Netgate Discussion Forum

    Hidden block quick rule dropping CARP advertisements

    Category: HA/CARP/VIPs

    apomeroy (last edited by apomeroy)

      I have a pair of pfsense 2.6.0 firewalls with six (6) VLAN interfaces that have CARP VIPs configured. When CARP is disabled on the primary firewall, the VIPs all successfully migrate to the backup except for the fifth VIP (re2.501), which remains in Backup mode on the secondary firewall. Checking the firewall logs, there are block drop messages from a hidden/built-in rule that occur prior to the CARP pass rule or any user rules.

      pfctl -s rules snippet:

      block drop in log quick proto carp from (self) to any ridentifier 1000000201
      pass quick proto carp all no state ridentifier 1000000202

      The only block log messages (10.3.5.101 is the re2.501 interface on the primary):

      Jul 8 16:41:09 LAN-D (1000000201) 10.3.5.101 224.0.0.18 CARP 105/0/1
      Jul 8 16:41:09 LAN-D (1000000201) 10.3.5.101 224.0.0.18 CARP 105/0/1
      Jul 8 16:41:09 LAN-D (1000000201) 10.3.5.101 224.0.0.18 CARP 105/0/1

      pfctl -s rules | egrep carp

      block drop in log quick proto carp from (self) to any ridentifier 1000000201
      pass quick proto carp all no state ridentifier 1000000202
      pass in log quick on re0.101 inet proto carp from <fw_wanmgt_addrs> to <fw_wanmgt_addrs> keep state label "USER_RULE: wanmgt carp" ridentifier 1688764914
      pass in log quick on re0.201 inet proto carp from <fw_wandata_addrs> to <fw_wandata_addrs> keep state label "USER_RULE: wandata carp" ridentifier 1688765257
      pass in log quick on re1.301 inet proto carp from <fw_dmzdata_addrs> to <fw_dmzdata_addrs> keep state label "USER_RULE: dmzdata carp" ridentifier 1688765300
      pass in log quick on re1.401 inet proto carp from <fw_guestdata_addrs> to <fw_guestdata_addrs> keep state label "USER_RULE: guestdata carp" ridentifier 1688765329
      pass in log quick on re2.501 inet proto carp from <fw_landata_addrs> to <fw_landata_addrs> keep state label "USER_RULE: landata carp" ridentifier 1688765356
      pass in log quick on re2.601 inet proto carp from <fw_lanmgt_addrs> to <fw_lanmgt_addrs> keep state label "USER_RULE: lanmgt carp" ridentifier 1688765382

      Not sure why there is a problem with that one interface/VIP. The setup steps I've taken are:

      Primary fw:
      • interface assignments
      • VLAN assignments
      • CARP VIP assignments, one per interface
      • CARP, 443/tcp, icmp allow rules on all primary/secondary fw interfaces
      • pfsync allow rules on re2.601 primary/secondary fw interfaces

      Secondary fw:
      • interface assignments
      • VLAN assignments

      Primary fw:
      • HA sync all

      Primary and secondary firewalls have dedicated switches for WAN, DMZ and LAN physical interfaces.

      What other information would be helpful to post here to troubleshoot?

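The log lines in the post carry the ridentifier of the rule that fired, and `pfctl -s rules` prints the same ridentifier at the end of each rule, so the two outputs can be joined to see exactly which rule dropped a packet. Below is an added example (not code from the post or from pfSense) that does that join for the hidden CARP rule: it parses a constructed `pfctl -s rules` snippet and constructed GUI-style log lines in the shape shown above, maps each log entry to its rule text, and flags entries matched by a `block ... proto carp from (self)` rule, which by its own text means the interface received a CARP packet whose source address is one the firewall itself holds. The trailing `105/0/1` field is kept as an opaque string; the third log line, a hit on a user pass rule, is constructed for contrast and is not from the post.

```python
import re
from collections import Counter

# Constructed sample in the shape of the post: two hidden CARP rules plus one
# user rule from `pfctl -s rules`.
PFCTL_RULES = """\
block drop in log quick proto carp from (self) to any ridentifier 1000000201
pass quick proto carp all no state ridentifier 1000000202
pass in log quick on re2.501 inet proto carp from <fw_landata_addrs> to <fw_landata_addrs> keep state label "USER_RULE: landata carp" ridentifier 1688765356
"""

# Constructed sample log lines (GUI log view format: date, interface,
# (ridentifier), src, dst, proto, extra). The third line is a pass-rule hit
# added only to show that non-matching entries are left unflagged.
LOG_LINES = [
    "Jul 8 16:41:09 LAN-D (1000000201) 10.3.5.101 224.0.0.18 CARP 105/0/1",
    "Jul 8 16:41:09 LAN-D (1000000201) 10.3.5.101 224.0.0.18 CARP 105/0/1",
    "Jul 8 16:41:10 LAN-D (1688765356) 10.3.5.102 224.0.0.18 CARP 105/0/1",
]

# A pf rule as printed by `pfctl -s rules`: rule text, then "ridentifier <n>".
RULE_RE = re.compile(r"^(?P<rule>.*?)\s+ridentifier\s+(?P<rid>\d+)\s*$")

# A GUI-style log line; the trailing field is optional and kept opaque.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<iface>\S+)\s+\((?P<rid>\d+)\)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)"
    r"(?:\s+(?P<extra>\S+))?$"
)


def parse_rules(text):
    """Return {ridentifier: rule text} from `pfctl -s rules` output."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[m.group("rid")] = m.group("rule").strip()
    return rules


def parse_log(lines):
    """Return one dict per parsable log line; unparsable lines are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def is_self_carp_drop(rule_text):
    """True for a block rule on CARP whose source is the firewall's own addresses."""
    return (
        rule_text.startswith("block")
        and "proto carp" in rule_text
        and "from (self)" in rule_text
    )


def correlate(rules, entries):
    """Attach the matching rule text and a self-sourced-CARP-drop flag to each entry."""
    out = []
    for e in entries:
        rule = rules.get(e["rid"], "<unknown ridentifier>")
        out.append({**e, "rule": rule, "self_carp_drop": is_self_carp_drop(rule)})
    return out


def summarize(correlated):
    """Count self-sourced CARP drops per (interface, source address)."""
    counts = Counter()
    for e in correlated:
        if e["self_carp_drop"]:
            counts[(e["iface"], e["src"])] += 1
    return dict(counts)


if __name__ == "__main__":
    joined = correlate(parse_rules(PFCTL_RULES), parse_log(LOG_LINES))
    for e in joined:
        flag = "SELF-CARP-DROP" if e["self_carp_drop"] else "ok"
        print(f"{e['ts']} {e['iface']} {e['src']}->{e['dst']} [{flag}] {e['rule']}")
    print(summarize(joined))
```

Because the hidden rule is `quick` and precedes every user rule, a non-zero count for an interface in `summarize()` tells you the user CARP pass rule on that interface never got a chance to match those packets; that is the condition to look for whenever one VIP stays in Backup while the others fail over.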
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.