pfSense locks up when using virtual IPs with NAT



  • This is more of a PSA regarding something that has been bothering us since pfSense version 2.3.x at least.

    Description of issue:
    pfSense randomly locks up and stops working. Our first occurrence of this was in February this year.

    Configuration Description:

    • Public IP range routed to the WAN (or CARP IP) of the pfSense device

    • Virtual IP configured for NAT with one of the following options: Proxy ARP or "Other subnet"

    • NAT rule configured to use the above IP

    • This happens in HA mode as well. First the primary unit freezes and, shortly after, the backup unit starts freezing.

    • There is nothing allowed incoming on the WAN side. LAN side is allow all. There is a floating rule to block access to management ports from LAN side ports.

    Observations:

    • Traffic levels don't seem to matter. We have experienced this with traffic levels between 100Mbps and 2000Mbps.

    • Absolutely no logs or crash reports are generated of the event.

    • Remote console / directly connected screen is unresponsive.

    • Happens with multiple hardware devices. We've tried 2 different Supermicro modules (same/similar as Netgate devices) and 1 Dell Server.

    • Bought commercial support for one of the affected locations. Netgate suggested we switch to "Other subnet" for NAT "Overload". Still crashes.

    • IP Alias or NAT-ing on the WAN address does not suffer the same issues. Seems to only happen when using a NAT "Pool".

    • I've not tried using a "Host alias" as a NAT overload network

    All the servers involved have passed a 24 hour Memtest64.