Bug #8963
2.4.4 Limiters don't work after CARP fail-over
Status: New
Priority: Normal
Assignee: -
Category: Traffic Shaper (Limiters)
Target version: -
Start date: 09/27/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.4
Affected Architecture:
Description
Limiters are not applied when using HA, states are being synced with pfsync, and a CARP fail-over occurs.
When Firewall A has a limiter applied (like on a WAN interface) and a CARP fail-over event occurs, bandwidth becomes unrestricted for existing download sessions on Firewall B until either CARP fails back to Firewall A or the NAT session state expires on Firewall B.
To replicate:

Set up pfSense:
- Enable HA (pfsync)
- Enable CARP and set up as default gateway for a LAN interface
- Update NAT rules for HA and CARP (Manual NAT and modify gateway)
- Create WAN_IN and WAN_OUT Limiters with defaults and a small bandwidth limit
- Create Floating Rules for In and Out and assign Limiters

Test Scenario:
- Start a large download.
- Note download speed and observe traffic chart on primary firewall. Download follows expected limiter behavior.
- Go to Status, "CARP (failover)", and click "Enter Persistent CARP Maintenance Mode"
- Download speed becomes unlimited and immediately increases speed. Observe traffic chart on failover firewall.
- Simultaneously, without stopping first download, start another download from a different server. Note the download speed follows expected limiter behavior.
- Go to Status, "CARP (failover)" on Primary firewall and click "Leave Persistent CARP Maintenance Mode"
- The original download will throttle back down to the expected speed, whereas the second download will become unlimited.