Netgate Discussion Forum
    State tables seams not to be synced

      cyberfinn:

      Hey

      I have two pfSense servers running with CARP and the failover works fine… But if I "kill" the master server, it takes 3 - 4 secs before the slave takes over. If a user on the local net, i.e., is listening to a net radio, the music stops and restarts buffering.

      Is that normal?

      When all is normal and I look at "State table size" on the status page, on the master it says 256/5000000 and on the slave 5/5000000. Is that right, or does the system not sync the state table?

        jimp (Rebel Alliance Developer, Netgate):

        The CARP switch usually happens much faster than that.

        What settings do you have on the CARP settings page for both the master and backup box?

        And are you using CARP VIPs on both WAN and LAN?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          cyberfinn:

          @jimp:

          The CARP switch usually happens much faster than that.

          What settings do you have on the CARP settings page for both the master and backup box?

          And are you using CARP VIPs on both WAN and LAN?

          I currently have 4 interfaces + the pfsync interface. (Only WAN, OPT2 (DMZ), OPT3 (DB-network) and OPT3 (Management-net) have a CARP IP.)

          If I look at the "CARP (failover)" status page, the status switches from Backup to Master right away, but it is like the packet flow stops for 2 - 3 secs before it works again.

          If I ping a host on the internet and disconnect the master pfSense, then one or two ping requests time out before I receive an answer again.

          Is that right?

            cyberfinn:

            jimp: I found this in another post; is it right to do so?

            QUOTE START
              EDIT: Fixed it. On the slave machine, you have to enable "Synchronize Enabled" under CARP settings. This is quite unclear, because in the book it says "you should not configure synchronization from the backup to the master"..
            QUOTE END

            From: http://forum.pfsense.org/index.php/topic,26487.0.html

              jimp:

              Yeah, we have a note in to the book editor to have that added to the errata page. That's where I was headed with asking about the CARP settings on master/slave.

              If that didn't fix it I was going to suggest double checking your outbound NAT settings to make sure you are applying outbound NAT to the CARP VIP on the WANs, which would be the next likely suspect if failover was "slow" but CARP switched fast.

                cyberfinn:

                I'm going to test it later today.

                But is it right if I have added an Outbound NAT rule like this? (Please check the attachment.)

                [attachment: Untitled-2.jpg]

                  jimp:

                  That looks fine, so long as there isn't a more general rule above it. A screencap of the Outbound NAT overview screen (the whole screen) would be more telling.

                    cyberfinn:

                    Here you go.

                    By the way. Thank you for a perfect book. It is a big help on setting up pfSense.

                    [attachment: Capture.PNG]

                      jimp:

                      The first rule will match anything from that subnet and NAT it without using a CARP VIP - you probably don't want that. Move it to the bottom, or change the rule to use a CARP VIP.

                      The second rule will NAT the DMZ to the WAN IP (not a VIP) of the box it's going out (same as above), not disable NAT. To disable NAT, just delete the rule.

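The rule-ordering point jimp makes above, as an added example (not code from the thread or from pfSense): a small Python model of top-down outbound NAT matching that flags interface-address rules which shadow CARP VIP rules and applies the suggested reorder. The interface name, subnets and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class NatRule:
    """One outbound NAT rule: interface, matching source subnet, and where it NATs to."""
    iface: str
    source: str          # source subnet the rule matches, e.g. "10.10.20.0/24"
    translation: str     # address traffic is NATed to (interface address or CARP VIP)
    is_carp_vip: bool    # True when 'translation' is a CARP VIP shared by both nodes

def first_match(rules: List[NatRule], iface: str, src_ip: str) -> Optional[NatRule]:
    """Outbound NAT is evaluated top-down: the first rule matching interface and source wins."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.iface == iface and ip in ipaddress.ip_network(rule.source):
            return rule
    return None

def shadowing_rules(rules: List[NatRule]) -> List[int]:
    """Indexes of non-VIP rules that sit above a CARP VIP rule on the same interface
    with an overlapping source, i.e. rules that steal traffic meant to use the VIP."""
    bad = []
    for i, rule in enumerate(rules):
        if rule.is_carp_vip:
            continue
        net = ipaddress.ip_network(rule.source)
        for later in rules[i + 1:]:
            if (later.iface == rule.iface and later.is_carp_vip
                    and net.overlaps(ipaddress.ip_network(later.source))):
                bad.append(i)
                break
    return bad

def move_non_vip_to_bottom(rules: List[NatRule]) -> List[NatRule]:
    """The suggested fix: keep CARP VIP rules first, push interface-address rules to the end."""
    return [r for r in rules if r.is_carp_vip] + [r for r in rules if not r.is_carp_vip]

# Constructed sample (hypothetical addresses): a catch-all rule to the WAN interface
# address placed above per-subnet rules that use the shared CARP VIP.
RULES = [
    NatRule("em0", "10.10.0.0/16", "198.51.100.2", False),   # WAN interface address
    NatRule("em0", "10.10.20.0/24", "198.51.100.10", True),  # DMZ -> CARP VIP
    NatRule("em0", "10.10.30.0/24", "198.51.100.10", True),  # DB net -> CARP VIP
]

if __name__ == "__main__":
    hit = first_match(RULES, "em0", "10.10.20.5")
    print("before:", hit.translation, "VIP" if hit.is_carp_vip else "interface address")
    print("shadowing rule indexes:", shadowing_rules(RULES))
    hit = first_match(move_non_vip_to_bottom(RULES), "em0", "10.10.20.5")
    print("after: ", hit.translation, "VIP" if hit.is_carp_vip else "interface address")
```

States built on the interface address die with the node that owns it, which is why the DMZ host above would lose its sessions on failover until the catch-all is moved below the VIP rules.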
                        cyberfinn:

                        We don't use the LAN interface. We have it only as a backup. That interface is not plugged in.

                        I have created a NAT rule for the DMZ, because it is bridged to the WAN interface. And then I have made this rule. (See the attachment.) Should I delete it?

                        [attachment: Capture.PNG]

                          jimp:

                          That might work, but it's better to just delete the rule. Without a matching rule, it won't get NAT.

                          The no-NAT box is really for making exceptions to other rules, not for disabling NAT on a given whole subnet.

                            cyberfinn:

                            How much do I have to config on the Slave, under CARP Settings?

                            Only check "Synchronize Enabled", or do I also have to fill in the right pfsync interface and IP for the master?

                              jimp:

                              This might clear it up, this is what should be on the book's errata page once the editor updates it:

                              In Section 20.4.4, there should be an additional paragraph above the note at the end of the section. It should say:

                              On the backup firewall, go to Firewall -> Virtual IPs, and click on the CARP Settings tab. Check Synchronization Enabled, pick pfsync as the Synchronize Interface, and for the pfsync sync peer IP, enter the IP address for the primary system's pfsync interface, 172.16.1.2. Click Save when finished. Do not set any other values on this page.

                              The first sentence of the note at the end of the section should be amended to read "You should not setup configuration synchronization from the backup firewall to the master firewall"

                                cyberfinn:

                                Thank you very much. I will test it all day tomorrow, but I think it works now.

                                  cyberfinn:

                                  Hey Jimp

                                  We have now moved the servers to our production environment, but only for testing right now.

                                  When the firewalls route a heavy amount of data (in our production environment we have a 25Gbit internet connection, but only a 1Gbit network adapter in the pfSense server), testing the setup with a Gbit workstation on the local network and running speedtest.net, the pfSense servers freeze. I have tested with a keyboard/monitor connected, and it also freezes there. The only thing I can do is reboot the pfSense server, and then it works again until I stress test it again.

                                  I can't find anything in the log, because it is cleared on every reboot.

                                  I have found out that I can stop it from freezing if I remove the CARP IP from the Translation address in the NAT rule for the local subnet. It is set up like shown above.

                                  I really hope you can help.

                                    jimp:

                                    What kind of hardware is involved here?

                                    Not sure if you'd be hitting a limit of what that can handle, or if it might be a network card driver bug or related issue.

                                    As long as you're just testing, can you try a 2.0 snapshot instead?

                                      cyberfinn:

                                      But I don't think it is a hardware or driver bug, because it works just fine when it uses the interface IP instead of the CARP IP.

                                      Is there any way of showing an old log?

                                      I can't use pfSense 2.0 because I need to use it in production within some days.

                                        cyberfinn:

                                        Should the limit of pfSense be 500-600 Mbit/sec?

                                          jimp:

                                          Testing with 2.0 would help narrow the problem down. It wasn't meant as a long-term solution (though if it works where 1.2.3 doesn't - it may have to be)

                                          Even if your issue is with a CARP VIP, it could still be a driver issue. You could try a different type of network card (Intel, Broadcom, Realtek, etc) as a test also to see if the behavior changes.

                                          Depending on the hardware, pfSense can handle more than that amount of traffic, though the exact amount also depends heavily on the number of packets per second (pps).

                                            cyberfinn:

                                            I haven't tried with 2.0 yet. But I'm going to test it right away.

                                            Maybe it is a problem with the driver. I'm running pfSense 1.2.3 on a DELL R210 installed with an Intel® PRO/1000 MT Quad Port Server Adapter.
                                            I got the driver module if_igb.ko from another user of this forum, who had built the driver on FreeBSD. (He is now running with no problem.)

                                            I have done this:
                                            Edit /etc/inc/globals.inc - add igb to the list for vlans on line 79.
                                            Edit /etc/inc/interfaces.inc - add igb to the list starting on line 1511.

                                            But are there maybe other places I should add something?

                                            Thanks for your help.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.