CARP, which interface are sync packets sent over?



  • Hi guys, most of us have CARP set up and the two firewalls syncing over the sync interface. Do any of these sync packets pass over the other interfaces, like the WAN and LAN interfaces?



  • WAN - impossible and unreasonable
    LAN - can be used
    optX to optX with 1 cable - most secure

    I used the last one.
    But no success with my multi-WAN setup… total failure.



  • The SYNC traffic is only sent over the interface used to sync. There is CARP traffic on the other interfaces.



  • Would it be possible to set up rules on the WAN interface to block CARP traffic? I don't want the CARP traffic escaping my internal network onto the external network.

    Thanks



  • CARP, by nature, uses multicast traffic. Any interface on which you have CARP VIPs will be sending CARP traffic. If you want to limit this for security reasons, your best bet would be to configure your switch to filter the traffic except on the ports where your CARP nodes are.



  • @dotdash:

    CARP, by nature, uses multicast traffic. Any interface on which you have CARP VIPs will be sending CARP traffic. If you want to limit this for security reasons, your best bet would be to configure your switch to filter the traffic except on the ports where your CARP nodes are.

    When adding a new rule in pfSense, I see that you may specify CARP as the protocol. I have experimented with a block rule specifying CARP as the protocol, but it seems to have no effect. I would assume that pf isn't able to block the CARP advertisement packets, but if this is the case, what purpose does that option serve? Does anyone know?



  • pfSense doesn't filter outbound traffic.
    CARP traffic leaving pfSense cannot be blocked.
    And if you have a CARP IP on an interface you wouldn't want to block the CARP traffic, would you?

    You could use pfSense as a filtering bridge before your network and thus filter CARP traffic.
    -> If you have CARP traffic on your own public subnet you could avoid sending it to the rest of the internet (or at least your ISP).
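A way to check what the posts above describe on your own network, as an added example that is not from this thread or from pfSense: feed raw IPv4 packets from a capture (for instance one taken on the WAN side) to a small parser that reports CARP advertisements (IP protocol 112 sent to 224.0.0.18) per interface, so you can see whether advertisements really reach the WAN. The packet builder, addresses and interface names below are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

CARP_PROTO = 112                        # IP protocol number shared with VRRP
CARP_GROUP = IPv4Address("224.0.0.18")  # multicast group CARP advertises to


def parse_carp(packet: bytes):
    """Return the fields of a CARP advertisement, or None if `packet`
    (a raw IPv4 packet, no Ethernet header) is not one."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != CARP_PROTO or IPv4Address(packet[16:20]) != CARP_GROUP:
        return None
    hdr = packet[ihl:ihl + 16]
    if len(hdr) < 16:
        return None
    # CARP header: version/type nibbles, vhid, advskew, authlen, demotion,
    # advbase, checksum, then a 64-bit replay counter (the HMAC follows it).
    vt, vhid, advskew, _authlen, demote, advbase, _cksum, c_hi, c_lo = \
        struct.unpack("!BBBBBBHII", hdr)
    return {
        "src": str(IPv4Address(packet[12:16])),
        "version": vt >> 4, "type": vt & 0x0F, "vhid": vhid,
        "advskew": advskew, "advbase": advbase, "demote": demote,
        "counter": (c_hi << 32) | c_lo,
    }


def carp_by_interface(captures):
    """Group CARP advertisements by the interface they were captured on.
    `captures` is an iterable of (interface_name, ipv4_packet_bytes)."""
    seen = {}
    for iface, pkt in captures:
        adv = parse_carp(pkt)
        if adv:
            seen.setdefault(iface, []).append((adv["src"], adv["vhid"]))
    return seen


def build_carp_advert(src: str, vhid: int, advskew: int = 0) -> bytes:
    """Constructed test packet: IPv4 header + 36-byte CARP advertisement with
    zeroed checksums and HMAC, enough for the parser above (not a real one)."""
    carp = struct.pack("!BBBBBBHII", 0x21, vhid, advskew, 7, 0, 1, 0, 0, 1)
    carp += bytes(20)                                   # placeholder HMAC-SHA1
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(carp), 0, 0, 255,
                     CARP_PROTO, 0, IPv4Address(src).packed, CARP_GROUP.packed)
    return ip + carp
```

Advertisements on the LAN are expected wherever a VIP lives; the interesting output is any entry under the WAN interface, which is exactly the leak the thread is asking about.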