Bug #8963 (open)

2.4.4 Limiters don't work after CARP fail-over

Added by James Cornett over 5 years ago. Updated over 5 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Traffic Shaper (Limiters)
Target version: -
Start date: 09/27/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.4
Affected Architecture:

Description

Limiters are not applied when using HA, states are being synced with pfsync, and a CARP fail-over occurs.

When Firewall A has a limiter applied (like on a WAN interface) and a CARP fail-over event occurs, bandwidth becomes unrestricted for existing download sessions on Firewall B until either CARP fails back to Firewall A or the NAT session state expires on Firewall B.

To replicate:

Set up pfSense:
  • Enable HA (pfsync)
  • Enable CARP and set up as default gateway for a LAN interface
  • Update NAT rules for HA and CARP (Manual NAT and modify gateway)
  • Create WAN_IN and WAN_OUT Limiters with defaults and a small bandwidth limit
  • Create Floating Rules for In and Out and assign Limiters

Test Scenario:
  • Start a large download.
  • Note download speed and observe traffic chart on primary firewall. Download follows expected limiter behavior.
  • Go to Status, "CARP (failover)", and click "Enter Persistent CARP Maintenance Mode"
  • Download speed becomes unlimited and immediately increases. Observe traffic chart on failover firewall.
  • Simultaneously, without stopping the first download, start another download from a different server. Note the download speed follows expected limiter behavior.
  • Go to Status, "CARP (failover)" on the Primary firewall and click "Leave Persistent CARP Maintenance Mode"
  • The original download will throttle back down to the expected speed, whereas the second download will become unlimited.