2.4.4 Limiters don't work after CARP fail-over
Limiters are not applied when using HA, states are being synced with pfsync, and a CARP fail-over occurs.
When Firewall A has a limiter applied (like on a WAN interface) and a CARP fail-over event occurs, bandwidth becomes unrestricted for existing download sessions on Firewall B until either CARP fails back to Firewall A or the NAT session state expires on Firewall B.
To replicate:
- Enable HA (pfsync)
- Enable CARP and set up as default gateway for a LAN interface
- Update NAT rules for HA and CARP (Manual NAT and modify gateway)
- Create WAN_IN and WAN_OUT Limiters with defaults and a small bandwidth limit
- Create Floating Rules for In and Out and assign Limiters
- Start a large download.
- Note download speed and observe traffic chart on primary firewall. Download follows expected limiter behavior.
- Go to Status, "CARP (failover)", and click "Enter Persistent CARP Maintenance Mode"
- Download speed becomes unlimited and immediately increases speed. Observe traffic chart on failover firewall.
- Simultaneously, without stopping first download, start another download from a different server. Note the download speed follows expected limiter behavior.
- Go to Status, "CARP (failover)" on Primary firewall and click "Leave Persistent CARP Maintenance Mode"
- The original download will throttle back down to the expected speed, whereas the second download will become unlimited.
Updated by James Cornett over 3 years ago
For those of us on WAN connections who pay for bandwidth consumed over our limit, bursting to my WAN circuit's 300Mbps speed from my contracted 40Mbps for more than 12 hours a month after one or more firewall fail-overs would result in an overage of 260Mbps, billed at $10/Mbps, or a $2600 USD bill.