Project

General

Profile

Bug #8963

2.4.4 Limiters don't work after CARP fail-over

Added by James Cornett 9 months ago. Updated 6 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Limiters
Target version:
-
Start date:
09/27/2018
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.4.4
Affected Architecture:

Description

Limiters are not applied when using HA, states are being synced with pfsync, and a CARP fail over occurs.

When Firewall A has a limiter applied (like on a WAN interface) and a CARP fail-over event occurs, bandwidth becomes unrestricted for existing download sessions on Firewall B until either CARP fails back to Firewall A or the NAT session state expires on Firewall B.

To replicate:
Setup pfSense:
  • Enable HA (pfsync)
  • Enable CARP and setup as default gateway for a LAN interface
  • Update NAT rules for HA and CARP (Manual NAT and modify gateway)
  • Create WAN_IN and WAN_OUT Limiters with defaults and a small bandwidth limit
  • Create a Floating Rules for In and Out and assign Limiters
    Test Scenario:
  • Start a large download.
  • Note download speed and observe traffic chart on primary firewall. Download follows expected limiter behavior.
  • Goto Status, "CARP (failover)", and click "Enter Persistent CARP Maintenance Mode"
  • Download speed becomes unlimited and immediately increases speed. Observe traffic chart on failover firewall.
  • Simultaneously, without stopping first download, start another download from a different server. Note the download speed follows expected limiter behavior.
  • Goto Status, "CARP (failover)" on Primary firewall and click "Leave Persistent CARP Maintenance Mode"
  • The original download will throttle back down to the expected speed, whereas the second download will become unlimited.

History

#1 Updated by James Cornett 9 months ago

For those of us on WAN connections who pay for bandwidth consumed over our limit, bursting to my WAN circuit's 300Mbps speed from my contracted 40Mbps for more than 12 hours a month after one or more firewall fail-overs would result in an overage of 260Mbps, billed at $10/Mbps, or a $2600 USD bill.

#2 Updated by Johannes Goldynia 6 months ago

Hello,

I bought a Netgate HA bundle and I found the same bug #8963 together with release 2.4.4-p1.
Clear, because this bug is still unassigned to any release.

So what to do to get this assigned?

Also available in: Atom PDF