<p>pfSense bugtracker (https://redmine.pfsense.org/)</p>
<p>pfSense - Bug #7396: Stopping and then starting again the load balancer clears out system tables (Bogons, sshlockout, aliases...)</p>
<p><strong>Jim Pingle</strong>, 2017-03-15T13:54:52Z (https://redmine.pfsense.org/issues/7396?journal_id=32209)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Confirmed</i></li><li><strong>Target version</strong> set to <i>2.3.4</i></li><li><strong>Affected Architecture</strong> <i>All</i> added</li><li><strong>Affected Architecture</strong> deleted (<del><i>amd64</i></del>)</li></ul><p>Also affects 2.4.x.</p>
<p>That is not the usual way to operate relayd, however. Normally you would not need to stop/start it. Or you could stop it there, but start it again by edit/save/apply on one of the load balancer tabs, which does not negatively impact pf tables.</p>
<p><strong>Jim Pingle</strong>, 2017-03-15T14:03:17Z (https://redmine.pfsense.org/issues/7396?journal_id=32211)</p>
<ul><li><strong>Assignee</strong> set to <i>Jim Pingle</i></li></ul><p>To me, I have a fix pushed.</p>
<p><strong>Jim Pingle</strong>, 2017-03-15T14:10:06Z (https://redmine.pfsense.org/issues/7396?journal_id=32213)</p>
<ul><li><strong>Status</strong> changed from <i>Confirmed</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="Perform a filter reload after starting relayd so it does not leave the firewall without pf tables..." href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/803ca43a02863d2086f4affd8c1048c598475bf9">803ca43a02863d2086f4affd8c1048c598475bf9</a>.</p>
<p><strong>Julien Petit</strong>, 2017-03-16T13:54:17Z (https://redmine.pfsense.org/issues/7396?journal_id=32251)</p>
<p>Jim Pingle wrote:</p>
<blockquote>
<p>That is not the usual way to operate relayd, however. Normally you would not need to stop/start it.</p>
</blockquote>
<p>In our case, we set up the load balancer first, before our web servers are completely configured. If we do not stop the load balancer, monitoring generates errors on our webservers. It's not a big problem when you know that you shouldn't press the start button. But it's kind of confusing to have the start button and not being able to use it without breaking the firewall configuration.</p>
<blockquote>
<p>Or you could stop it there, but start it again by edit/save/apply on one of the load balancer tabs, which does not negatively impact pf tables.</p>
</blockquote>
<p>From the user's perspective (without technical knowledge of relayd or pfSense), it's difficult to guess the edit/save/apply buttons would have a different impact than the start button.</p>
<blockquote>
<p>To me, I have a fix pushed.</p>
</blockquote>
<p>I've tried to apply your fix in /etc/inc/service-utils.inc via the "Edit File" tab but it seems it's still not working on 2.3.3-RELEASE-p1. Is there something else to patch?</p>
<p>Thanks anyway :)</p>
<p><strong>Jim Pingle</strong>, 2017-03-16T14:10:51Z (https://redmine.pfsense.org/issues/7396?journal_id=32252)</p>
<p>Nothing else should be required but the changes made in the patch.</p>
<p>I can reproduce the problem without that fix applied, and with the fix applied I can't reproduce the problem.</p>
<p>If you still have a problem, consider using the HAProxy package instead of relayd as it is a much more full-featured proxy solution that is not so closely tied up with pf that it has these sorts of issues.</p>
<p><strong>Julien Petit</strong>, 2017-03-16T15:29:53Z (https://redmine.pfsense.org/issues/7396?journal_id=32253)</p>
<p>Jim Pingle wrote:</p>
<blockquote>
<p>Nothing else should be required but the changes made in the patch.</p>
<p>I can reproduce the problem without that fix applied, and with the fix applied I can't reproduce the problem.</p>
</blockquote>
<p>Ok, it seems to work but it appears to be dependent on a cron job because tables are not restored straight away.<br />Chrome gives you the feeling all is well, probably because it seems the state still allows it to be connected to pfSense, but Firefox breaks straight away until the tables are restored. I discovered this checking the table state in console after each action with <code>pfctl -t Trusted -T show</code>. After relayd is started, the table content disappears but after some time, it gets restored. Can you confirm this?</p>
<blockquote>
<p>If you still have a problem, consider using the HAProxy package instead of relayd as it is a much more full-featured proxy solution that is not so closely tied up with pf that it has these sorts of issues.</p>
</blockquote>
<p>I know HAProxy is a very good choice too but I like the simplicity of relayd and the fact that it is embedded in pfSense :)</p>
<p><strong>Jim Pingle</strong>, 2017-03-16T15:44:51Z (https://redmine.pfsense.org/issues/7396?journal_id=32254)</p>
<p>I couldn't reproduce that but it gave me another idea of where to look for problems. I'll have another fix pushed here in a few moments, give that one a try. It should work even without the first fix, but I'd feel safer with both around.</p>
<p><strong>Julien Petit</strong>, 2017-03-16T15:48:49Z (https://redmine.pfsense.org/issues/7396?journal_id=32255)</p>
<p>Note that with your patch, tables are not deleted like before. Only our alias table "Trusted" is emptied. Without your patch, even system tables (sshlockout...) were deleted (not only emptied). That might be why you can't reproduce.</p>
<p><strong>Jim Pingle</strong>, 2017-03-17T06:59:26Z (https://redmine.pfsense.org/issues/7396?journal_id=32262)</p>
<p>OK, try the later change here on the ticket now ( <a class="changeset" title="Don't process empty anchors as it could lead to flushing more than intended when cleaning up afte..." href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/31b1f1e14d9fceed8bece4679275965ece495fd8">31b1f1e1</a> )</p>
<p><strong>Julien Petit</strong>, 2017-03-17T07:35:29Z (https://redmine.pfsense.org/issues/7396?journal_id=32264)</p>
<p>Jim Pingle wrote:</p>
<blockquote>
<p>OK, try the later change here on the ticket now ( <a class="changeset" title="Don't process empty anchors as it could lead to flushing more than intended when cleaning up afte..." href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/31b1f1e14d9fceed8bece4679275965ece495fd8">31b1f1e1</a> )</p>
</blockquote>
<p>This is all good now! Thanks :)</p>
<p><strong>Jim Pingle</strong>, 2017-03-17T07:40:53Z (https://redmine.pfsense.org/issues/7396?journal_id=32265)</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>Great, thanks for testing!</p>
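<p>The manual check used in this thread (inspecting tables with <code>pfctl -t Trusted -T show</code> after each action) can be scripted to tell the two failure modes apart: a table that was deleted versus one that was only emptied. This is an added example, not code from the pfSense project or from either participant; the "name count" snapshot format, the function names and the sample counts in <code>demo</code> are assumptions made for the illustration.</p>

```shell
#!/bin/sh
# Added example: compare pf table snapshots taken before and after a
# service action (e.g. starting relayd) and report lost table state.

# snapshot_tables: print "name count" for each table in the main ruleset.
# Needs root and pfctl, so it only runs on the firewall itself.
snapshot_tables() {
    pfctl -s Tables 2>/dev/null | while read -r t; do
        n=$(pfctl -t "$t" -T show 2>/dev/null | grep -c . || true)
        echo "$t $n"
    done
}

# compare_snapshots BEFORE AFTER: print one finding per line.
#   DELETED name   table existed before and is gone now
#   EMPTIED name   table still exists but dropped from >0 entries to 0
compare_snapshots() {
    awk '
        FILENAME == ARGV[1] { before[$1] = $2; next }
        { after[$1] = $2 }
        END {
            for (t in before) {
                if (!(t in after)) print "DELETED", t
                else if (before[t] > 0 && after[t] == 0) print "EMPTIED", t
            }
        }' "$1" "$2" | LC_ALL=C sort
}

# demo: constructed snapshots (table names from the ticket plus a made-up
# lb_pool, counts invented): system tables vanish, the alias is emptied.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Trusted 4' 'bogons 1200' 'sshlockout 2' 'lb_pool 0' > "$d/before"
    printf '%s\n' 'Trusted 0' 'lb_pool 0' > "$d/after"
    compare_snapshots "$d/before" "$d/after"
    rm -rf "$d"
}

# Usage on the firewall:
#   sh tables.sh snapshot > before; <start relayd>; sh tables.sh snapshot > after
#   sh tables.sh compare before after
case "${1:-}" in
    snapshot) snapshot_tables ;;
    compare)  compare_snapshots "$2" "$3" ;;
    demo)     demo ;;
esac
```

<p>Because the thread reports tables being restored after some time, taking the "after" snapshot immediately and again a minute later shows whether the loss is transient.</p>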