CARP traffic logged: logs full



  • Hi pfSense community!

    I have an issue with my logs: they are all instantly full.

    When I open filter.log, I see a lot of entries related to VRRP (CARP) traffic.
    I set up CARP, and it works quite fine (MASTER/SLAVES etc.).

    The log is full of lines like this:
    filterlog: 52,16777216,,1000000201,em5,match,block,in,4,0x10,,255,8711,0,DF,112,carp,56,51.255.27.185,224.0.0.18,advertise,255,1,2,0,1

    Is this normal? Is there any way not to log this?
    How can I know which rule blocked this (52,16777216,,1000000201)?

    Thank you all for your help!

    PS: I also use Snort & pfBlockerNG.
    PS2: The problem with this is that my Firewall Log tab (in the web GUI) is hard to filter/read, as the logs are full and rotated really fast.



  • If you have block bogons enabled, check Status > System Logs > Settings and uncheck

    In this way I was able not to log HSRP router traffic.

    You could also use the rule extra options and unset



  • Hello fwcheck!

    Thank you for your suggestion; I had not seen this option.
    I just used it, but I still get CARP advertisements.

    In fact, I get these logs on interfaces with no block bogons.

    I think something is still logging this traffic.

    Is there any way to find which rule was triggered, according to the numbers in the log above?



  • You can display the rule names in the GUI when you set the option "Where to show rule descriptions" in the log settings.



  • Hey!

    Thanks!
    But the problem is that this traffic is logged in the .log on disk, but never displayed in the GUI.
    I know I can find information by clicking on the red icon on the left in the firewall log page, but as they are not displayed, I can't!

    As a result, I have a very limited firewall view displayed (1 or 2 lines); everything inside the log file is CARP advertisement traffic.



  • Hello guys!

    Just made some progress here.

    I found a command on the web to list the rules applied:

    pfctl -s rules -vv

    And with this command I have been able to track the rule that was triggered:

    @52(1000000201) block drop in log quick proto carp from (self:47) to any
      [ Evaluations: 82130    Packets: 39625    Bytes: 2219000    States: 0    ]
      [ Inserted: pid 15144 State Creations: 0    ]

    Fun fact: when I go to the firewall log tab, if I switch to "Raw Display", all these rules are displayed.

    Please, does someone know how to disable logging for this rule?

    PS: I ticked "Suppress ARP messages" in System > Advanced > Networking, on and off, same behaviour.
    PS2: And by the way, I found this similar issue: https://forum.pfsense.org/index.php?topic=31379.0  This looks like it was a layer 2 loop. How can this be troubleshot?
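The two things the thread works out by hand (reading the first and fourth fields of the raw filterlog line as the pf rule number and tracker id, then finding that same `@52(1000000201)` line in `pfctl -s rules -vv`) can be scripted. Below is an added worked example, not code from the poster or from pfSense: it decodes filterlog lines by position, joins them to the rule text from pfctl output, and counts hits per rule and interface. The sample log and pfctl excerpt are constructed (the first log line is the one quoted in the thread), `self_addrs` is a made-up stand-in for the firewall's own CARP VIPs, and the CARP trailer order (type, ttl, vhid, version, advskew, advbase) is my reading of the filterlog source, so check it against your version before relying on the last two columns.

```python
"""Decode pfSense filterlog lines and tie them back to pfctl rule numbers.

Added example for this thread, not code from the poster or from pfSense.
Field layout follows the pfSense raw filter log format; the CARP trailer
order (type, ttl, vhid, version, advskew, advbase) is an assumption taken
from my reading of the filterlog source.
"""
import re
from collections import Counter

# Constructed sample log: the thread's line (twice, different IP IDs), one
# CARP advertisement from a non-self peer, and one ordinary TCP pass line.
SAMPLE_LOG = """\
filterlog: 52,16777216,,1000000201,em5,match,block,in,4,0x10,,255,8711,0,DF,112,carp,56,51.255.27.185,224.0.0.18,advertise,255,1,2,0,1
filterlog: 52,16777216,,1000000201,em5,match,block,in,4,0x10,,255,8712,0,DF,112,carp,56,51.255.27.185,224.0.0.18,advertise,255,1,2,0,1
filterlog: 52,16777216,,1000000201,em3,match,block,in,4,0x10,,255,4410,0,DF,112,carp,56,10.0.0.2,224.0.0.18,advertise,255,1,2,100,1
filterlog: 7,16777216,,1000000103,em1,match,pass,in,4,0x0,,64,1,0,DF,6,tcp,60,10.0.0.9,10.0.0.1,51000,443,0,S,123,,65535,,mss
"""

# Constructed excerpt shaped like `pfctl -s rules -vv` output.
SAMPLE_PFCTL = """\
@52(1000000201) block drop in log quick proto carp from (self:47) to any
  [ Evaluations: 82130    Packets: 39625    Bytes: 2219000    States: 0    ]
  [ Inserted: pid 15144 State Creations: 0    ]
@7(1000000103) pass in quick on em1 inet proto tcp from any to 10.0.0.1 port = 443 flags S/SA keep state
  [ Evaluations: 10       Packets: 3        Bytes: 180        States: 1    ]
"""

COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "iface", "reason",
          "action", "dir", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protonum", "proto",
        "length", "src", "dst"]
IPV6 = ["class", "flowlabel", "hlim", "proto", "protonum", "length",
        "src", "dst"]
TRAILER = {  # protocol-specific fields that follow the IP header fields
    "tcp": ["srcport", "dstport", "datalen", "tcpflags", "seq", "ack",
            "window", "urg", "options"],
    "udp": ["srcport", "dstport", "datalen"],
    # assumed order, see module docstring
    "carp": ["carp_type", "carp_ttl", "vhid", "version", "advskew", "advbase"],
}


def parse_filterlog(line):
    """Return a dict of named fields, or None if this is not a filterlog line."""
    m = re.search(r"filterlog(?:\[\d+\])?: (.*)$", line)
    if not m:
        return None
    fields = m.group(1).split(",")
    rec = dict(zip(COMMON, fields))
    rest = fields[len(COMMON):]
    if rec.get("ipver") == "4":
        layout = IPV4
    elif rec.get("ipver") == "6":
        layout = IPV6
    else:
        return rec
    rec.update(zip(layout, rest))
    rest = rest[len(layout):]
    rec.update(zip(TRAILER.get(rec.get("proto"), []), rest))
    return rec


RULE_RE = re.compile(r"^@(\d+)\((\d+)\)\s+(.*)$")


def parse_pfctl_rules(text):
    """Map (rule number, tracker id) -> rule text from `pfctl -s rules -vv`."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[(m.group(1), m.group(2))] = m.group(3)
    return rules


def blocked_by_rule(log_text, pfctl_text):
    """Count entries per (rule, tracker, iface, proto, action), busiest first."""
    rules = parse_pfctl_rules(pfctl_text)
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None:
            continue
        counts[(rec["rulenr"], rec["tracker"], rec["iface"],
                rec.get("proto", "?"), rec["action"])] += 1
    return [
        {"rulenr": r, "tracker": t, "iface": i, "proto": p, "action": a,
         "count": n, "rule": rules.get((r, t), "<not in pfctl output>")}
        for (r, t, i, p, a), n in counts.most_common()
    ]


def looped_carp(log_text, self_addrs):
    """CARP advertisements whose source is one of our own addresses.

    A hit means the L2 segment handed our own advertisement back to us,
    which is the loop condition the last reply in the thread points at.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec.get("proto") == "carp" and rec.get("src") in self_addrs:
            hits[(rec["iface"], rec["src"], rec.get("vhid"))] += 1
    return hits


if __name__ == "__main__":
    for row in blocked_by_rule(SAMPLE_LOG, SAMPLE_PFCTL):
        print(f"{row['count']:>6}  @{row['rulenr']}({row['tracker']}) "
              f"{row['iface']} {row['proto']} {row['action']}: {row['rule']}")
    for (iface, src, vhid), n in looped_carp(SAMPLE_LOG, {"51.255.27.185"}).items():
        print(f"own CARP advert (vhid {vhid}) seen inbound on {iface} from {src}: {n}x")
```

On a real box you would feed it `clog /var/log/filter.log` (or `cat` on newer releases) and the actual `pfctl -s rules -vv` output, and put your CARP VIPs in `self_addrs`; a non-zero `looped_carp` count on an interface is the concrete symptom to chase on the switch side rather than something to silence in the log settings.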


  • Netgate

    I would fix the source of the problem (your layer 2 gear sending its own advertisements back to you) instead of suppressing the logs. They are telling you there is a problem.