Load Balanced FW and site-to-site OpenVPN results in packet loss



  • I am networking two datacenters together.  Each datacenter has two pfSense 2.0 firewalls set up in Load Balanced mode.  Each datacenter is hosting an OpenVPN server config, listening on a CARP address, and an OpenVPN client that connects to the other datacenter (I need to have each internal network reach across to the other one).  Everything appears to be working; however, I consistently get 16% packet loss pinging internal IPs.  While I'm pinging the internal IP, I have 0% packet loss pinging the CARP public address the other datacenter's OpenVPN is listening on, so I know it is not the network.

    It appears to be related to the load balance setup.  When I look at the OpenVPN status on Site A, FW1, I see both the client and the server up.  When I look at the OpenVPN status on Site A, FW2, I see the client UP, but the server has no status.


    SITE A, FW01


    Peer to Peer Server Instance Statistics
    Name Status Connected Since Virtual Addr Remote Host Bytes Sent Bytes Received
    Internap to QTS UDP:1194 up Mon Jul 9 10:40:33 2012 10.0.8.1 XX.XX.9.66 23888499388 5081838664

    Client Instance Statistics
    Name Status Connected Since Virtual Addr Remote Host Bytes Sent Bytes Received
    QTS To Internap UDP up Tue Jul 17 17:08:37 2012 10.0.9.2 XX.XX.9.72 748 536


    SITE A, FW02


    Peer to Peer Server Instance Statistics
    Name Status Connected Since Virtual Addr Remote Host Bytes Sent Bytes Received
    Internap to QTS UDP:1194

    Client Instance Statistics
    Name Status Connected Since Virtual Addr Remote Host Bytes Sent Bytes Received
    QTS To Internap UDP up Tue Jul 17 17:09:31 2012 10.0.9.2 XX.XX.9.72 272 332


  • Rebel Alliance Developer Netgate

    You need to manually stop the OpenVPN clients on the unit in CARP backup state.

    In 2.0.2 and 2.1 we have coded it such that if an OpenVPN client is bound to a CARP VIP, it will be shut off when it's in backup state and then started again when it's in the master state.
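
A small sync script in the spirit of that fix, added here as an example (it is not from the thread and not pfSense's own rc.carpmaster/rc.carpbackup code): it reads the CARP role from ifconfig and starts or stops an OpenVPN client bound to the VIP accordingly, so the backup node never holds a second tunnel that registers the same virtual address and steals part of the return traffic. The carp0 interface name, the config path and the pid file are assumptions.

```shell
#!/bin/sh
# Added example (not pfSense code): keep an OpenVPN client bound to a CARP VIP
# in step with the CARP role of this node.
# Assumed, not from the thread: the VIP sits on FreeBSD 8 style interface carp0,
# the client config is /var/etc/openvpn/client1.conf and its pid file is
# /var/run/openvpn_client1.pid. Only "apply" mode touches processes.

CARP_IF="carp0"
OVPN_CONF="/var/etc/openvpn/client1.conf"
OVPN_PID="/var/run/openvpn_client1.pid"

# Extract the CARP role (MASTER, BACKUP or INIT) from `ifconfig $CARP_IF`
# output read on stdin, e.g. "carp: MASTER vhid 1 advbase 1 advskew 0".
carp_state() {
    awk '/carp:/ { print $2; found = 1 } END { if (!found) print "UNKNOWN" }'
}

# Decide what the client should be doing for a given CARP role. A client that
# keeps running while the node is BACKUP brings up a second tunnel with the
# same virtual address, which is the packet loss described in the thread.
client_action() {
    case "$1" in
        MASTER)      echo "start" ;;
        BACKUP|INIT) echo "stop" ;;
        *)           echo "leave" ;;   # unknown state: do nothing rather than flap
    esac
}

client_running() {
    [ -f "$OVPN_PID" ] && kill -0 "$(cat "$OVPN_PID")" 2>/dev/null
}

# Apply the decision idempotently, so it is safe from cron or from a CARP
# state-change hook.
apply_action() {
    case "$1" in
        start) client_running || /usr/local/sbin/openvpn --config "$OVPN_CONF" \
                   --daemon --writepid "$OVPN_PID" ;;
        stop)  client_running && kill "$(cat "$OVPN_PID")" ;;
    esac
    return 0
}

if [ "${1:-}" = "apply" ]; then
    state=$(ifconfig "$CARP_IF" | carp_state)
    apply_action "$(client_action "$state")"
fi
```

Run it as `sh carp_ovpn_sync.sh apply` on each node (for example every minute from cron) to enforce the rule; without the argument it only defines the functions.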



  • That did the trick.  Any idea when 2.0.2 or 2.1 will be released?


  • Rebel Alliance Developer Netgate

    2.0.2 will be any day now, I would have done the final prep last week but I was out on vacation until yesterday. And now there was an ISC DHCPD vulnerability so I had to make a whole new batch of images and run more tests. (fun…)

    You can get 2.0.2 snapshots from here - http://snapshots.pfsense.org/FreeBSD_RELENG_8_1/i386/pfSense_RELENG_2_0/updates/?C=M;O=D
    They should be safe in every way except the name says RC3... Unless I find a problem, it may be out next week.



  • Hi, any news on the 2.0.2 release?

    We would really, really like to see working OpenVPN with UDP and CARP without disabling OpenVPN on the slave.
    Any chance to get an update URL?

    regards

    BTW, pfSense is very nice and stable!


  • Rebel Alliance Developer Netgate

    @ReneG:

    Hi, any news on the 2.0.2 release?

    We would really, really like to see working OpenVPN with UDP and CARP without disabling OpenVPN on the slave.
    Any chance to get an update URL?

    regards

    BTW, pfSense is very nice and stable!

    There's a thread on that here - http://forum.pfsense.org/index.php/topic,52810.0.html

