Topic: gateway tier priority backwards?


Derelict

  • Global Moderator
  • Hero Member
  • Posts: 10266
  • Karma: +1177/-313
Re: gateway tier priority backwards?
« Reply #15 on: January 03, 2018, 03:17:47 pm »
Start with a screen shot of the gateway group. If you don't have 6 gateways there you're not going to be utilizing 6 OpenVPN client instances.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

repomanz

  • Jr. Member
  • Posts: 38
  • Karma: +0/-0
Re: gateway tier priority backwards?
« Reply #16 on: January 05, 2018, 02:16:33 pm »
** edit: didn't know you had requested a screenshot. Screen grab of the gateway group: https://imgur.com/a/I4Z0f

I did another test recently 2 days ago.

- All OpenVPN clients have assigned interfaces. The only change from the default interface settings is checking the option that disallows bogon networks.
- VPN A does not have a specific TLS key.
- VPN A has 5 OpenVPN client sessions / interfaces
- VPN B does have a specific TLS key
- VPN B has 1 OpenVPN client session / interface

- All 6 are defined in the gateway group.
- Within the gateway group, WAN is set to never
- All 6 interfaces are set to tier 1

Interface   Bytes
VPN A#1     1.06 MiB / 50 KiB
VPN A#2     1.27 MiB / 710 KiB
VPN A#3     1.41 MiB / 888 KiB
VPN A#4     1.65 MiB / 1.64 MiB
VPN A#5     1.27 MiB / 709 KiB

VPN B#1     2.52 GiB / 4.18 GiB

- I have 30 clients behind this firewall, and the above information is for 2 days of collection
- VPN A interfaces only begin taking traffic when I specifically stop the OpenVPN client session of VPN B

Is there something unique about load balancing and a TLS key being used with the OpenVPN client, gateway group, or some other dependency?
« Last Edit: January 05, 2018, 02:22:51 pm by repomanz »

GruensFroeschli

  • Little Green Frog
  • Global Moderator
  • Hero Member
  • Posts: 5455
  • Karma: +90/-3
  • No i will not fix your computer!
Re: gateway tier priority backwards?
« Reply #17 on: January 05, 2018, 03:13:38 pm »
As Derelict already pointed out: the load balancer balances connections, not traffic.

How do you know that your clients are actually creating new connections all the time?
Those 2.52/4.18 GiB you see on VPN B#1 could be from a single connection.
We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

repomanz

  • Jr. Member
  • Posts: 38
  • Karma: +0/-0
Re: gateway tier priority backwards?
« Reply #18 on: January 05, 2018, 03:22:19 pm »
Quote from: GruensFroeschli on January 05, 2018, 03:13:38 pm
As Derelict already pointed out: the load balancer balances connections, not traffic.

How do you know that your clients are actually creating new connections all the time?
Those 2.52/4.18 GiB you see on VPN B#1 could be from a single connection.

I understand this, even before it was mentioned. However, it is evidence that it's not loading properly, or of something I don't understand. Do you think 30 clients over 2 days are going to only transfer kilobytes of traffic? That doesn't pass my smoke test.

***edit: I just dumped the active states on the firewall. The VPN A interfaces 1 - 5 are not in the table, with the exception of these entries:

Interface   Proto   Source -> Destination                                State                     Packets            Bytes
VPN A 3     icmp    xx.xx.xx.xx:7611 -> xx.xx.xx.xx:7611                 0:00                      20.866 K / 0       571 KiB / 0 B
VPN A 5     icmp    xx.xx.xx.xx:8466 -> xx.xx.xx.xx:8466                 0:00                      20.867 K / 0       571 KiB / 0 B
VPN A 4     tcp     xx.xx.xx.xx:63300 (xx.xx.xx.xx:63032) -> xx.xx.xx.xx:443   ESTABLISHED:ESTABLISHED   5.449 K / 5.46 K   231 KiB / 762 KiB
VPN A 1     icmp    xx.xx.xx.xx:7229 -> xx.xx.xx.xx:7229                 0:00                      20.866 K / 0       571 KiB / 0 B
VPN A 2     icmp    xx.xx.xx.xx:7271 -> xx.xx.xx.xx:7271                 0:00                      20.865 K / 0       571 KiB / 0 B
VPN A 4     icmp    xx.xx.xx.xx:8068 -> xx.xx.xx.xx:8068                 0:00                      20.866 K / 0       571 KiB / 0 B
« Last Edit: January 05, 2018, 03:39:20 pm by repomanz »

Derelict

  • Global Moderator
  • Hero Member
  • Posts: 10266
  • Karma: +1177/-313
Re: gateway tier priority backwards?
« Reply #19 on: January 05, 2018, 04:18:55 pm »
That is just one connection. Not a connection from 30 clients.

That is the amount of traffic that has been transmitted over THAT connection since its creation.

Every TCP connection gets its own state.

Load balancing works fine, though it often doesn't match users' misunderstandings about how it should be behaving. See the other thread.
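The point made in the two replies above (the gateway group spreads states, not bytes, and a single state can carry gigabytes) is easiest to check by counting states per interface rather than reading the interface byte counters. The following is an added example, not code from the thread or from pfSense: it parses text in the layout of `pfctl -vvss` output and reports, per interface, how many states it holds next to how many bytes those states have moved. The sample state table is constructed, its formatting is approximated from memory of `pfctl -vvss` on pfSense (verify the regexes against your own output), and the interface names `ovpnc1`..`ovpnc6` are assumed, not taken from the poster's setup.

```python
"""Added example (not from the thread): aggregate a pf state table per interface.

Parses text shaped like `pfctl -vvss` output (the sample below is constructed
and its formatting approximated; check against your own firewall's output)
and reports, per interface, how many states it holds and how many bytes
those states have moved. The thread's point: a gateway group spreads
*states* across gateways, so bytes per interface say nothing about balance.
"""
import re
from collections import defaultdict

# Constructed sample, loosely in the layout of `pfctl -vvss` on pfSense.
# Interface names ovpnc1..ovpnc6 are assumed, not the poster's real names.
# Five interfaces hold one small state each; ovpnc6 holds one huge one.
SAMPLE_STATES = """\
ovpnc1 tcp 10.0.0.21:52110 (10.8.0.6:52110) -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED
   [3127563841 + 65536] wscale 7  [1893450023 + 65535] wscale 6
   age 00:00:41, expires in 23:59:37, 812:1104 pkts, 61202:1388016 bytes, rule 118
   id: 0000000000000001 creatorid: 00000001
ovpnc2 tcp 10.0.0.22:49832 (10.8.1.6:49832) -> 203.0.113.20:443       ESTABLISHED:ESTABLISHED
   age 00:02:12, expires in 23:59:50, 301:420 pkts, 24500:531000 bytes, rule 118
ovpnc3 icmp 10.8.2.6:7611 -> 10.8.2.1:7611       0:0
   age 2d03:11:08, expires in 00:00:09, 20866:0 pkts, 584648:0 bytes, rule 118
ovpnc4 udp 10.0.0.25:61000 (10.8.3.6:61000) -> 203.0.113.53:53       MULTIPLE:MULTIPLE
   age 00:00:03, expires in 00:00:57, 2:2 pkts, 140:312 bytes, rule 118
ovpnc5 tcp 10.0.0.26:50222 (10.8.4.6:50222) -> 203.0.113.30:443       ESTABLISHED:ESTABLISHED
   age 00:01:03, expires in 23:59:41, 410:690 pkts, 30100:720400 bytes, rule 118
ovpnc6 tcp 10.0.0.30:44111 (10.9.0.6:44111) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
   age 02:13:05, expires in 23:59:59, 1903221:2855102 pkts, 2705000000:4488000000 bytes, rule 118
"""

# Header line: <iface> <proto> <endpoints, possibly with NAT in parens> <STATE>
HEADER_RE = re.compile(r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<flow>.+?)\s+(?P<state>\S+)$")
# Detail line carrying the two-direction packet and byte counters
COUNTER_RE = re.compile(r"(?P<pi>\d+):(?P<po>\d+) pkts, (?P<bi>\d+):(?P<bo>\d+) bytes")


def parse_states(text):
    """Return one dict per state: iface, proto, flow, state, plus summed
    packets and bytes (0 when no counter line follows, as with plain `pfctl -ss`)."""
    states = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line starts a new state
            m = HEADER_RE.match(line.rstrip())
            if m:
                states.append({**m.groupdict(), "packets": 0, "bytes": 0})
        elif states:  # indented detail line belongs to the last header seen
            m = COUNTER_RE.search(line)
            if m:
                states[-1]["packets"] = int(m["pi"]) + int(m["po"])
                states[-1]["bytes"] = int(m["bi"]) + int(m["bo"])
    return states


def summarize(states):
    """Per-interface state count and total bytes across its states."""
    out = defaultdict(lambda: {"states": 0, "bytes": 0})
    for s in states:
        out[s["iface"]]["states"] += 1
        out[s["iface"]]["bytes"] += s["bytes"]
    return dict(out)


def balance_report(summary):
    """Share of all states vs share of all bytes per interface, as fractions."""
    total_states = sum(v["states"] for v in summary.values()) or 1
    total_bytes = sum(v["bytes"] for v in summary.values()) or 1
    return {
        iface: {
            "state_share": v["states"] / total_states,
            "byte_share": v["bytes"] / total_bytes,
        }
        for iface, v in summary.items()
    }


if __name__ == "__main__":
    # Typical use on the firewall: pfctl -vvss > states.txt, then feed that file in.
    report = balance_report(summarize(parse_states(SAMPLE_STATES)))
    print(f"{'iface':8} {'states':>7} {'bytes':>7}")
    for iface, r in sorted(report.items()):
        print(f"{iface:8} {r['state_share']:7.1%} {r['byte_share']:7.1%}")
```

On the constructed sample every interface carries exactly one sixth of the states while `ovpnc6` carries over 99% of the bytes, which is the shape of the numbers posted above: the group is balancing state creation as designed, and a single long-lived connection dominates the byte counters. Run it against a real `pfctl -vvss` dump and a tier-1 interface that shows far fewer states than its peers is the symptom worth chasing; a skewed byte column on its own is not.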

repomanz

  • Jr. Member
  • Posts: 38
  • Karma: +0/-0
Re: gateway tier priority backwards?
« Reply #20 on: January 05, 2018, 04:32:50 pm »
My state table had roughly 500+ states. What you see above is exactly what was in those 500+ states. What specifically should I take from the link you suggested?

I'm going to build up a load gen and slam my firewall with thousands of states and put a serious load on it and will come back to this thread with the results.  Maybe it's just a matter of small load on my firewall.

Derelict

  • Global Moderator
  • Hero Member
  • Posts: 10266
  • Karma: +1177/-313
Re: gateway tier priority backwards?
« Reply #21 on: January 05, 2018, 04:37:26 pm »
That's exactly what those graphs represent. TRex generating approximately 350K states through 4- and 8-interface load balance configurations.

Works fine.