4. PFSync between two pfsense over a vlan tagged interface

PFSync between two pfsense over a vlan tagged interface

  • B

    Hi,

    I posted a similar question in the general section. Anyway I'll repost here getting straight to the point.

    We have a classic CARP failover configuration with two pfsense firewalls with CARP virtual IPs, NAT, outgoing load balancing and so on.
    The only particularity is the synchronization interface which is a VLAN tagged interface over the physical LAN on every firewall.

    Could this lead to problems with heavy traffic and with a high state count? (sometimes we are having slowdowns when the state count reaches 7000-8000 and the only solution is to reboot the primary firewall.)
    Would it be better to have a pfsync physical interface?

    thanks,

    bateu

    0
  • E

    Dedicated interface for pfsync is always better but setup described by you is possible. I am not sure whether 8000 is high state count, probably it depends on hardware but I do not believe it can lead to reboot as the only solution.

    0
  • B

    @Eugene:

    Dedicated interface for pfsync is always better but setup described by you is possible. I am not sure whether 8000 is high state count, probably it depends on hardware but I do not believe it can lead to reboot as the only solution.

    Investigating a little more I found that we have to reboot when pfsense has to catch up with very high DNS traffic.
    In such scenario our nameservers become unresponsive and clients get stuck with dns queries bringing the state count higher.
    Don't know if the high dns traffic is the cause or the effect, anyway CPU and memory aren't so much affected and after a reboot everything turns ok and state count starts to get lower. Hardware nic is ok.
    Maybe I'll investigate a little more, waiting for the next "flood".

    Bateu

    0
  • E

    sorry, but I can't imagine 'high DNS traffic' which can bring pfSense down unless you prepare and carry on some attack. -)))

    In such scenario our nameservers become unresponsive and clients get stuck with dns queries bringing the state count higher.

    State count higher? usually local computers use some local dns server which does not bring any load on fpSense and local name server(s) usually use one-two-three (ok - several) external dns but again it can not increase states count very high because for every dns-query you use the same external name server(s).
    There is some inconsistency in your statement. I think yes, you should investigate further.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy