Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    VRRP, is this excesive or normal?

    HA/CARP/VIPs
    4
    14
    6.7k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      DWAyotte
      last edited by

      I was sniffing my DMZ and in a 12 second sniff I received 16,000 VRRP packets from one of my master pfsense boxes WAN interface.  This seems to be a little excessive, but I am not familiar with the protocol at all.  Is this something to worry about?  The firewall in question is in a master/backup configuration and averages 2k states and 3-4mbit throughput.  I hope this is enough info, thanks for the help.

      1 Reply Last reply Reply Quote 0
      • H
        hoba
        last edited by

        CARP is not VRRP though the broadcasts look similiar and some tools list CARP as protocol VRRP. Maybe it's just some wrong presentation due to misinterpreting CARP as VRRP?

        1 Reply Last reply Reply Quote 0
        • H
          heiko
          last edited by

          Do you have cisco´s on the wan?

          1 Reply Last reply Reply Quote 0
          • D
            DWAyotte
            last edited by

            I was using Ethereal to sniff, I guess that makes more sense, but is that number of packets a normal amount?

            And yes, I do have a pair of PIX515e's on the WAN.

            1 Reply Last reply Reply Quote 0
            • H
              hoba
              last edited by

              VRRP and CARP on the same broadcast domain is not a good combination I think.

              1 Reply Last reply Reply Quote 0
              • D
                DWAyotte
                last edited by

                ahhh, that is not good then.  What can i do about that?

                1 Reply Last reply Reply Quote 0
                • H
                  hoba
                  last edited by

                  Maybe try moving your vhids of the carp machines to something much higher. In case VRRP and CARP use the same vhids they might try talking to each other but don't understand each other  ;)

                  1 Reply Last reply Reply Quote 0
                  • H
                    heiko
                    last edited by

                    Please place a block rule at the end of your ruleset and then see what is going up…

                    1 Reply Last reply Reply Quote 0
                    • H
                      heiko
                      last edited by

                      in the logfile… i think many cisco broadcasts

                      1 Reply Last reply Reply Quote 0
                      • D
                        DWAyotte
                        last edited by

                        wow this might be why, I have 3 pairs of pfsense firewalls, all have VIP's and I use vhid 1, 3, and 5 on all 3, so that is probably causing problems?  I guess that makes sense, just makes me feel dumb for overseeing that.

                        1 Reply Last reply Reply Quote 0
                        • S
                          sullrich
                          last edited by

                          VHIDS should only be shared for the same ip address across cluster members.

                          In addition, if you have upstream VRRP traffic you should ensure you are not using the same "vhid" id#.

                          1 Reply Last reply Reply Quote 0
                          • D
                            DWAyotte
                            last edited by

                            I changed all VHIDs on all boxes, all different and all higher numbers now.  Looks like I am running smooth, but what has me worried/confused is I have a constant 800k-1mbit of traffic all the time even when nothing is going through pfsense?  Shows up in RRD and Traffic graphs.  Any ideas?

                            1 Reply Last reply Reply Quote 0
                            • H
                              hoba
                              last edited by

                              Time to sniff to see what's going on  ::)

                              1 Reply Last reply Reply Quote 0
                              • S
                                sullrich
                                last edited by

                                Do a tcpdump and run through wiresharks expert analyzer.

                                1 Reply Last reply Reply Quote 0
                                • First post
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.