    Netgate Discussion Forum
    Pfsync strange behavior

    HA/CARP/VIPs
    • P
      Pedro Serotto last edited by

      Dear all,
      I'm in trouble with pfsync.

      First of all, let me describe my environment. I have a couple of Soekris net6501 boxes on which I have installed 2.0.1-RELEASE (i386). Both machines are connected to a Dell PowerConnect 2824, with a VLAN for the WAN interfaces and a VLAN for the LAN interfaces. The two pfsync NICs are directly connected through a crossover cable. The rules are quite simple: about ten inbound NAT rules, eight load balancer pools and eight CARP virtual IPs. Nothing else.

      I try to test the failover capability. So I add a CARP virtual interface on the WAN side and another one on the LAN side. I have a NAT rule that redirects all traffic on port 11111 of the WAN virtual IP to the same port on a small PC inside the LAN. Obviously the small PC has an IP address in the same subnet as the LAN interface and uses a LAN virtual IP as its default gateway.

      On the WAN side I try to download a large file from the WAN virtual IP; during the download, I unplug the master firewall's WAN interface. After a while the download resumes correctly but, if I wait longer to let it finish, very often my connection stalls.

      I try to configure the pfsync synchronize peer IP in different ways (adding the other pfsync IP address on both sides, or only on one side, or leaving that field empty), but the result is always the same.

      The only thing that I notice in system.log that looks strange is that after about 10 seconds, on the unplugged master firewall, the statement "check_reload_status: Reloading filter" appears, and on the slave firewall, in filter.log, I find a lot of dropped connections from the small PC to my public IP.

      That's all. Could you kindly give me some suggestions to fix this situation?

      Many, many thanks

      Pedro

      1 Reply Last reply Reply Quote 0
      • jimp
        jimp Rebel Alliance Developer Netgate last edited by

        In the CARP settings on both units, make sure:

        1. pfsync enable checkbox is checked
        2. the correct pfsync interface is set
        3. enter the sync interface IP of the other unit

        Under Status > CARP, make sure both show master/slave properly.
        The pfsync nodes should look similar (nearly, but perhaps not completely identical) if state sync is working. Also the RRD graph for states should show about the same (but not identical) count of states.


        1 Reply Last reply Reply Quote 0
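        As an added illustration of the check described above (not code from the original thread or from the pfSense project): the script below parses constructed `pfctl -si` output from the master and the backup, reads the syncdev/syncpeer line from a constructed `ifconfig pfsync0`, and flags the state-table pair as healthy only if the counts are close but not necessarily identical. The 10% tolerance, the interface name em2 and the peer address are assumptions.

```python
import re

# Constructed sample output (not captured from the poster's firewalls) of
# `pfctl -si` on the CARP master and on the backup, and of `ifconfig pfsync0`.
MASTER_INFO = """\
Status: Enabled for 0 days 02:11:09           Debug: Urgent

State Table                          Total             Rate
  current entries                      412
  searches                         9812345          1271.0/s
  inserts                            20419             2.6/s
  removals                           20007             2.6/s
"""
BACKUP_INFO = """\
Status: Enabled for 0 days 02:10:58           Debug: Urgent

State Table                          Total             Rate
  current entries                      398
  searches                           12034             1.5/s
  inserts                            19990             2.6/s
  removals                           19592             2.6/s
"""
PFSYNC_IFCONFIG = """\
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
\tpfsync: syncdev: em2 syncpeer: 10.10.10.2 maxupd: 128
"""

def current_states(pfctl_info: str) -> int:
    """Return the 'current entries' count from `pfctl -si` output."""
    m = re.search(r"^\s*current entries\s+(\d+)", pfctl_info, re.MULTILINE)
    if m is None:
        raise ValueError("no 'current entries' line found")
    return int(m.group(1))

def pfsync_peer(ifconfig_out: str) -> tuple:
    """Return (syncdev, syncpeer) from `ifconfig pfsync0`; either is None when
    the line is missing, which means that checklist item is not configured."""
    dev = re.search(r"syncdev:\s*(\S+)", ifconfig_out)
    peer = re.search(r"syncpeer:\s*(\S+)", ifconfig_out)
    return (dev.group(1) if dev else None, peer.group(1) if peer else None)

def sync_looks_healthy(master: int, backup: int, tolerance: float = 0.10) -> bool:
    """Synced tables are nearly, not exactly, equal: the backup lags slightly.
    A gap beyond `tolerance` (an assumed 10%) suggests updates are not arriving."""
    return abs(master - backup) <= max(1, int(tolerance * max(master, backup, 1)))

if __name__ == "__main__":
    m, b = current_states(MASTER_INFO), current_states(BACKUP_INFO)
    print("syncdev/syncpeer:", pfsync_peer(PFSYNC_IFCONFIG))
    print(f"master={m} backup={b} healthy={sync_looks_healthy(m, b)}")
```

        On a real pair, feed it the live output of `pfctl -si` from each node and `ifconfig pfsync0` from the node being checked.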
        • P
          Pedro Serotto last edited by

          Hi,
          many, many thanks for your suggestion.

          I found this:

          http://redmine.pfsense.org/issues/1493

          and by activating 'States' under System -> Advanced -> Miscellaneous -> Gateway Monitoring, I fixed this situation.

          BR

          Pedro

          1 Reply Last reply Reply Quote 0
          • D
            dhatz last edited by

            But shouldn't pfSense kill states on a certain gateway when it goes down?
