Firewall Log issue
-
We are having problems with our firewall log being clogged full of VRRPv2 records, like the one below, being blocked.
Oct 13 11:26:47 LAN199 10.1.0.1 224.0.0.18: VRRPv2, Advertisement, vrid 4, prio 0, authtype none, intvl 1s, length 36, addrs(7) VRRP
The firewall is sending these requests on all of its IPs and VLAN IPs and they are getting blocked like they are supposed to, but it's flooding the logs every second with these entries. I've tried creating a block rule that doesn't log these records, but that didn't work, and I don't want to turn off "log packets blocked by the default rule", which I believe is what is generating these records.
Does anyone know how to stop the firewall from generating these requests? I have RIP turned off and am not sure what setting is generating this traffic from the firewall.
-
VRRP is the same as CARP. Somewhere on your network you have VRRP capable equipment that is broadcasting those, or you are using CARP Virtual IPs.
You should be able to put a block rule for VRRP at the top of your rules on each interface to stop it from logging; I've done that before on non-CARP routers that are on a network with other CARP devices.
-
Yes, I'm running CARP on one interface and it has a crossover cable to my failover pfSense box, which is down and shut off. All of these log entries are going out from the interfaces on the pfSense box and not coming in. I do have Virtual IPs running on the interfaces for the failover stuff.
-
It wouldn't log if they were going out. Though it would log if it was getting them back in on a different interface or something else was rebroadcasting the traffic and making it look like it was coming in. Check for layer 2 loops or having WAN/LAN on the same physical network/collision domain.
-
Block private networks is likely what's blocking and logging that. Turn that off, create an alias for RFC1918 subnets, create a rule to block and log that, then create a rule above it to block and not log the VRRP.
-
I have block private networks turned off on all interfaces, since I'm using a private 10.0.0.0 network alongside a public class C network on the inside, and also from our University connection we get 10.100.0.0 network connections from their wireless coming in from the outside.
Since my backup box is down, I went to CARP settings and shut off synchronization, and also added a floating rule to reject the CARP protocol and not log on all interfaces, coming in or out. My logs are showing tremendously less VRRP traffic, but I am still getting a few every few seconds now. I have 2 interfaces on the inside. One is assigned a 10.0.0.0 network address and the other is assigned a public class C network address. The VRRP logs coming in are from each other. On my 10 interface its source is from my public IP on the same box, and vice versa.
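An added example, not code from the thread or from pfSense: a small Python parser for the log line format quoted in the first post that counts advertisements per interface, source and VRID, and flags the reflected case the replies point at, an advertisement whose source is one of the firewall's own addresses but which arrived on a different interface. The interface names, the 203.0.113.1 address and the address-to-interface mapping are constructed assumptions.

```python
import re
from collections import Counter

# Matches the pfSense-style filter log line quoted in the thread:
# "<mon> <day> <time> <iface> <src> <dst>: VRRPv2, Advertisement, vrid N, prio N, ..."
VRRP_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<iface>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<dst>\d{1,3}(?:\.\d{1,3}){3}): "
    r"VRRPv2, Advertisement, vrid (?P<vrid>\d+), prio (?P<prio>\d+)"
)

def parse_vrrp(line):
    """Return a dict for a VRRPv2 advertisement log line, or None for any other line."""
    m = VRRP_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["vrid"] = int(rec["vrid"])
    rec["prio"] = int(rec["prio"])  # prio 0 means the sender is giving up the master role
    return rec

def summarize(lines):
    """Count advertisements per (interface, source, vrid) to see what is flooding the log."""
    return Counter((r["iface"], r["src"], r["vrid"]) for r in map(parse_vrrp, lines) if r)

def find_reflected(lines, own_addrs):
    """Flag advertisements sourced from one of the firewall's own addresses that were
    logged on a different interface than the one owning that address (the pattern the
    thread ties to a layer-2 loop or a shared collision domain).
    own_addrs maps interface name -> set of that interface's IPv4 addresses."""
    owner = {ip: ifn for ifn, ips in own_addrs.items() for ip in ips}
    hits = []
    for rec in filter(None, map(parse_vrrp, lines)):
        home = owner.get(rec["src"])
        if home is not None and home != rec["iface"]:
            hits.append((rec["iface"], rec["src"], home, rec["vrid"]))
    return hits

# Constructed sample log: the first line is the one quoted in the thread, the rest are made up.
SAMPLE_LOG = [
    "Oct 13 11:26:47 LAN199 10.1.0.1 224.0.0.18: VRRPv2, Advertisement, vrid 4, prio 0, authtype none, intvl 1s, length 36, addrs(7) VRRP",
    "Oct 13 11:26:47 LAN10 203.0.113.1 224.0.0.18: VRRPv2, Advertisement, vrid 2, prio 0, authtype none, intvl 1s, length 20, addrs(3) VRRP",
    "Oct 13 11:26:48 LAN199 10.1.0.1 224.0.0.18: VRRPv2, Advertisement, vrid 4, prio 0, authtype none, intvl 1s, length 36, addrs(7) VRRP",
    "Oct 13 11:26:48 LAN199 192.0.2.9 224.0.0.18: VRRPv2, Advertisement, vrid 9, prio 100, authtype none, intvl 1s, length 20, addrs(1) VRRP",
    "Oct 13 11:26:49 LAN199 10.1.0.1 10.1.0.50: TCP, (S), seq 1, win 512, length 0",
]
# Constructed mapping (hypothetical): 10.1.0.1 lives on LAN10, 203.0.113.1 on LAN199.
OWN_ADDRS = {"LAN10": {"10.1.0.1"}, "LAN199": {"203.0.113.1"}}
```

Running `find_reflected(SAMPLE_LOG, OWN_ADDRS)` flags the three advertisements seen on the "other" interface and leaves the genuine third-party router (192.0.2.9) alone.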