    High traffic on wan interface using CARP and Multi-WAN
      Enrica_CH

      I use pfsense 2.0.2 and have an issue that I can't solve. I found an old post in which the same behaviour is described.
      http://forum.pfsense.org/index.php/topic,25717.0.html

      Unfortunately the proposed solution (block all protocols on the pfsync interface except pfsync to avoid a layer 2 loop) doesn't help.

      Environment:
      I use two pfsense with CARP (master = amd64 on a virtual environment with KVM / Backup = ALIX board nanobsd).

      On WAN side I use two ISP.
      WAN1(WAN): external address block 217.xxx.xxx.xxx / 28 (16 addresses) 20Mbit/20Mbit sync.
      WAN2(OPT10): one external address routed

      I have 8 LAN interfaces with separate subnets. On master I have 10 different interfaces while on ALIX board all uses VLAN except WAN1 (WAN).

      I have two routing groups (one balanced: Tier 1 for WAN1, Tier 1 for WAN2; and one non-balanced: Tier 2 WAN1, Tier 1 WAN2). These groups are used as gateway in fw rules.

      Issue:
      At the beginning after a reboot all works fine. Suddenly the traffic on WAN increases to 20Mbit in and out on master and slave. The CPU load increases to 80 - 100% (100% on interface wan). This traffic is limited by the bandwidth of our ISP. The traffic is visible in the ISP's router statistics. That means it leaves our environment.

      I captured the packets. All traffic is on port 137 from IP 169.254.37.240 to 169.254.255.255. The traffic isn't shown in the firewall log and it's not visible in the traffic graph's detail list, but it is in the graph and total.

      It only happens on WAN with external address block (never on WAN2).

      Measures tried:

      • Block port 137 on WAN interface
      • Block physical interface addresses (WAN1 xxx.99 / WAN2 xxx.100) but not virtual CARP address (xxx.98)
      • Block addresses 169.254.0.0/16 on WAN
      • Block all on dedicated pfsync interface except pfsync and tcp:443

      But all these measures don't block this traffic. I have no further ideas and I don't know what triggers this "loop". If I reboot the backup pfsense it stops for a while.

      Who knows more about that?

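A way to confirm the symptom described in this post from a WAN packet capture, added here as an example and not from the original poster: it parses tcpdump-style capture lines and flags any RFC 3927 link-local (169.254/16) source seen on WAN, with the per-second packet count and an estimated bit rate. The line layout, the 203.0.113.x / 198.51.100.x addresses, the header-size constant and the sample capture itself are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927: must never be routed or forwarded
NETBIOS_NS = 137                                      # NetBIOS name service, the port seen in the thread
IP_UDP_HEADERS = 28                                   # assumed IPv4 (20) + UDP (8) header bytes per datagram

# tcpdump -n style UDP line; this layout is an assumption about what the capture tool prints
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length (?P<length>\d+)"
)

# Constructed sample capture: one normal DNS query, a one-second burst of NetBIOS name
# registrations from a link-local source, one stray second source, and a TCP line to ignore.
SAMPLE_CAPTURE = (
    ["10:00:00.000123 IP 203.0.113.99.53210 > 203.0.113.1.53: UDP, length 40"]
    + [f"10:00:01.{i:06d} IP 169.254.37.240.137 > 169.254.255.255.137: UDP, length 50" for i in range(60)]
    + ["10:00:01.700000 IP 169.254.214.64.137 > 169.254.255.255.137: UDP, length 50",
       "10:00:02.000001 IP 203.0.113.99.443 > 198.51.100.7.443: Flags [S], seq 0, length 0"]
)

def parse_line(line):
    """Parse one UDP capture line into a dict of fields, or return None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "length"):
        pkt[key] = int(pkt[key])
    return pkt

def find_link_local_egress(lines, pps_threshold=50):
    """Summarise 169.254/16-sourced traffic in a WAN capture: any link-local packet on WAN is
    already a fault; a per-second rate at or above pps_threshold matches the storm in the thread."""
    per_src, pps, bytes_per_sec, nbns = Counter(), Counter(), Counter(), 0
    for pkt in filter(None, map(parse_line, lines)):
        if ipaddress.ip_address(pkt["src"]) not in LINK_LOCAL:
            continue  # normal WAN traffic, not our concern here
        per_src[pkt["src"]] += 1
        pps[pkt["ts"]] += 1
        bytes_per_sec[pkt["ts"]] += pkt["length"] + IP_UDP_HEADERS  # UDP payload plus headers
        nbns += pkt["dport"] == NETBIOS_NS
    peak_pps = max(pps.values(), default=0)
    return {"link_local_packets": sum(per_src.values()), "nbns_packets": nbns,
            "sources": dict(per_src), "peak_pps": peak_pps, "storm": peak_pps >= pps_threshold,
            "peak_bits_per_second": max(bytes_per_sec.values(), default=0) * 8}
```

Run it over the output of a capture taken on the WAN interface; a non-empty `sources` entry is the finding, and `storm` only tells you whether the rate has reached the flooding level the post describes.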
        Gloom

        Interesting. That is a reserved range that should have a don't route or forward on it. I can think of no reason why you would be blasting that traffic out of your WAN interface unless there is a serious misconfiguration somewhere. Please see http://www.rfc-editor.org/rfc/rfc3927.txt for details.

        Never underestimate the power of human stupidity

          Enrica_CH

          Yes it's interesting. I know that this IP shouldn't be routed. I attached three files from screen. The interesting one is the full packet capture. As you can see the name of the host is our domain controller. This has a valid IP address and it's on another interface (Opt3), but it isn't always the controller. In some packets the name is a printer and sometimes it's something unknown.

          The other phenomenon is that I can't block these packets.

          If you or somebody else is interested in my config.xml I could post or mail it.

          [Attachments: RRD Traffic graph.JPG, Packet_capt_normal.JPG, Packet_capt_full.JPG]

            mamen0330

            Same thing is happening to my firewalls. Can anybody help us resolve this issue?

              Enrica_CH

              I think I found my problem. Since I have fixed my wrong configuration it has disappeared.

              I had two wrong configurations:

              I have two WAN (Multi-WAN) and I have 7 LAN (Vlan) networks.

              First error: in one of my internal, rarely used VLANs I configured the virtual IP address with the wrong mask (/32 instead of /24).

              Second error: on my switch port the same VLAN wasn't open for this VLAN tag. Therefore the connection between the firewalls for one VLAN wasn't open. Both firewalls showed the virtual IP address as master.

              I think the second error initiated the traffic between the firewalls. I don't know why the traffic was exchanged through the WAN network. After fixing both config errors I never had this behaviour anymore.

                mamen0330

                I reconfigured everything from scratch. I have 2 ISPs, a multi-wan setup, 15 networks in VLANs, and I have allowed all VLANs on the trunk; still, the same thing is happening. I don't know what error is causing this traffic. I hope somebody out there can help.

                  dabassman

                  Currently, my pfsense shows the same behaviour.
                  My pfsense runs in a carp setup with 2 VMs. I have a separate nic connected to an access point for customers; all traffic on this interface is directly routed to WAN.
                  Today, some customers were in our office having their laptops connected to this wlan.
                  Now they're gone, but the pfsense box keeps generating wan traffic with netbios registration requests carrying the name of the customers' domain and their notebooks.
                  I have no idea how I can stop pfsense from doing this, maybe somebody else has an idea …
                  (currently, my pfsense boxes are producing these netbios requests from 169.254.214.64 to 169.254.255.255 at a rate of 20mbit/sec ...)
                  I cannot see this traffic on any other nic; it seems to come from pfsense itself.

                  Regards

                  D.
