    PFSync between two pfsense over a vlan tagged interface

    HA/CARP/VIPs
      bateau

      Hi,

      I posted a similar question in the general section. Anyway I'll repost here getting straight to the point.

      We have a classic CARP failover configuration with two pfsense firewalls with CARP virtual IPs, NAT, outgoing load balancing and so on.
      The only particularity is the synchronization interface which is a VLAN tagged interface over the physical LAN on every firewall.

      Could this lead to problems with heavy traffic and with a high state count? (sometimes we are having slowdowns when the state count reaches 7000-8000 and the only solution is to reboot the primary firewall.)
      Would it be better to have a pfsync physical interface?

      thanks,
      –
      bateu

        Eugene

        A dedicated interface for pfsync is always better, but the setup you describe is possible. I am not sure whether 8000 is a high state count; it probably depends on the hardware, but I do not believe it can lead to a reboot as the only solution.

        http://ru.doc.pfsense.org

          bateau

          @Eugene:

          A dedicated interface for pfsync is always better, but the setup you describe is possible. I am not sure whether 8000 is a high state count; it probably depends on the hardware, but I do not believe it can lead to a reboot as the only solution.

          Investigating a little more, I found that we have to reboot when pfSense has to catch up with very high DNS traffic.
          In such a scenario our nameservers become unresponsive and clients get stuck with DNS queries, bringing the state count higher.
          I don't know if the high DNS traffic is the cause or the effect; anyway, CPU and memory aren't affected that much, and after a reboot everything turns OK and the state count starts to get lower. The hardware NIC is OK.
          Maybe I'll investigate a little more, waiting for the next "flood".

          Bateu

            Eugene

            Sorry, but I can't imagine 'high DNS traffic' which can bring pfSense down unless you prepare and carry out some attack. -)))

            In such a scenario our nameservers become unresponsive and clients get stuck with DNS queries, bringing the state count higher.

            State count higher? Usually local computers use some local DNS server, which does not bring any load on pfSense, and the local name server(s) usually use one-two-three (OK, several) external DNS servers, but again this cannot increase the state count very much, because for every DNS query you use the same external name server(s).
            There is some inconsistency in your statement. I think yes, you should investigate further.

            http://ru.doc.pfsense.org

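An added example (not code from either poster) for the "investigate further" advice above: a Python script that parses `pfctl -ss` output and reports how much of the state table is DNS and how many UDP states are still waiting for a reply, which is the symptom an unresponsive resolver would leave behind. The sample lines below are constructed in the `pfctl -ss` layout (interface, protocol, source, optional NAT endpoint in parentheses, `->` or `<-`, destination, state); on the firewall, feed real output with `pfctl -ss | python3 states.py`.

```python
import re
import sys
from collections import Counter

# Constructed sample in the layout printed by `pfctl -ss` on pfSense/FreeBSD.
SAMPLE_STATES = """\
all udp 192.168.1.10:51234 -> 203.0.113.53:53       MULTIPLE:MULTIPLE
all udp 192.168.1.11:51235 -> 203.0.113.53:53       SINGLE:NO_TRAFFIC
all udp 192.168.1.12:51236 (198.51.100.2:60001) -> 203.0.113.54:53       SINGLE:NO_TRAFFIC
all tcp 192.168.1.10:52000 (198.51.100.2:60002) -> 198.51.100.80:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.1:443 <- 192.168.1.50:53212       ESTABLISHED:ESTABLISHED
all udp 192.168.1.1:53 <- 192.168.1.60:40000       MULTIPLE:SINGLE
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)"
    r"(?:\s+\((?P<nat>[^)]*)\))?\s+(?P<arrow>->|<-)\s+(?P<right>\S+)\s+(?P<state>\S+)\s*$"
)

def dst_port(endpoint):
    """pfctl prints IPv4 endpoints as addr:port and IPv6 endpoints as addr[port]."""
    if endpoint.endswith("]"):
        return endpoint[endpoint.rindex("[") + 1:-1]
    return endpoint.rsplit(":", 1)[1]

def parse_states(text):
    """Yield (proto, destination port, state) per line; '<-' means the left side is the destination."""
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # skip headers or lines in an unexpected layout
        dst = m["right"] if m["arrow"] == "->" else m["left"]
        yield m["proto"], dst_port(dst), m["state"]

def summarize(text):
    """Count states per (proto, port); flag UDP states with a query sent but no reply seen."""
    per_service, idle_udp, total = Counter(), 0, 0
    for proto, port, state in parse_states(text):
        total += 1
        per_service[(proto, port)] += 1
        if proto == "udp" and state == "SINGLE:NO_TRAFFIC":
            idle_udp += 1
    dns = per_service[("udp", "53")] + per_service[("tcp", "53")]
    return {"total": total, "dns_states": dns, "dns_share": dns / total if total else 0.0,
            "idle_udp": idle_udp, "top": per_service.most_common(3)}

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATES
    print(summarize(text))
```

A DNS share that climbs together with the idle UDP count while the total approaches the 7000-8000 range would point at the resolvers as the bottleneck; a flat DNS share would point elsewhere.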