Netgate Discussion Forum

    PfSense locks up when using virtual IPs with NAT

      xciter327

      This is more of a PSA regarding something that has been bothering us since pfSense version 2.3.x at least.

      Description of issue:
      pfSense randomly locks up and stops working. Our first occurrence of this was in February this year.

      Configuration Description:

      • Public IP range routed to the WAN (or CARP IP) of the pfSense device

      • Virtual IP configured for NAT with one of the following options: Proxy ARP or "Other subnet"

      • NAT rule configured to use the above IP

      • This happens in HA mode as well. First the primary unit freezes and shortly after, the backup unit starts freezing.

      • There is nothing allowed incoming on the WAN side. LAN side is allow all. There is a floating rule to block access to management ports from LAN side ports.

      Observations:

      • Traffic levels don't seem to matter. We have experienced this with traffic levels between 100Mbps and 2000Mbps.

      • Absolutely no logs or crash reports are generated of the event.

      • Remote console / directly connected screen is unresponsive

      • Happens with multiple hardware devices. We've tried 2 different Supermicro modules (same/similar to Netgate devices) and 1 Dell server.

      • Bought commercial support for one of the affected locations. Netgate suggested we switch to "Other subnet" for NAT "Overload". Still crashes.

      • IP Alias or NATing on the WAN address does not suffer the same issues. Seems to only happen when using a NAT "Pool".

      • I've not tried using a "Host alias" as a NAT overload network.

      All the servers involved have passed a 24 hour Memtest64.

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.