Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Broadcast storm

    Scheduled Pinned Locked Moved
    HA/CARP/VIPs
    1
    2
    4.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      Eugene
      last edited by

      Hello.
      two carped pfSense boxes, very simple:
          192.168.0.1/24 _________  38.x.x.1/25
              –----------|pfSense1|---------
              |          lan  ---------- wan      | C:38.x.x.3
      ------|C:192.168.0.3                        |-----------
              |                ________            |
                -----------|pfSense2|---------
          192.168.0.2/24 ---------  38.x.x.2/25

      Everything works perfectly. Problem appears when you have allow 'all rule' on LAN interface.
      By chance I connected laptop with 1.1.1.1/24 to LAN subnet and what I see - on WAN interface I immediately get storm of 1.1.1.1->1.1.1.255 udp src/dst port 137. I see these packets from both wan interfaces (MACs) to FF:FF:FF:FF:FF:FF.
      If I disconnect laptop storm does not stop. If I disconnect a cable from any firewall storm stops.

      The second scenario. Laptop is connected to LAN, one of WANs disconnected. Periodically I see packets 1.1.1.1->1.1.1.255:137 on connected WAN but no storm. As soon as I connect the second WAN I get storm with the first packet.

      No mess with ACTIVE/STANDBY states of carps. Tried HP and DELL severs, Intel and Broadcom NICs, pfSense-1.2 and 1.2.2 - the same results.
      Can anybody explain this to me please. I feel that I do not understand something very simple -(((
      Thanks.

      http://ru.doc.pfsense.org

      1 Reply Last reply Reply Quote 0
      • E
        Eugene
        last edited by

        Update.
        The problem appears only when you have load-balancer configured (in failover mode). So initially I was struck by this problem in configuration with two WAN interfaces. But it is not important to have the second one. Just configure laoad-balancer at WAN interface (with only 1 member) and create rule on LAN allow from all to all with gateway=load-balancer. As soon as you do it you will get two issues:

        1. broadast packets go easily from LAN to WAN
        2. if you have outgoing NAT for these broadcasts then everything is ok. You can see src=38.x.x.3 dst=192.168.0.255 at WAN interface. BUT if you do not have outgoing NAT for the packet (ip on connected to LAN device uses different subnet) then you end up with broadcast storm with packets src=a.b.c.x dst=a.b.c.255.

        I do not understand why it happens as there is nothing connected to wan interfaces - just cable connecting two firewalls -((( It seems as both WAN interfaces try to route these broadcast traffic.

        192.168.0.1/24 _________  38.x.x.1/25
                –----------|pfSense1|---------
                |          lan  ---------- wan      | C:38.x.x.3
        ------|C:192.168.0.3                        |
                |                ________            |
                  -----------|pfSense2|---------
            192.168.0.2/24 ---------  38.x.x.2/25

        If anybody interested I can send config.xml from these boxes but setup is pretty simple...

        http://ru.doc.pfsense.org

        1 Reply Last reply Reply Quote 0
        • First post
          Last post