Unexpected Traffic Duplication Issue in pfSense CARP Setup
-
Hello,
I'm currently encountering what appears to be an issue with my pfSense setup. Specifically, when traffic is directed to pfSense01 (the master), I've noticed that the same traffic is also visible on pfSense02 (the backup).
To provide some context, I have both pfSense instances running on separate VMware ESXi 8.0 hosts. I've ensured that promiscuous mode, MAC address changes, and forged transmits are turned OFF on the vSwitch. On the other hand, all three options are turned ON in the port group. Additionally, I have set the 'Net.ReversePathFwdCheckPromisc' option to '1' in VMware.
Additionally, CARP itself seems to work just fine. The master and backup are labeled correctly, and when I manually disable CARP on the master, the backup pfSense turns into the master in no time. The configurations and rules are also replicated just fine.
This behavior doesn't seem to align with what I would consider normal. While I've come across similar issues in previous discussions, I haven't found a definitive solution. I'm hopeful that someone in this community can offer some assistance.
Please let me know if any additional information is required to better understand the situation. Your help and insights would be greatly appreciated.
Thank you in advance.
Best regards,
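The vSwitch, port group and host settings listed in this post are the first things to verify on each ESXi host, because a port group with promiscuous mode enabled delivers every frame the vSwitch sees on that VLAN to every vNIC in the port group, which both explains why a second VM can observe traffic meant for the first and is worth knowing from a data-exposure standpoint. The PowerCLI script below is an added example written for this page, not part of the thread or of any Netgate or VMware documentation; the vCenter and host names are placeholders, and it only reports the current values so they can be compared against what the post describes.

```powershell
# Added example (not from the thread): audit the ESXi network security settings
# mentioned in the post on every host that carries a pfSense CARP node.
# Requires the VMware.PowerCLI module; server and host names are placeholders.
$server    = "vcenter.example.invalid"                                   # placeholder
$hostNames = @("esxi01.example.invalid", "esxi02.example.invalid")       # placeholders

Connect-VIServer -Server $server | Out-Null

$report = foreach ($vmHost in Get-VMHost -Name $hostNames) {

    # Host-level setting the post sets to 1: reverse-path check for promiscuous ports
    $rpf = Get-AdvancedSetting -Entity $vmHost -Name "Net.ReversePathFwdCheckPromisc"
    [PSCustomObject]@{
        Host        = $vmHost.Name
        Object      = "host advanced setting"
        Name        = $rpf.Name
        Promiscuous = $rpf.Value          # expected: 1
        MacChanges  = ""
        ForgedTx    = ""
        Note        = ""
    }

    # Standard vSwitches only; Get-SecurityPolicy -VirtualSwitch applies to those
    foreach ($vs in Get-VirtualSwitch -VMHost $vmHost -Standard) {
        $vsPol = Get-SecurityPolicy -VirtualSwitch $vs
        [PSCustomObject]@{
            Host        = $vmHost.Name
            Object      = "vSwitch"
            Name        = $vs.Name
            Promiscuous = $vsPol.AllowPromiscuous   # post: OFF
            MacChanges  = $vsPol.MacChanges         # post: OFF
            ForgedTx    = $vsPol.ForgedTransmits    # post: OFF
            Note        = ""
        }

        foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vs) {
            $pgPol = Get-SecurityPolicy -VirtualPortGroup $pg
            $note  = ""
            if ($pgPol.AllowPromiscuous) {
                # Every vNIC in this port group receives all frames on the vSwitch/VLAN
                $note = "promiscuous: all VMs in this port group see all frames"
            }
            [PSCustomObject]@{
                Host        = $vmHost.Name
                Object      = "port group"
                Name        = $pg.Name
                Promiscuous = $pgPol.AllowPromiscuous   # post: ON
                MacChanges  = $pgPol.MacChanges         # post: ON
                ForgedTx    = $pgPol.ForgedTransmits    # post: ON
                Note        = $note
            }
        }
    }
}

$report | Format-Table -AutoSize

Disconnect-VIServer -Server $server -Confirm:$false
```

Run it once per ESXi host (or let it walk both as above) and compare the two hosts line by line; a difference between the host that carries the master and the one that carries the backup, or a port group shared by both CARP nodes with promiscuous mode on, is the kind of detail that is useful to include when asking for help with a thread like this one.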
-
@Igor-Moura I do think some additional info would be nice. What traffic are both nodes seeing?
And I would also ask, just to double check, when you say traffic is directed to pfSense01, do you mean directly to its IP in the HA setup or do you mean traffic to the VIP that is being used? i.e. if you have say a 10.0.0.0/24 network, one node should be 10.0.0.2, the other 10.0.0.3, and then a CARP VIP should be used for 10.0.0.1 between them.
Additionally, how are you seeing this traffic hit both? Just via pcap?
I'm not 100% sure what you are seeing is abnormal, if traffic is going to the VIP like it should be on a given subnet, then both nodes may get that traffic but only the Master acts on it. I may be misunderstanding a bit about this as I've never validated in my HA setups if the Secondary gets the traffic to the VIP but I imagine that could be expected behavior. I'll try some pcaps myself on one of my HA setups when I have time to see what I'm seeing.
-
Thank you for your response, @planedrop.
The traffic issue I've encountered on both pfSenses is related to the WAN. I have a client that can access the internet without any problems. However, this traffic is being observed on both pfSense devices.
In my understanding when a client accesses the internet using the CARP IP, only the master should handle this traffic, and the backup pfSense should only be listening.
In response to your question, I've noticed this traffic on the Traffic Graph. As soon as I initiate, for example, a speed test on my LAN client, the WAN interface on the Traffic Graph shows a significant increase in activity. This exact behavior is also observed on the pfSense backup.
I hope this explanation clarifies my issue.
Once again, thank you for your time.
-
@Igor-Moura Thanks this helps a lot! Something definitely seems wrong here, I just tested this on one of my HA environments and the Secondary sees basically no WAN traffic (there will always be a bit but it's less than 20Kb per second vs the Primary which has a ton of traffic), so that isn't normal as far as I can tell.
I will do a bit more thinking to see if I can come up with why that might be happening.
In the meantime can you give a bit more about your CARP setup? Just to be sure everything seems in line.
-
"@planedrop, thank you once again for your response. I followed the official documentation on the Netgate website. Considering that I had the same environment running on Hyper-V, where I didn't experience this behavior, I believe the configuration itself is correct."
-
@Igor-Moura Happy to help.
I'm still not coming up with any reason this should be happening, quite odd if I'm being honest. It sounds like a configuration thing but I'm not sure what would actually cause that, if it were a bug though I would imagine my test or prod HA environments would be seeing it too.
I'll keep thinking on this and come back if I have any other ideas.
@stephenw10 any thoughts on this thread here? Nothing is immediately coming to mind that would cause traffic to end up on both nodes.