2017-09-27 12:55 GMT+02:00 Jon Gerdes <[email protected]>:
>
> On Wed, 2017-09-27 at 00:12 +0200, dayer wrote:
> > Hi everyone,
> >
> >
> > I'm getting this behavior and I can't find the reason. I've tested the same
> > scenario with pfSense 2.3.4 and 2.4.0-RC and I've posted in the forums
> > without reply [1].
> > I'm not sure if it's a configuration error or a bug, and I would prefer to
> > confirm with someone expert.
> >
> > Briefly, when there are established connections through a non-default
> > gateway (e.g. GW2 configured according to a firewall rule) and I change the
> > master unit (e.g. disabling CARP in Pfsense1, previously the master), these
> > connections are broken.
> > Pfsense2, now the master unit, tries to route this traffic through GW1
> > (instead of GW2) and uses the WAN2 HA IP for outbound NAT. That is not right.
> > Although if I close and retry the connections (like an SSH client), the new
> > connections are routed according to the rule, through GW2, as Pfsense1
> > did when it was the master unit.
> >
> > I know pfSense can't filter traffic from the firewall itself, and it's as if
> > the established connections were traffic from the firewall itself also in
> > those states.
> >
> > Does anyone know about this behavior? Is there no solution?
> >
> >
> > Regards,
> >
> >
> >
> > [1]:
> > https://forum.pfsense.org/index.php?topic=136739.msg749477#msg749477
>
>
> If I had to guess: Are you using a CARP address for outbound NAT?  If
> not then the connections *will* break on failover.


Thanks for your reply, Jon :)

Yes, I'm using CARP addresses from each WAN for outbound NAT:
- WLAN1 CARP, for WLAN1
- WLAN2 CARP, for WLAN2

In addition, when the *new* master unit routes the established
traffic, it continues doing the previous NAT according to the state
synchronised from the previous master. So it continues doing outbound
NAT with the WLAN2 CARP address, but trying to route through WLAN1.
This proves that the new master unit has the synchronised states, but
it tries to route the established connections according to the routing table
and not to the firewall rules.

Regards,
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold