PfSense locks up when using virtual IPs with NAT
This is more of a PSA regarding something that has been bothering us since pfSense version 2.3.x at least.
Description of issue:
pfSense randomly locks up and stops working. Our first occurrence of this was in February this year.
Configuration Description:
- Public IP range routed to the WAN (or CARP IP) of the pfSense device
- Virtual IP configured for NAT with one of the following options: Proxy ARP or "Other subnet"
- NAT rule configured to use the above IP
- This happens in HA mode as well. First the primary unit freezes and, shortly after, the backup unit starts freezing.
- There is nothing allowed incoming on the WAN side. LAN side is allow all. There is a floating rule to block access to management ports from LAN side ports.
Observations:
- Traffic levels don't seem to matter. We have experienced this with traffic levels between 100Mbps and 2000Mbps.
- Absolutely no logs or crash reports are generated of the event.
- Remote console / directly connected screen is unresponsive
- Happens with multiple hardware devices. We've tried 2 different Supermicro modules (same/similar as Netgate devices and 1 Dell Server)
- Bought commercial support for one of the affected locations. Netgate suggested we switch to "Other subnet" for NAT "Overload". Still crashes.
- IP Alias or NAT-ing on the WAN address does not suffer the same issues. Seems to only happen when using a NAT "Pool".
- I've not tried using a "Host alias" as a NAT overload network
All the servers involved have passed a 24 hour Memtest64.