Netgate Discussion Forum

    [Answered] Secondary node is very slow to update package repository, install packages, etc.

    HA/CARP/VIPs
    • cmcdonald (Netgate Developer)

      I have a new HA cluster of two nodes.

      The secondary node is very slow in the Web GUI... things like updating the package repository prior to installing a package take many, many minutes.

      Additionally, if I ping out (say to 8.8.8.8) from the LAN interface on the secondary, I get 100% packet loss. However, if I ping out from the LAN interface on the primary, I get 0% packet loss.

      So I believe the slowness has to do with a NAT issue on the secondary.

      If I manually change the outbound NAT entry for my LAN to use the WAN Interface Address instead of the WAN VIP on the secondary, everything works fine.

      Need help fast? https://www.netgate.com/support

      • JeGr (LAYER 8 Moderator)

        @vbman213 said in Secondary node is very slow to update package repository, install packages, etc.:

        If I manually change the outbound NAT entry for my LAN to use the WAN Interface Address instead of the WAN VIP on the secondary, everything works fine.

        Did you only change it for your LAN or for all NAT entries to do it via WAN VIP instead of IP? How was your NAT setup with VIP (screenshot)?

        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

        • Derelict (LAYER 8 Netgate)

          Do not outbound NAT to the CARP VIP for traffic sourced from the firewall itself. Only set outbound NAT for the inside addresses that actually need NAT.

          A common mistake is setting outbound NAT for 127.0.0.0/8 and/or any sources to the CARP VIP.

          That won't work on the node that is BACKUP because that address does not exist on that node at that time.

          "If I manually change the outbound NAT entry for my LAN to use the WAN Interface Address instead of the WAN VIP on the secondary, everything works fine."

          It should not matter for LAN sources, but for traffic sourced from the firewall itself.

          If this isn't making sense you'll need to post your outbound NAT rules.

          Chattanooga, Tennessee, USA
          The pfSense Book is free of charge!
          DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

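One way to audit for the misconfiguration described in the reply above, as an added example that is not part of the thread or pfSense's own code: it scans translation rules in the text format pf prints (for instance from `pfctl -sn`) and reports those that NAT 127.0.0.0/8 or any source to a CARP VIP. The sample rules, interface name and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# pf prints NAT rules as: nat on <if> [inet] from <src> to <dst> -> <target> ...
NAT_RE = re.compile(r"^nat on (\S+)(?: inet6?)? from (\S+).* -> (\S+)")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample: 203.0.113.10 is the CARP VIP, 203.0.113.11 the node's own WAN address.
SAMPLE_RULES = """\
nat on igb0 inet from 127.0.0.0/8 to any -> 203.0.113.10 port 1024:65535
nat on igb0 inet from 192.168.1.0/24 to any -> 203.0.113.10 port 1024:65535
nat on igb0 inet from any to any -> 203.0.113.10 port 1024:65535
nat on igb0 inet from 127.0.0.0/8 to any -> 203.0.113.11 port 1024:65535
"""

def covers_firewall_traffic(source):
    """True if the rule source is 'any' or an IPv4 range overlapping 127.0.0.0/8."""
    if source == "any":
        return True
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return False  # table, negation or interface name: not judged here
    return net.version == 4 and net.overlaps(LOOPBACK)

def nat_rules_to_carp_vip(rules_text, carp_vips):
    """Return (interface, source, target) for rules that would translate
    firewall-sourced traffic to a CARP VIP, which is absent on the BACKUP node."""
    vips = {ipaddress.ip_address(v) for v in carp_vips}
    findings = []
    for line in rules_text.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        iface, source, target = m.groups()
        try:
            target_ip = ipaddress.ip_address(target)
        except ValueError:
            continue  # target given as an interface reference, not an address
        if target_ip in vips and covers_firewall_traffic(source):
            findings.append((iface, source, target))
    return findings

if __name__ == "__main__":
    for iface, source, target in nat_rules_to_carp_vip(SAMPLE_RULES, ["203.0.113.10"]):
        print(f"{iface}: source {source} is translated to CARP VIP {target}")
```

The LAN rule (192.168.1.0/24 to the VIP) is not reported, matching the advice to NAT only the inside addresses that need it.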
          • cmcdonald (Netgate Developer)

            Thanks for the tips! This resolved the issue!
