High traffic on wan interface using CARP and Multi-WAN

  • I use pfSense 2.0.2 and have an issue that I can't solve. I found an old post in which the same behaviour is described.

    Unfortunately the proposed solution (block all protocols on the pfsync interface except pfsync to avoid a layer 2 loop) doesn't help.

    I use two pfSense boxes with CARP (master = amd64 on a virtual environment with KVM / backup = ALIX board, nanobsd).

    On the WAN side I use two ISPs.
    WAN1 (WAN): external address block 217.xxx.xxx.xxx/28 (16 addresses), 20Mbit/20Mbit sync.
    WAN2 (OPT10): one external address, routed.

    I have 8 LAN interfaces with separate subnets. On the master I have 10 different interfaces, while on the ALIX board everything uses VLANs except WAN1 (WAN).

    I have two routing groups (one balanced: Tier 1 for WAN1, Tier 1 for WAN2; and one non-balanced: Tier 2 for WAN1, Tier 1 for WAN2). These groups are used as gateways in firewall rules.

    At the beginning, after a reboot, everything works fine. Suddenly the traffic on WAN increases to 20Mbit in and out on master and slave. The CPU load increases to 80 - 100% (100% on interface wan). This traffic is limited by the bandwidth of our ISP. The traffic is visible in the ISP's router statistics. That means it leaves our environment.

    I captured the packets. All traffic is on port 137 from IP to . The traffic isn't shown in the firewall log and it's not visible in the traffic graph's detail list, but it is in the graph and the total.

    It only happens on WAN with external address block (never on WAN2).

    Measures tried:

    • Block port 137 on the WAN interface
    • Block the physical interface addresses (WAN1 xxx.99 / WAN2 xxx.100) but not the virtual CARP address (xxx.98)
    • Block addresses on WAN
    • Block everything on the dedicated pfsync interface except pfsync and tcp:443

    But none of these measures blocks this traffic. I have no further ideas and I don't know what triggers this "loop". If I reboot the backup pfSense it stops for a while.

    Does anyone know more about this?

  • Interesting. That is a reserved range that should have a don't route or forward on it. I can think of no reason why you would be blasting that traffic out of your WAN interface unless there is a serious misconfiguration somewhere. Please see http://www.rfc-editor.org/rfc/rfc3927.txt  for details.

  • Yes, it's interesting. I know that this IP shouldn't be routed. I attached three screenshots. The interesting one is the full packet capture. As you can see, the host name is our domain controller. This has a valid IP address and it's on another interface (Opt3), but it isn't always the controller. In some packets the name is a printer and sometimes it's something unknown.

    The other phenomenon is that I can't block these packets.

    If you or somebody else is interested in my config.xml I could post or mail it.

    ![RRD Traffic graph.JPG](/public/imported_attachments/1/RRD Traffic graph.JPG)
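The two posts above boil down to one triage question for a WAN-side capture: which NetBIOS name service (UDP/137) packets are leaving the WAN towards a range that should never be routed (RFC 3927 169.254.0.0/16, RFC 1918, broadcast), and which internal host name does each one carry? The following script is an added example, not code from the original thread or from pfSense. It builds a constructed NBNS name registration request (the packet type the later replies describe), decodes the RFC 1001 first-level-encoded name so the host name becomes readable, and flags packets whose destination is in a non-routable range. The host names, addresses and the `SAMPLE` capture are made up; in practice the payloads would come from a pcap taken with `tcpdump -i <wan> udp port 137`.

```python
import ipaddress
import struct

# Destinations that should never appear on a WAN-facing capture:
# RFC 3927 link-local, RFC 1918 private, "this" network, limited broadcast.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "255.255.255.255/32")]

# NBNS OPCODE values (RFC 1002 section 4.2.1.1).
NBNS_OPCODES = {0: "query", 5: "registration", 6: "release", 7: "WACK", 8: "refresh"}


def encode_nb_name(name, suffix=0x00):
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the
    one-byte suffix, then emit each nibble as 'A' + nibble (32 chars)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append(0x41 + (b >> 4))
        enc.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(enc) + b"\x00"


def decode_nb_name(buf, off):
    """Reverse encode_nb_name. Returns (name, suffix, offset after the name)."""
    if buf[off] != 32:
        raise ValueError("not a first-level encoded NetBIOS name")
    enc = buf[off + 1:off + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    off += 33
    while buf[off] != 0:          # skip any scope-id labels
        off += 1 + buf[off]
    return raw[:15].rstrip(b" ").decode("ascii", "replace"), raw[15], off + 1


def build_registration(name, registered_ip, suffix=0x00, txid=0x1234):
    """Constructed NBNS NAME REGISTRATION REQUEST (opcode 5, RD + B flags set)."""
    header = struct.pack("!HHHHHH", txid, 0x2910, 1, 0, 0, 1)
    question = encode_nb_name(name, suffix) + struct.pack("!HH", 0x0020, 0x0001)
    # Additional RR: pointer to the question name, type NB, class IN, TTL, RDLENGTH 6.
    rr = struct.pack("!HHHIH", 0xC00C, 0x0020, 0x0001, 300000, 6)
    rdata = struct.pack("!H", 0x0000) + ipaddress.IPv4Address(registered_ip).packed
    return header + question + rr + rdata


def parse_nbns(payload):
    """Decode the opcode, the names in the question section and any NB-record
    addresses from a raw UDP/137 payload."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0x0F
    info = {"opcode": NBNS_OPCODES.get(opcode, str(opcode)), "names": [], "addrs": []}
    off = 12
    for _ in range(qd):
        name, suffix, off = decode_nb_name(payload, off)
        info["names"].append((name, suffix))
        off += 4                   # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        if payload[off] & 0xC0 == 0xC0:   # compressed name pointer
            off += 2
        else:
            _, _, off = decode_nb_name(payload, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype == 0x0020:                # NB record: (NB_FLAGS, IPv4) pairs
            for i in range(0, rdlen, 6):
                info["addrs"].append(str(ipaddress.IPv4Address(rdata[i + 2:i + 6])))
    return info


def triage_capture(packets):
    """packets: iterable of (src_ip, dst_ip, dst_port, udp_payload) pulled from a
    WAN-side capture. Returns one finding per UDP/137 packet."""
    findings = []
    for src, dst, dport, payload in packets:
        if dport != 137:
            continue
        info = parse_nbns(payload)
        info.update(src=src, dst=dst,
                    non_routable_dst=any(ipaddress.ip_address(dst) in n for n in NON_ROUTABLE))
        findings.append(info)
    return findings


# Constructed sample "capture" (hypothetical hosts, not data from the thread).
SAMPLE = [
    ("169.254.17.42", "169.254.255.255", 137, build_registration("DC01", "169.254.17.42")),
    ("203.0.113.10", "198.51.100.20", 137, build_registration("PRINTER01", "203.0.113.10", suffix=0x20)),
]

if __name__ == "__main__":
    for f in triage_capture(SAMPLE):
        tag = "SHOULD-NOT-LEAVE-WAN" if f["non_routable_dst"] else "routable"
        print(f"{f['src']} -> {f['dst']} nbns {f['opcode']} names={f['names']} "
              f"addrs={f['addrs']} [{tag}]")
```

The decoded name plus the NB-record address tells you which internal machine's registration is being replayed, which is the clue the poster used to tie the traffic to the domain controller and a printer; the suffix byte (0x00 workstation, 0x20 server service) identifies the service. Flagging by destination range rather than by port matters because UDP/137 to a routable address on the WAN is merely undesirable, whereas anything bound for 169.254.0.0/16 on a WAN capture is proof of a forwarding misconfiguration.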

  • The same thing is happening to my firewalls. Can anybody help us resolve this issue?

  • I think I found my problem. Since I fixed my wrong configuration it has disappeared.

    I had two wrong configurations:

    I have two WANs (Multi-WAN) and I have 7 LAN (VLAN) networks.

    First error: in one of my internal, rarely used VLANs I configured the virtual IP address with the wrong mask (32 instead of 24).

    Second error: on my switch port the same VLAN wasn't open for this VLAN tag. Therefore the connection between the firewalls for one VLAN wasn't open. Both firewalls showed the virtual IP address as master.

    I think the second error initiated the traffic between the firewalls. I don't know why the traffic was exchanged through the WAN network. After fixing both config errors I never had this behaviour again.

  • I reconfigured everything from scratch. I have 2 ISPs, a multi-WAN setup, 15 networks in VLANs, and I have allowed all VLANs on the trunk; still, the same thing is happening. I don't know what error is causing this traffic. I hope somebody out there can help.

  • Currently, my pfSense shows the same behaviour.
    My pfSense runs in a CARP setup with 2 VMs. I have a separate NIC connected to an access point for customers; all traffic on this interface is routed directly to WAN.
    Today, some customers were in our office with their laptops connected to this WLAN.
    Now they're gone, but the pfSense box keeps generating WAN traffic with NetBIOS registration requests carrying the name of the customers' domain and their notebooks.
    I have no idea how I can stop pfSense from doing this; maybe somebody else has an idea …
    (Currently, my pfSense boxes are producing these NetBIOS requests from to at a rate of 20Mbit/sec ...)
    I cannot see this traffic on any other NIC; it seems to come from pfSense itself.
