VRRP, is this excesive or normal?

DWAyotte · Feb 26, 2008, 7:25 PM

I was sniffing my DMZ and in a 12 second sniff I received 16,000 VRRP packets from one of my master pfsense boxes WAN interface. This seems to be a little excessive, but I am not familiar with the protocol at all. Is this something to worry about? The firewall in question is in a master/backup configuration and averages 2k states and 3-4mbit throughput. I hope this is enough info, thanks for the help.

hoba · Feb 26, 2008, 7:51 PM

CARP is not VRRP though the broadcasts look similiar and some tools list CARP as protocol VRRP. Maybe it's just some wrong presentation due to misinterpreting CARP as VRRP?

heiko · Feb 26, 2008, 8:13 PM

Do you have cisco´s on the wan?

DWAyotte · Feb 26, 2008, 8:34 PM

I was using Ethereal to sniff, I guess that makes more sense, but is that number of packets a normal amount?

And yes, I do have a pair of PIX515e's on the WAN.

hoba · Feb 26, 2008, 8:38 PM

VRRP and CARP on the same broadcast domain is not a good combination I think.

DWAyotte · Feb 26, 2008, 8:46 PM

ahhh, that is not good then. What can i do about that?

hoba · Feb 26, 2008, 8:57 PM

Maybe try moving your vhids of the carp machines to something much higher. In case VRRP and CARP use the same vhids they might try talking to each other but don't understand each other ;)

heiko · Feb 26, 2008, 8:58 PM

Please place a block rule at the end of your ruleset and then see what is going up…

heiko · Feb 26, 2008, 9:00 PM

in the logfile… i think many cisco broadcasts

DWAyotte · Feb 26, 2008, 9:15 PM

wow this might be why, I have 3 pairs of pfsense firewalls, all have VIP's and I use vhid 1, 3, and 5 on all 3, so that is probably causing problems? I guess that makes sense, just makes me feel dumb for overseeing that.

sullrich · Feb 26, 2008, 11:16 PM

VHIDS should only be shared for the same ip address across cluster members.

In addition, if you have upstream VRRP traffic you should ensure you are not using the same "vhid" id#.

DWAyotte · Mar 24, 2008, 5:37 AM

I changed all VHIDs on all boxes, all different and all higher numbers now. Looks like I am running smooth, but what has me worried/confused is I have a constant 800k-1mbit of traffic all the time even when nothing is going through pfsense? Shows up in RRD and Traffic graphs. Any ideas?

hoba · Mar 24, 2008, 5:04 PM

Time to sniff to see what's going on ::)

sullrich · Mar 24, 2008, 5:46 PM

Do a tcpdump and run through wiresharks expert analyzer.