> On 28/03/11 19:24, [email protected] wrote:
>>> Sorry for double posting, as I just posted this question at:
>>>
>>> http://forum.pfsense.org/index.php/topic,35019.0.html
>>>
>>> but this is critical and urgent for me. Hope somebody can help me.
>>>
>>> I have two pfSense (2.0RC1 built on Sat Feb 26 18:07:23 EST 2011  )
>>> boxes in failover mode. The WAN IP address has been set as a Carp IP
>>> address and everything works fine when you browse the internet.
>>>
>>> Until you try to do a download.
>>>
>>> When downloading a file, after a while, it stalls. On the LAN side, with
>>> a tcpdump I can see that the server on the internet just stopped sending
>>> packets.
>>>
>>> On the WAN side, with the capture I see that suddenly pfSense stops
>>> passing data back to the LAN client and starts sending packets like the
>>> following one to the internet server:
>>>
>>> 8:13:54.058314 IP 1.1.1.1>  pub4.kernel.org: ICMP host 1.1.1.1
>>> unreachable, length 60
>>>
>>> (1.1.1.1 is my WAN IP address, which I edited for privacy reasons). This
>>> example is when downloading a kernel source tarball from kernel.org.
>>>
>>> Everything points to the fact that, after a while (something running
>>> periodically?), the state of the connection is lost and pfSense for some
>>> reason can't recognize the CARP IP as a valid IP address.
>>>
>>>
>>> Any help will be appreciated.
>>>
>> What does ifconfig show at this time? Can you tcpdump 224.0.0.0/4 net on
>> WAN to see who is declaring itself as CARP-master and whether it is going
>> well (no slave's packets)?
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>>
>> Commercial support available - https://portal.pfsense.org
>>
>>
>
> Just found that doing outbound NAT using the interface IP address
> instead of the carp IP it works fine, the only drawback is that I have
> to waste one public IP address per box plus a carp one for services...
Having to 'waste' one public IP address per box is 'how it works', but
you should be using the CARP IP in your outbound NAT to make everything
really redundant (to use CARP).
>
>
> With the tcpdump you mentioned I'm getting just packets like this one:
>
> 22:44:56.122437 IP 1.1.1.2 VRRP.MCAST.NET: VRRPv2, Advertisement, vrid
> 11, prio 0, authtype none, intvl 1s, length 36
>
> where 1.1.1.2 is the real IP address for the WAN interface on the
> primary box.
It is normal.
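
The check suggested in this thread (capture 224.0.0.0/4 on WAN and see who is declaring itself CARP master), written out as an added example that is not part of the original messages. It assumes tcpdump's default one-line output (no -v); the function name carp_advertisers, the sample_* helpers and the 192.0.2.x capture lines are constructed for illustration.

```shell
# Added example: summarise CARP advertisements seen in tcpdump text output.
# tcpdump decodes CARP as VRRPv2 (same IP protocol, 112); "vrid" is the CARP
# VHID and "prio" sits where CARP carries advskew. Only the master advertises,
# so two sources on one VHID mean both nodes believe they are master.
carp_advertisers() {
    awk '
    /VRRPv2, Advertisement/ {
        src = ""; vhid = ""; skew = ""
        for (i = 1; i < NF; i++) {
            if ($i == "IP"   && src  == "") src  = $(i + 1)
            if ($i == "vrid" && vhid == "") vhid = $(i + 1)
            if ($i == "prio" && skew == "") skew = $(i + 1)
        }
        sub(/,$/, "", vhid); sub(/,$/, "", skew)
        if (src == "" || vhid == "") next
        key = vhid SUBSEP src
        if (!(key in seen)) { nsrc[vhid]++; adv[key] = skew }
        seen[key]++
    }
    END {
        bad = 0
        for (key in seen) {
            split(key, p, SUBSEP)
            printf "vhid %s src %s advskew %s adverts %d\n", p[1], p[2], adv[key], seen[key]
        }
        for (v in nsrc) if (nsrc[v] > 1) {
            printf "WARNING vhid %s has %d advertisers\n", v, nsrc[v]
            bad = 1
        }
        exit bad
    }'
}

# Constructed sample captures (documentation addresses, not from the thread).
sample_healthy() {
    cat <<'EOF'
22:44:56.122437 IP 192.0.2.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 11, prio 0, authtype none, intvl 1s, length 36
22:44:57.123101 IP 192.0.2.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 11, prio 0, authtype none, intvl 1s, length 36
EOF
}
sample_split() {
    sample_healthy
    cat <<'EOF'
22:44:57.530218 IP 192.0.2.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 11, prio 100, authtype none, intvl 1s, length 36
EOF
}

if sample_split | carp_advertisers; then echo "single master"; else echo "check CARP state on both boxes"; fi
```

On a live box the same function can read from the capture directly, for example by piping "tcpdump -n -i <WAN interface> net 224.0.0.0/4" into carp_advertisers and stopping the capture after a few seconds.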



