2 OPNsenses same WAN network Broadcast Flood

Started by aeschma, May 05, 2024, 12:24:16 AM

I think it's working now! It has been up and running for 8 hours now.

I switched the STP protocol in the UniFi switches from RSTP to STP. I read somewhere that STP is the OPNsense/FreeBSD default (perhaps the problem is caused by Vodafone; RSTP + "local" CARP worked without an issue). In my switch settings STP was deactivated for the WAN port profile ... this is still the case. In the General Settings on UniFi I switched RSTP to STP.

Here are some screenshots of my current setup for people who use OPNsense with UniFi switches.

The sad part: now my Multi-WAN connection drops randomly. Internal routing works without an issue, but WAN routing drops for a few minutes. But I think this is another topic ...

Update:

Unfortunately the problem is still there. However, it now occurs much less frequently (approx. once a day) and no longer immediately after plugging in the second firewall.



For anyone coming back to this page looking for a solution: I ran into the same issue described earlier in this thread, broadcast storms and unstable WAN connectivity when both OPNsense firewalls were connected in HA mode with CARP enabled (only on LAN).

A tcpdump on the WAN interfaces showed leakage from the LAN and other VLANs: anything from Dropbox's discovery protocol (on the LAN side) to random broadcasts from IoT devices on separate VLANs on the LAN side could unexpectedly trigger a broadcast storm on the WAN side.

After lots of frustration and trial and error, here's what worked for me:



I created two dedicated, isolated VLANs on my UniFi US-24 switch (but this should work on any managed L2 switch), one for each WAN connection.

WAN 1:
   •   VLAN 50: "WAN1-Isolated"
   •   Port 1: Modem 1 (access port on VLAN 50)
   •   Port 3: OPNsense A WAN interface (access port on VLAN 50)
   •   Port 5: OPNsense B WAN interface (access port on VLAN 50)

WAN 2:
   •   VLAN 60: "WAN2-Isolated"
   •   Port 2: Modem 2 (access port on VLAN 60)
   •   Port 4: OPNsense A WAN interface (access port on VLAN 60)
   •   Port 6: OPNsense B WAN interface (access port on VLAN 60)

These ports are not trunked, not included in any other VLAN, and have no uplink or routing beyond themselves.



On the switch, I enabled the following:
   •   Storm Control: Limited Unicast, Multicast, and Broadcast to 100 packets/sec
   •   Loop Protection: Enabled on ports 1-6 in my case




This setup effectively creates a "virtual dumb switch" using VLANs — but with better control and built-in protection.

Broadcasts and CARP advertisements are confined within each isolated VLAN, and controlled by the switch.

Again, in my case, using a physical "dumb" switch between the modem and the firewalls did not solve the issue, likely for the same reason it occurred in the first place when both firewalls were connected directly to the modems themselves (through the modems' built-in "dumb" switch).

Since switching to this VLAN-based approach, the system has been stable — no broadcast storms in the last 4 days. Fingers crossed it stays that way!
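As an added example (not code from this thread, from OPNsense or from UniFi), here is a small Python script that post-processes a text capture taken with `tcpdump -e -nn -l -i <wan_if>` on an OPNsense WAN interface and does two things the post describes doing by eye: it tags frames that belong to LAN-only protocols (Dropbox LanSync on UDP 17500, mDNS, SSDP, NetBIOS name service) or that carry a CARP/VRRP advertisement or an 802.1Q tag, none of which should be visible on an isolated WAN segment, and it counts broadcast plus multicast frames per second against the 100 packets/sec storm-control limit used in the post. The capture lines embedded below are constructed for the example (including the 150-frame mDNS burst), the line format assumed is tcpdump's `-e -nn` Ethernet output, and the port-to-protocol table and the default threshold are my assumptions, not values from the thread.

```python
"""Flag LAN-side leakage and storm-level broadcast/multicast rates in a
tcpdump -e -nn text capture from a WAN interface.  Example code; the capture
lines in SAMPLE are constructed and do not come from the original thread."""
import re
from collections import Counter, defaultdict

# Assumed line shape (tcpdump -e -nn on Ethernet):
# "HH:MM:SS.usec srcmac > dstmac, [ethertype 802.1Q (0x8100), vlan N, p P, ]ethertype X (0x....), length L: payload"
FRAME_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.\d+ "
    r"(?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"(?:ethertype 802\.1Q \(0x8100\), vlan (?P<vlan>\d+), p \d+, )?"
    r"ethertype (?P<etype>\S+) .*?: (?P<payload>.*)$"
)
# Destination "ip[.port]:" inside the IPv4 payload text.
DST_RE = re.compile(r"> (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?:")

# Assumed table of LAN-only discovery traffic, keyed by destination UDP port.
LAN_ONLY_PORTS = {17500: "Dropbox LanSync", 5353: "mDNS", 1900: "SSDP", 137: "NetBIOS-NS"}
CARP_GROUP = "224.0.0.18"  # CARP and VRRP advertisements go to this multicast group


def frame_class(dst_mac: str) -> str:
    """broadcast / multicast / unicast from the destination MAC (I/G bit)."""
    if dst_mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    return "multicast" if int(dst_mac[:2], 16) & 1 else "unicast"


def classify_payload(payload: str):
    """Name the LAN-only protocol a payload belongs to, or None if it looks legitimate."""
    m = DST_RE.search(payload)
    if not m:
        return None
    dip, dport = m.group(1), m.group(2)
    if dip == CARP_GROUP:
        return "CARP/VRRP advertisement"
    if dport and int(dport) in LAN_ONLY_PORTS:
        return LAN_ONLY_PORTS[int(dport)]
    return None


def analyse(lines, storm_pps: int = 100) -> dict:
    """Return parsed frame count, per-(vlan, protocol, source MAC) leak counts and
    the seconds whose broadcast+multicast rate exceeds storm_pps."""
    per_second = defaultdict(Counter)   # "HH:MM:SS" -> Counter of frame classes
    leaks = Counter()                    # (vlan, protocol, src MAC) -> frames
    parsed = 0
    for line in lines:
        m = FRAME_RE.match(line)
        if not m:
            continue                     # non-Ethernet or continuation line
        parsed += 1
        sec = f"{m['h']}:{m['m']}:{m['s']}"
        per_second[sec][frame_class(m["dst"])] += 1
        proto = classify_payload(m["payload"])
        vlan = m["vlan"] or "untagged"
        # A tagged frame on an access-port WAN segment is leakage by itself.
        if proto or vlan != "untagged":
            leaks[(vlan, proto or "tagged frame", m["src"])] += 1
    storms = {
        sec: c["broadcast"] + c["multicast"]
        for sec, c in per_second.items()
        if c["broadcast"] + c["multicast"] > storm_pps
    }
    return {"frames": parsed, "leaks": leaks, "storm_seconds": storms}


# Constructed sample capture: a Dropbox LanSync broadcast, a CARP advertisement,
# a VLAN-30 mDNS frame, one legitimate unicast TCP segment, then a 150-frame
# mDNS burst inside a single second (the storm case).
SAMPLE = [
    "12:00:00.100000 a4:bb:6d:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 174: 192.168.1.23.17500 > 255.255.255.255.17500: UDP, length 132",
    "12:00:00.400000 00:00:5e:00:01:05 > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 70: 192.168.1.2 > 224.0.0.18: CARPv2-advertise 36: vhid=5 advbase=1 advskew=0",
    "12:00:00.700000 3c:22:fb:aa:bb:cc > 01:00:5e:00:00:fb, ethertype 802.1Q (0x8100), vlan 30, p 0, ethertype IPv4 (0x0800), length 98: 10.0.30.14.5353 > 224.0.0.251.5353: UDP, length 56",
    "12:00:00.900000 d8:5e:d3:00:00:01 > 00:e0:4c:12:34:56, ethertype IPv4 (0x0800), length 1514: 203.0.113.10.443 > 100.64.0.2.51234: Flags [.], seq 1:1449, ack 1, win 501, length 1448",
]
SAMPLE += [
    f"12:00:01.{i * 6000:06d} 3c:22:fb:aa:bb:cc > 01:00:5e:00:00:fb, ethertype 802.1Q (0x8100), vlan 30, p 0, ethertype IPv4 (0x0800), length 98: 10.0.30.14.5353 > 224.0.0.251.5353: UDP, length 56"
    for i in range(150)
]

if __name__ == "__main__":
    result = analyse(SAMPLE)
    print(f"parsed {result['frames']} frames")
    for (vlan, proto, src), n in sorted(result["leaks"].items(), key=lambda kv: -kv[1]):
        print(f"leak: vlan={vlan:<8} {proto:<24} src={src} frames={n}")
    for sec, rate in sorted(result["storm_seconds"].items()):
        print(f"storm: {sec} {rate} broadcast/multicast frames (> 100 pps)")
```

Run it against a real capture with `analyse(open("wan.txt"))`. Any leak line at all means the WAN segment is not isolated from the LAN side; the storm seconds show whether the switch's storm-control threshold would actually have engaged, which is the check to repeat after applying the VLAN layout above.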