Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Bridge and Translation Address causes pfSense to freezz

    Scheduled Pinned Locked Moved 2.0-RC Snapshot Feedback and Problems - RETIRED
    27 Posts 2 Posters 10.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      cyberfinn
      last edited by

      Hey

      I maybe think i have found a bug i both 1.2.3 and in the newest build: pfSense-2.0-BETA4-20100919-0059 (amd64).

      I have installed a pfSense 2.0beta4 and added following interfaces:

      WAN - IP: xxx.xxx.xxx.3 - Gateway: xxx.xxx.xxx.1
      LAN - IP: 10.0.0.2
      DMZ - Bridged with WAN in bridge0

      Then I have added some CARP IP's for the interfaecs: WAN = xxx.xxx.xxx.2 and LAN = 10.0.0.1 (Because I want to run the setup in failover)

      Then I have created Advanced Outgoing Nat rules for LAN, where I have added the WAN CARP IP as the Translation Address for the LAN NAT rule.

      When Iโ€™m then downloading some data from the internet (WAN), from a computer inside the LAN, the pfSense box stops to answer (aften 30-60 sec), also the console stops and the only thing I can do, is a reboot of the server.
      If I remove the bridge between WAN and DMZ, OR the Translation Address from the NAT rule, it works perfect.

      I have created another post long time ago, when I found the problem in the 1.2.3 version, but now I have tested with 2.0 and have the same problem. http://forum.pfsense.org/index.php/topic,27118.0.html

      I hope anyone with 3 interfaces would test this, to comfirm. (I have tryed with two dirrerent servers, so i don't think it's an hardware error)

      /Jacob

      1 Reply Last reply Reply Quote 0
      • C
        cyberfinn
        last edited by

        Has anyone tryed?

        1 Reply Last reply Reply Quote 0
        • jimpJ
          jimp Rebel Alliance Developer Netgate
          last edited by

          Sounds like something I ran into last week. I wasn't able to do CARP with bridging in 1.2.x or 2.0 or it resulted in the machine seizing. Seems to be an OS bug of some kind, not sure there's much we can do, other than do not use CARP+bridging (which we've never recommendedโ€ฆ)

          It used to work on 1.2, but there were a lot of underlying OS changes to bridging since then.

          Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            To expand on that, I changed the exact same setup to routing+carp, and it's been flawless for a week on the exact same hardware.

            Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • C
              cyberfinn
              last edited by

              I can get CARP+briding to work, but when I add the CARP IP to the Translation Address for the NAT outgoing rule, the system craches.

              If I can't use bridge+CARP, how should I then setup a high-availability firewall for our hosting setup. Do we have to NAT all IPs? Or do we have to buy some commercial software?

              1 Reply Last reply Reply Quote 0
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                I did full routing, no NAT, but I had a ton of IPs handy.

                Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • jimpJ
                  jimp Rebel Alliance Developer Netgate
                  last edited by

                  Really for what you're doing you also need four interfaces, you seem to be missing a sync interface for a proper high-availability setup. Doing the sync can work on LAN, but it is not ideal.

                  Also, to clarify, was your NAT translation from LAN -> WAN CARP, and it did not involve trying to apply NAT to traffic from the bridge?

                  Another problem with doing CARP+LAN+Bridge like that is you cannot get a route from the bridged items to the LAN. You cannot contact a CARP VIP on WAN from the Bridged segment (or you used to not be able to, I still don't think it works) so those items can't get a route back through.

                  Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                  1 Reply Last reply Reply Quote 0
                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    And one more thing to try: Does it still break if you assign bridge0 as WAN instead of what used to be your WAN interface? (then add the old WAN as another OPT and make sure the bridge interface is still bridging the right way)

                    Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • C
                      cyberfinn
                      last edited by

                      Yes. The servers have 6 NIC's but to simplify the problem, I have disabled the pfSync, to check if it had anything to do with it.

                      Yes. The NAT translation was for the LAN IP's where I added the CARP WAN IP.
                      How can I check for that the system not are natting traffic from the bridge? (I have added an screenshot of my outgoing NAT configuration)

                      Its right, I can't contact the WAN CARP IP from within the bridged segment.

                      Should I try to assign the bridge0 to the WAN interface? And then add the old NIC til an extra OPT? WHwre should I then setup the IP. On the WAN og OPT interface?

                      Capture.PNG
                      Capture.PNG_thumb

                      1 Reply Last reply Reply Quote 0
                      • jimpJ
                        jimp Rebel Alliance Developer Netgate
                        last edited by

                        IP would be setup on the new WAN (which would really be bridge0) the old WAN (physical interface) would merely be assigned and enabled with an IP type of none as a stub so it can be used in the bridge GUI.

                        Only work on WAN (bridge0) once you assign it that way.

                        The NAT rules look OK, as long as none of those IPs match items in the DMZ.

                        Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                        1 Reply Last reply Reply Quote 0
                        • C
                          cyberfinn
                          last edited by

                          I will try that, an then return with a result.

                          1 Reply Last reply Reply Quote 0
                          • jimpJ
                            jimp Rebel Alliance Developer Netgate
                            last edited by

                            OK. I also started a ticket with some info from when I hit it last week, if you can provide any other input/observations over what I have in there already, I can add them.

                            http://redmine.pfsense.org/issues/910

                            Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                            Need help fast? Netgate Global Support!

                            Do not Chat/PM for help!

                            1 Reply Last reply Reply Quote 0
                            • C
                              cyberfinn
                              last edited by

                              Could you maybe explain how we should setup it up, if we are going with the routing mode.

                              What are the pro/cons of that choise?

                              1 Reply Last reply Reply Quote 0
                              • jimpJ
                                jimp Rebel Alliance Developer Netgate
                                last edited by

                                You'd just move items in the DMZ to a separate subnet from those in WAN.

                                If you have a large enough WAN subnet and control of how it hits your network, you could split what you have into two smaller subnets and use some in the DMZ also.

                                There isn't anything fancy about that kind of setup, it's a standard CARP+DMZ setup. Each unit would need an IP in the new subnet, plus one shared CARP VIP to act as the gateway for the DMZ items.

                                Routing it is much cleaner, you won't have to worry about bridging or not being able to reach LAN, and failover is known to work flawlessly in that scenario.

                                Alternately, you could try two pairs of routers. A CARP HA setup for LAN, and a separate CARP HA setup that bridges that doesn't involve NAT (if that does turn out to be the problem).

                                Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                                Need help fast? Netgate Global Support!

                                Do not Chat/PM for help!

                                1 Reply Last reply Reply Quote 0
                                • C
                                  cyberfinn
                                  last edited by

                                  We have a C-class provide from our co-location company.

                                  The IP xxx.xxx.xxx.1 is the gateway provided from the co-location company.

                                  We need to route rest of IP's to the DMZ. Are there an how-to, where it explains how to setup this in a HA enviroment.

                                  1 Reply Last reply Reply Quote 0
                                  • jimpJ
                                    jimp Rebel Alliance Developer Netgate
                                    last edited by

                                    Not sure if there is a how-to, some of that is covered in the book.

                                    If many of your things will be in the DMZ, you might split that up into two /25's and have your ISP adjust their side, and route the higher IPs to your WAN CARP VIP, so you can use them internally.

                                    The subnetting could get a bit trickier if you need more than that, and might involve some other changes on the ISP side as well.

                                    Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                                    Need help fast? Netgate Global Support!

                                    Do not Chat/PM for help!

                                    1 Reply Last reply Reply Quote 0
                                    • C
                                      cyberfinn
                                      last edited by

                                      I have following in my network:
                                      One /24 subnet
                                      One /26 subnet
                                      One /29 subnet

                                      Can i then use the /24 subnet for the DMZ and ie. the /29 subnet for the WAN? Without having the ISP to do anything?

                                      1 Reply Last reply Reply Quote 0
                                      • jimpJ
                                        jimp Rebel Alliance Developer Netgate
                                        last edited by

                                        That should work, if your Master/Back/WAN CARP VIPs are in the /29, and the /24 is completely on the DMZ (Master, Backup, and Shared CARP for DMZ)

                                        It should work fine

                                        Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                                        Need help fast? Netgate Global Support!

                                        Do not Chat/PM for help!

                                        1 Reply Last reply Reply Quote 0
                                        • C
                                          cyberfinn
                                          last edited by

                                          And it would be a better solution, instead of a bridge+CARP configuration.

                                          Are there any downsides of using the routing setup combined with CARP?

                                          1 Reply Last reply Reply Quote 0
                                          • C
                                            cyberfinn
                                            last edited by

                                            For at routing setup I do the following:

                                            Subnets: xxx.xxx.183.168/29 and xxx.xxx.214.0/24

                                            pfSense - Master:
                                            WAN: xxx.xxx.183.171
                                            DMZ: xxx.xxx.214.3

                                            pfSense - Backup:
                                            WAN: xxx.xxx.183.172
                                            DMZ: xxx.xxx.214.4

                                            CARP IPS:
                                            WAN: xxx.xxx.183.170
                                            DMZ: xxx.xxx.214.2

                                            WAN are using xxx.xxx.183.169 as Gateway (Provide by ISP)
                                            Hosts on the DMZ network are using xxx.xxx.214.3 as gateway (The CARP IP for DMZ)

                                            Is that a working enviroment?

                                            What about the IP: xxx.xxx.214.1 that are provide from our ISP as Gateway for the xxx.xxx.214.0/24 subnet?

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.