Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    PfSense locks up when using virtual IPs with NAT

    NAT
    1
    1
    216
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • X
      xciter327 last edited by

      This is more of a PSA regarding something that has been bothering us since pfSense version 2.3.x at least.

      Description of issue:
      pfSense randomly locks up and stops working. Our first occurrence of this was in February this year.

      Configuration Description:

      • Public IP range routed to the WAN(or CARP IP) of the pfsense device

      • Virtual IP configured for NAT with one of the following options: Proxy ARP or "Other subnet"

      • NAT rule configured to use the above IP

      • This happens in HA mode as well. First the primary unit freezes and shortly after, then backup unit starts freezing.

      • There is nothing allowed incoming on the WAN side. LAN side is allow all. There is a floating rule to block access to management ports from LAN side ports.

      Observations:

      • Traffic levels don't seem to matter. We have experienced this with traffic levels between 100Mbps and 2000Mbps.

      • Absolutely no logs or crash reports are generated of the event.

      • Remote console / Directly connected screen is un-responsive

      • Happens with multiple hardware devices. We've tried 2 different Supermicro modules(same/similar as Netgate devices and 1 Dell Server)

      • Bought commercial support for one of the affected locations. Netgate suggeted we switch to "Other subnet" for NAT "Overload". Still crashes.

      • IP Alias or NAT-ing on the WAN address does not suffer the same issues. Seems to only happen when using a NAT "Pool".

      • I've not tried using a "Host alias" as a NAT overload network

      All the servers involved have passed a 24 hour Memtest64.

      1 Reply Last reply Reply Quote 0
      • First post
        Last post

      Products

      • Platform Overview
      • TNSR
      • pfSense
      • Appliances

      Services

      • Training
      • Professional Services

      Support

      • Subscription Plans
      • Contact Support
      • Product Lifecycle
      • Documentation

      News

      • Media Coverage
      • Press
      • Events

      Resources

      • Blog
      • FAQ
      • Find a Partner
      • Resource Library
      • Security Information

      Company

      • About Us
      • Careers
      • Partners
      • Contact Us
      • Legal
      Our Mission

      We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

      Subscribe to our Newsletter

      Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

      © 2021 Rubicon Communications, LLC | Privacy Policy