over the dead 
link. It wouldn't be hard to write a script so that when one machine sees a 
dead link it tells the other to also drop the dead link - however, there will 
be a period (however small) when the pf on one system is different to the 
other.

Is this a job for pfsync and CARP, or am I better off just building the second 
machine as a hot-swap which can be immediately plugged in should the running 
one fail?
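
The window described above, where one firewall's pf differs from the other's, can be detected if both machines render the pool rule from link state alone and compare a digest of the result. The following is an added example, not part of the original post and not the poster's script; the interface names, addresses, LAN netblock and anchor name are constructed placeholders.

```shell
#!/bin/sh
# Added example. All names and addresses below are constructed placeholders.
# The rule uses the classic pf route-to pool syntax; current OpenBSD releases
# use a different route-to syntax.
INT_IF="em0"                    # assumed LAN-facing interface
LAN_NET="10.0.0.0/24"           # assumed LAN netblock
LINK1="tun0 192.0.2.1"          # assumed ADSL line 1: interface and gateway
LINK2="tun1 198.51.100.1"       # assumed ADSL line 2: interface and gateway
ANCHOR="uplinks"                # assumed anchor, declared in the main pf.conf

# render_pool STATE1 STATE2 (each "up" or "down")
# Prints the route-to rule built from the live links only. The output depends
# on nothing but the two states, so both firewalls render identical text.
render_pool() {
    members=""
    if [ "$1" = "up" ]; then members="($LINK1)"; fi
    if [ "$2" = "up" ]; then members="${members:+$members, }($LINK2)"; fi
    if [ -z "$members" ]; then
        echo "# no live uplink: no route-to rule emitted"
    elif [ "$1" = "up" ] && [ "$2" = "up" ]; then
        echo "pass in on $INT_IF route-to { $members } round-robin from $LAN_NET to any keep state"
    else
        echo "pass in on $INT_IF route-to $members from $LAN_NET to any keep state"
    fi
}

# pool_digest STATE1 STATE2: checksum of the rendered rule, cheap to exchange.
pool_digest() {
    render_pool "$1" "$2" | cksum | cut -d' ' -f1
}

# in_sync STATE1 STATE2 PEER_DIGEST
# Succeeds only when the peer reports the digest of the same rendered rule.
in_sync() {
    [ "$(pool_digest "$1" "$2")" = "$3" ]
}

# apply_pool STATE1 STATE2: load the rendered rule into the anchor. Needs root
# on a pf host, so it is defined here but never called by this example.
apply_pool() {
    render_pool "$1" "$2" | pfctl -a "$ANCHOR" -f -
}
```

How the peer's digest is fetched (for example over the sync interface) is left open; a mismatch that persists past one check interval is the condition worth alerting on.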


