4. CARP traffic logged : Logs fulls

CARP traffic logged : Logs fulls

  • A

    Hi Pfsense community !

    I have an issue with my logs, they are all instantly full.

    When i open the Filter.log, i see a lot of log related to VRRP (CARP) traffic.
    I setted up CARP, it works quite fine (MASTER/SLAVES etc)

    The Log is full of logs like this :
    filterlog: 52,16777216,,1000000201,em5,match,block,in,4,0x10,,255,8711,0,DF,112,carp,56,51.255.27.185,224.0.0.18,advertise,255,1,2,0,1

    Is this normal ? Is there any way not to log this ?
    How can i know which rule blocked this? (52,16777216,,1000000201)  ?

    Thank you all for your help !

    PS: I also use SNORT & PFBLOCKERNG
    PS2: The problem for this is that my Firewall Log tab (in the webgui) is hard to filter/see , as the logs are full and rotated really fast

    0
  • F

    If you have
    block bogons
    enabled, check
    status > system logs > settings
    and unchek

    In this way i was able not to log HSRP router traffic.

    You could also use the rule extra options and unset

    0
  • A

    hello fwcheck !

    I thank you for your suggestion, did not saw this option.
    I just used it, but i still get carp advertisement.

    In fact, i got log on interfaces with no block bogon

    I think somethig is still logging this traffic.

    Is there any way to find wich rule just triggered, according to the numbers in the log above?

    0
  • V

    You can display the rule names in the GUI if set when you set the option "Where to show rule descriptions" in the log settings.

    0
  • A

    Hey !

    Thanks !
    But the problem is that this traffic is logged in the .log on disk, but never displayed on the GUI .
    I know i can find informations by clicking on the red icon on the left in the firewall log page, but as they are not displayed i can't !

    As a result, i have a very limited Firewall view displayed (1 or 2 lines), everything is inside the log file as CARP  advertising traffic

    0
  • A

    Hello guys !

    Just made some progress here.

    i found a command on the web to list the rules applied :

    pfctl -s rules -vv

    And with this command i have been able to track the rule that was triggered  :

    @52(1000000201) block drop in log quick proto carp from (self:47) to any
      [ Evaluations: 82130    Packets: 39625    Bytes: 2219000    States: 0    ]
      [ Inserted: pid 15144 State Creations: 0    ]

    Fun fact, when i go to the firewall log tab, if i switch to "Raw Display" , all these rules are displayed.

    Please do someone know how to disable logging for this rule?

    PS: I ticked the "Suppress ARP messages" in system Advanced network , on and off, same behaviour
    PS2: And by the way i found this similar issue : https://forum.pfsense.org/index.php?topic=31379.0  This looks like it was a layer 2 loop. How can this be troubleshooted?

    0
  • Netgate

    I would fix the source of the problem (your layer 2 gear sending its own advertisements back to you.) instead of suppressing the logs. They are telling you there is a problem.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy