Netgate Discussion Forum

    pps reporting issue

      jms123

      We have two HA pairs of firewalls -

      HA1 running 2.4.4-RELEASE-p3
      HA2 running 2.4.5-RELEASE-p1

      Behind both sets of firewalls are multiple customers running VoIP, primarily using G.711 as the codec. The firewalls are pretty much configured the same, the only difference being that on HA1 there are over 100 CARP VIPs on the WAN interface.

      We have set up PRTG to monitor the WAN interface on the active firewall on both HA pairs.

      The issue we are seeing is in the number of pps reported by the firewalls on the WAN interface.

      On HA2 the number of reported pps matches what PRTG sees and if you do a calculation based on 200 byte packets (G.711) x pps you get pretty close to the actual bandwidth in use.

      On HA1, however, the pps reported by the firewall is much higher than that reported by PRTG, e.g. PRTG is saying 130,000 combined (in/out) at the moment whereas the firewalls are reporting approx 950,000 combined (in/out). If I do the same calculation to work out the bandwidth, the PRTG figure used comes pretty close to the actual bandwidth in use whereas the pfSense number is way out in terms of bandwidth used, e.g.

      PRTG numbers equate to approx 200 Mbps which is what PRTG reports (and the firewall also reports the traffic amount accurately).

      The firewall numbers (pps) equate to approx 1.4 Gbps which is way too high.

      Can anyone shed any light on what we are seeing and if there is any other way of viewing the stats etc.? At the moment I am inclined to think HA1 is just not reporting the pps accurately at all but am open to any ideas etc.

      Thanks

        stephenw10 Netgate Administrator

        Do the packet counts look correct in the output of netstat -i?

        You should really be using IPAliases on top of one (or a few) CARP VIP.
        https://docs.netgate.com/pfsense/en/latest/highavailability/reduce-heartbeat-traffic.html

        Steve

          jms123 @stephenw10

          Hi Steve

          Thanks again for responding.

          I'll check the counts tomorrow when I see the peak and correlate it with what I see in PRTG and come back.

          In terms of the number of CARPs I totally agree and I wouldn't set it up like this. The second set of firewalls (HA2) has just the WAN interface CARP VIP and then I use other VIPs and route subnets to the CARP VIP as I find this by far the most flexible in terms of what I can do with subnet allocations.

          Thanks again.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.