Bug #1514

Limiters not syncing

Added by Slaygon Censor about 9 years ago. Updated 9 months ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Affected Version:
Affected Architecture:


Added some traffic shaping on one of our pf's, made sure Firewall->Virtual IPs->CARP Settings had "Synchronize traffic shaper" enabled, but still no dice.

Associated revisions

Revision 37a7a75b (diff)
Added by Scott Ullrich over 12 years ago

multiple vlans + spoofmac result in unexpected behaviour

Ticket #1514

I have an acceptable workaround, so the problem is not urgent, but before i fiogured out the workaround, is was severely impacting performance (3 interfaces not operating). I am a network specialist and I am available to assist wherever possible. If the issue si considered seriousenough for a fix, I can assist in more detailed pinpointing using tcpdumps on test-platforms.

If a interface is using vlan tagging for virtual interfaces and also the untagged interface is using MAC address spoofing, communication fails on the tagged vlans.

On interface rl1 is untagged the WAN connection. This requires a spoofed MAC address, eg using <spoofmac>00:03:6b:f7:3b:3f</spoofmac>. On interface rl1 is also a vlan/tagged interface, eg vlan0 using rl1 and vlan tag 5. The tagged interface vlan0 expects to use the original MAC address of the interface rl0. But the issue is that interface rl0 is only processing incoming packets with destination mac address spoof_mac_rl1.

Workarounds (no code change required)
acceptable configure the <spoofmac>00:03:6b:f7:3b:3f</spoofmac> on all vlan interfaces connected to interface rl1
funny start a tcpdump on the vlan interface. This will put the interface in promiscuous mode and it will process all packets. Now the packets destined for the original MAC address (and active on the vlan interface)
bypass Do not use tagged interfaces on a interface with spoofmac

It is very confusing that when a vlan is created, the GUI a refernece shows to the physical/original MAC address, even when the MAC addres of the untagged interface is

Revision 2f6532d5 (diff)
Added by Ermal Luçi about 9 years ago

Fixes #1514. Differentiate in the carp settings between layer7, limiter and queues so layer7 and limiters do not rely on queues being active.


#1 Updated by Ermal Luçi about 9 years ago

Which part of the traffic shaper are you talking about?
Layer7, limiters or queues?

#2 Updated by Slaygon Censor about 9 years ago

Ah, sorry.
What we see here are the limiter rules not replicating.

#3 Updated by Chris Buechler about 9 years ago

  • Subject changed from Traffic Shaper rules not syncing to Limiters not syncing
  • Category changed from CARP to 62

#4 Updated by Ermal Luçi about 9 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#5 Updated by Ermal Luçi almost 9 years ago

  • Status changed from Feedback to Resolved

Since no complain received i am marking this as solved.

#6 Updated by Jim Pingle 9 months ago

  • Category changed from 62 to XMLRPC

Also available in: Atom PDF