[pfSense Support] Re: Outgoing NAT failure

Mon, 28 Mar 2011 13:48:22 -0700 

El 28/03/11 19:24, [email protected] escribió:

Sorry for double posting, as I just posted this question at:

http://forum.pfsense.org/index.php/topic,35019.0.html

but this is critical and urgent for me. Hope somebody can help me.

I have two pfSense (2.0RC1 built on Sat Feb 26 18:07:23 EST 2011  )
boxes in failover mode. The WAN IP address has been set as a Carp IP
address and everything works fine when you browse the internet.

Until you try to do a download.

When downloading a file, after a while, it stalls. On the LAN side, with
a tcpdump I can see that the server on the internet just stopped sending
packets.

On the WAN side, with the capture I see that suddenly pfSense stops
passing data back to the LAN client and starts sending packets like the
following one to the internet server:

8:13:54.058314 IP 1.1.1.1>  pub4.kernel.org: ICMP host 1.1.1.1
unreachable, length 60

(1.1.1.1 is my WAN IP addres, which I edited for privacy reasons). This
example is when downloading a kernel source tarball from kernel.org.

Everything points that, after a while (something running periodically?)
the state of the connection is lost and pfSense for some reason can't
recognize the CARP ip as a valid ip address.


Any help will be appreciated.


What does ifconfig show at this time? Can you tcpdump 224.0.0.0/4 net on
WAN to see who is declaring itself as CARP-master and whether it is going
well (no slave's packets)?


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Commercial support available - https://portal.pfsense.org
Just found that doing outbound NAT using the interface IP address instead of the carp IP it works fine, the only drawback is that I have to waste one public IP address per box plus a carp one for services... 


With the tcpdump you mentioned I'm getting just packets like this one:
22:44:56.122437 IP 1.1.1.2 VRRP.MCAST.NET: VRRPv2, Advertisement, vrid 11, prio 0, authtype none, intvl 1s, length 36
where 1.1.1.2 is the real IP address for the WAN interface on the primary box. 


Thanks for your prompt response


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Commercial support available - https://portal.pfsense.org

Reply via email to