Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Public IPs in CARP packets

    Scheduled Pinned Locked Moved HA/CARP/VIPs
    4 Posts 3 Posters 752 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • artooroA
      artooro
      last edited by

      I noticed today when doing a packet capture on pfSense and looking at one of the CARP packets, that it listed several public IP addresses in the packet data. Some IPs are owned by Brazil and Africa while we are in North America. The IPs change too, often listing India and China owned addresses.
      Also the CARP is running on the LAN interface on private IPv4 space (172.16.4.252/24 in this example)

      Here's a screenshot using Wireshark to view the packet capture:
      vrrp-public-ips.png

      Has anyone else seen this, or have any ideas on what's going on? The same thing happens even if I re-install pfSense on the Netgate appliance and just do a basic config.

      awebsterA 1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by jimp

        That's Wireshark misreading the packets. It's CARP, not VRRP. The two are close, but not identical.

        Right click the packet in the list, then Decode As... and then change it to CARP.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • awebsterA
          awebster @artooro
          last edited by

          @artooro This is happening because VRRP and CARP, which are both redundancy mechanisms share the same protocol number (112) and addressing mechanism MAC 00:00:5e:00:00:xx.
          By default most packet capture tools, like Wireshark, will decode protocol 112 as VRRP.
          In Wireshark, right-click the packet and select Decode As...
          Edit the configuration to decode as CARP, things will look much better afterward.
          This is also why if you mix CARP and VRRP in the same network you have to be sure to select different virtual router IDs otherwise they will conflict with each other.

          Before:
          ee1660bc-1594-4a4a-af30-5136cf275975-image.png

          After:
          da06b528-3df3-4b56-8e9e-86f256ec153e-image.png

          –A.

          1 Reply Last reply Reply Quote 1
          • artooroA
            artooro
            last edited by

            Thanks guys, makes sense. Using the decode as method works.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.