Carp + Multiwan + load balancer
-
The first problem here is that broadcast/multicast packets go from LAN(s) to WAN. Then a broadcast storm happens.
To reproduce the problem:
- Fresh install of pfSense-1.2.3-RC2 from 24 June 2009 snapshot
- LAN remains with 192.168.1.1/24, WAN=2.2.2.1/24 GW 2.2.2.254
- Enable AON
- Create failover loadbalancer on WAN with ICMP to 2.2.2.254 (doesn't matter actually)
- Modify default rule for LAN to 'allow all from any to any with Loadbalancer as gateway'
Then connect to LAN anything that has an IP not belonging to 192.168.1.0/24 and is broadcasting.
In the pictures below I connected an MS Windows machine with 192.168.2.2
Left: LAN, Right: WAN
-
I am not seeing quite the same as you.
You have a LAN broadcast appear on your WAN
I have another "LAN"'s broadcast get repeated on the same interface that it arrived on. So, I conjecture that "internal" addresses (RFC <whatever it is>) get repeated inappropriately.
My skills only go as far as iptables on Linux I'm afraid but I think I need to learn pf pretty damn quick! To get around my snag I am VMming my pfSense system and using 802.1Q + trunking. Besides, I can't wedge enough NICs into the box. I have five ADSL lines now! (Our office is pretty rural and even ADSL Max is a bit slow)
Looking at our results and to confirm or reject my conjecture, we need you to generate a broadcast on your WAN from an internal address and I need to generate a LAN-based broadcast and see if it crosses over to a WAN (or three). Once I've moved my production pfSense router over to the virtual side, I'll have its old standby to play with.
Cheers
Jon
-
You are seeing consequences, I am seeing a cause; this is the only difference. ;-)
If a multicast/broadcast packet goes from LAN to WAN and there is CARP then you get a storm.
What is important (and interesting) is that when I connect my laptop, broadcasting with the same IP, to the WAN net segment then there is no storm. The same packet (at layer 3) coming from LAN (remember - no NAT) does cause a storm.
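As an added example, not from the thread or from pfSense itself: a pf.conf fragment showing the LAN rule from the reproduction steps above (any source, any destination, load balancer as gateway) beside an ordering that keeps broadcast/multicast destinations and off-subnet sources such as 192.168.2.2 out of the policy route, so they are never pushed out WAN. The interface names em0/em1 and the single `route-to` gateway standing in for the generated load-balancer pool are assumptions.

```pf
# Added example: assumed interface names and gateway, not pfSense's generated ruleset.
lan_if  = "em0"
wan_if  = "em1"
lan_net = "192.168.1.0/24"
wan_gw  = "2.2.2.254"
bcast   = "{ 255.255.255.255, 192.168.1.255, 224.0.0.0/4 }"

# Problematic (what the modified default LAN rule amounts to):
# every packet entering LAN, broadcasts and off-subnet sources included,
# is policy-routed out WAN.
#
# pass in on $lan_if inet from any to any route-to ($wan_if $wan_gw)

# Corrected ordering: match what must stay local before the policy-routing
# rule, without a gateway, so it is handled on the box and never forwarded.
pass in quick on $lan_if inet from any to $bcast
pass in quick on $lan_if inet from any to $lan_net

# Only traffic sourced from the LAN subnet is policy-routed; a host that
# is not in 192.168.1.0/24 (like the 192.168.2.2 laptop) falls through.
pass in quick on $lan_if inet from $lan_net to any route-to ($wan_if $wan_gw)
block in quick on $lan_if inet from ! $lan_net to any
```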