Netgate Discussion Forum

    NAT

    Category: 2.1 Snapshot Feedback and Problems - RETIRED
    4 Posts, 3 Posters, 1.7k Views
    Olman

      NAT problem:

      We have a large setup, about 40 servers that act as web browsers over NAT, connecting to clients' web sites and harvesting statistics; each server may connect to up to 100 web pages simultaneously. The total number of states is close to 100,000. All of this works over pfSense 1.2.3. The NAT setting is the default.

      For improvement I have a new network where some portion of these servers was transferred.
      And 2.1-BETA1, built on: Thu Mar 28 00:48:46 EDT 2013

      NAT: any -> IP EXT network/30, Pool: Round robin with sticky address.
      Have a problem with intermittent denied connections from the servers to a web site. Opening a browser, the website spins without a page showing up. The connection on the server is in FIN state. Restarting the firewall appears to fix it, for a certain time. Then it appears again.

      Changed NAT: any -> IP EXT network/30, Pool: Source Hash.
      Total disaster, everything almost dies; sporadically a connection is established, but overall nothing passes through NAT.

      Now I have switched to AUTO; it looks like a simple network to a single WAN address.
      Will tell the result tomorrow.

      The NAT pool feature is definitely broken.
      (The new test network generated about 15,000 states, state changes 80-150 cps, approx. 30 Mbit traffic.)

      Oh, the firewall is in conservative mode … (old 1.2.3 and new 2.1); both have 16GB memory.

      Update 1: The WAN NAT network is defined as "Proxy ARP", due to the fail-over configuration. Could this cause the problem?

      gerdesj

        You seem to have a very specific use case and it needs tuning accordingly.  Is this pfSense used for anything else apart from the client web site testing?

        You could look at reducing the amount of time that a state exists - it is something like 5 minutes by default:

        System: Advanced: Firewall and NAT -> Firewall Optimization Options.  You could set this to aggressive.  There are several other options on that page to change the way the states work.

        Cheers
        Jon

        cmb

          You can't do proxy ARP with failover, if you have that setup on both systems you're creating an IP conflict, which would explain all your problems when NATing to those additional IPs. They'll have to be CARP IPs.

          Olman

            "You can't do proxy ARP with failover" - Thank you!!!!
            That was exactly the problem ….. I just realized the proxy ARP was constantly on on BOTH servers (initially assuming such a configuration is dynamically turned on/off on the second node).

            So the right steps:
            1. create 3 CARP IP addresses
            2. list these 3 IP addresses as 1 alias
            3. NAT any -> alias pool from step 2
            4. set the pool option

            Can someone advise a pool option (3 options): round-robin sticky; random sticky; hash? (behind approx. 40 crazy servers with 2-5K connections to the outside in a time frame)

            Thank you all.

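As an added illustration of step 3 and the three pool options asked about above (not from the thread or from pfSense itself), this is the plain pf.conf equivalent of the outbound NAT rule pfSense builds from such an alias. Assumed names and addresses: WAN interface em0, LAN 10.0.0.0/24, and three CARP VIPs 203.0.113.11-13 from the documentation range.

```pf
# Added example, not pfSense-generated config. Assumptions: WAN is em0,
# the server network is 10.0.0.0/24, the CARP VIPs are 203.0.113.11-13.
wan_if   = "em0"
servers  = "10.0.0.0/24"
# The three translation addresses must be CARP VIPs held by the master node.
# If both nodes proxy-ARP for them instead, both answer ARP for the same
# addresses and the upstream router sees an IP conflict (cmb's point above).
nat_pool = "{ 203.0.113.11, 203.0.113.12, 203.0.113.13 }"

# Option 1: round-robin with sticky-address. New source hosts get the next
# VIP in turn; a host keeps its VIP for as long as it has states open.
nat on $wan_if from $servers to any -> $nat_pool round-robin sticky-address

# Option 2: random with sticky-address. Same stickiness, VIP chosen at random.
# nat on $wan_if from $servers to any -> $nat_pool random sticky-address

# Option 3: source-hash. The VIP is a hash of the source address, so each
# server always maps to the same VIP and pf keeps no stickiness state for it.
# nat on $wan_if from $servers to any -> $nat_pool source-hash
```

Only one of the three nat lines should be active at a time; after loading, `pfctl -sn` shows the translation rule that is in effect and `pfctl -ss` lists the states carrying the chosen VIPs.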
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.