State tables seams not to be synced
-
Hey
I have two pfSense servers running with CARP and the failover works fine… But if I "kill" the master server, then it will take 3 - 4 secs before the slave takes over. If a user on the local net ie. are listening to af Netradio, the musik stops and restart buffering.
Is that normal?
When all is normal and i look at "State table size" at the statuspage, on master i says: 256/5000000 and on slave 5/5000000, is that right or do the system not sync the state table?
-
The CARP switch usually happens much faster than that.
What settings do you have on the CARP settings page for both the master and backup box?
And are you using CARP VIPs on both WAN and LAN?
-
The CARP switch usually happens much faster than that.
What settings do you have on the CARP settings page for both the master and backup box?
And are you using CARP VIPs on both WAN and LAN?
I have right now 4 interfaces + the pfsync interface. (Only WAN, OPT2 (DMZ), OPT3(DB-network) and OPT3(Management-net) have a CARP-IP)
If I look at the "CARP (failover)" statuspage, the status from Backup to Master switched right away, but is like the packet flow stops for 2 - 3 secs before, it works again.
If I ping at host on the internet and disconnect the master pfSense. Then one or two ping request times out, before I again receive an answer.
Is that right?
-
jimp: I found this on another post, is it right to do so?
QUOTE START
EDIT: Fixed it. On the slave machine, you have to enable "Synchronize Enabled" under CARP settings. This is quite unclear, because in the book it says "you should not configure synchronization from the backup to the master"..
QUOTE ENDFrom: http://forum.pfsense.org/index.php/topic,26487.0.html
-
Yeah we have a note into the book editor to have that added to the errata page. That's where I was headed with asking about the CARP settings on master/slave.
If that didn't fix it I was going to suggest double checking your outbound NAT settings to make sure you are applying outbound NAT to the CARP VIP on the WANs, which would be the next likely suspect if failover was "slow" but CARP switched fast.
-
I'm going to test it later today.
But is it right, if I have added an Outbound NAT rule, like this? (Please check the attachment)
-
That looks fine, so long as there isn't a more general rule above it. A screencap of the Outbound NAT overview screen (the whole screen) would be more telling.
-
Here you go.
By the way. Thank you for a perfect book. It is a big help on setting up pfSense.
-
The first rule will match anything from that subnet and NAT it without using a CARP VIP - you probably don't want that. Move it to the bottom, or change the rule to use a CARP VIP.
The second rule will NAT the DMZ to the WAN IP (not a VIP) of the box it's going out (same as above), not disable NAT. To disable NAT, just delete the rule.
-
We don't use the LAN interface. We have it only for a backup. That interface are not plugged in.
I have created a NAT rule for the DMZ, because it is bridged to the WAN interface. An then i have made this rule. (See the attachement) Should I delete it?
-
That might work, but it's better to just delete the rule. Without a matching rule, it wont get NAT.
The no-NAT box is really for making exceptions to other rules, not for disabling NAT on a given whole subnet.
-
How much do I have to config on the Slave, under CARP Settings?
Only check "Synchronize Enabled" or do I also have the fill-in the right pfSync interface and IP for the master?
-
This might clear it up, this is what should be on the book's errata page once the editor updates it:
In Section 20.4.4, there should be an additional paragraph above the
note at the end of the section. It should say:On the backup firewall, go to Firewall -> Virtual IPs, and click on the
CARP Settings tab. Check Synchronization Enabled, pick pfsync as the
Synchronize Interface, and for the pfsync sync peer IP, enter the IP
address for the primary system's pfsync interface, 172.16.1.2. Click
Save when finished. Do not set any other values on this page.The first sentence of the note at the end of the section should be
amended to read "You should not setup configuration synchronization from
the backup firewall to the master firewall" -
Thank you very much. I will test it all the day tomorrow, but I think i works now.
-
Hey Jimp
We have now moved the servers to our production enviroment, but onlt for test right now.
When the firewalls routes a heavy amount of data (In our production enviroment, we have 25Gbit internet connection, but only 1Gbit network adapter in the pfsense server). Testing the setup with af Gbit workstation on the locale network, and running speedtest.net the pfSense servers freeze. I have tested with having keyboard/monitor connected, and there it also freezes. The only thing I can do is to reboot the pfsense server and then i works agian, until I stresstest i again.
I can't find anything in the log, because it is cleared on every reboot.
I have found out, that I can stop it from frezing if I remove the CARP IP from the Translation address at the NAT rule for the locale subnet. It is setuped, like shown above.
I really hope you can help.
-
What kind of hardware is involved here?
Not sure if you'd be hitting a limit of what that can handle, or if it might be a network card driver bug or related issue.
As long as you're just testing, can you try a 2.0 snapshot instead?
-
But I don't think it is a hardware or driver bug, because it works just fine when it it uses the interface IP insted of the CARP IP.
Are there any way of showing an old log?
I can't use pfSense 2.0 because I need to use it in production within some days.
-
Should the limit of pfSense be 500-600Mbit/sek?
-
Testing with 2.0 would help narrow the problem down. It wasn't meant as a long-term solution (though if it works where 1.2.3 doesn't - it may have to be)
Even if your issue is with a CARP VIP, it could still be a driver issue. You could try a different type of network card (Intel, Broadcom, Realtek, etc) as a test also to see if the behavior changes.
Depending on the hardware, pfSense can handle more than that amount of traffic, though the exact amount also depends heavily on the number of packets per second (pps).
-
I haven't tryed with 2.0 yet. But im going to test it right away.
Maybe it is at problem with the driver. Im running pfSense 1.2.3 on af DELL R210 installed with an Intel
PRO/1000 MT Quad Port Server Adapter
I got the driver module if_igb.ko from another user of this forum, who had builded the driver on af FreeBSD. (He is now running with no problem)I have done this:
Edit /etc/inc/globals.inc - add igb to the list for vlans on line 79.
Edit /etc/inc/interfaces.inc - add igb to the list starting on line 1511.But are the maybe other places I should add something?
Thanks for your help.
