CARP traffic logged: logs full
-
Hi pfSense community!
I have an issue with my logs, they are all instantly full.
When I open the Filter.log, I see a lot of logs related to VRRP (CARP) traffic.
I set up CARP, it works quite fine (MASTER/SLAVES etc).
The log is full of logs like this:
filterlog: 52,16777216,,1000000201,em5,match,block,in,4,0x10,,255,8711,0,DF,112,carp,56,51.255.27.185,224.0.0.18,advertise,255,1,2,0,1
Is this normal? Is there any way not to log this?
How can I know which rule blocked this (52,16777216,,1000000201)?
Thank you all for your help!
PS: I also use SNORT & PFBLOCKERNG
PS2: The problem for this is that my Firewall Log tab (in the webgui) is hard to filter/see, as the logs are full and rotated really fast
-
If you have "block bogons" enabled, check status > system logs > settings and uncheck "Log packets blocked by 'Block Bogon Networks' rules".
In this way I was able not to log HSRP router traffic.
You could also use the rule extra options and unset "Log packets that are handled by this rule".
-
Hello fwcheck!
I thank you for your suggestion, I did not see this option.
I just used it, but I still get CARP advertisements.
In fact, I got logs on interfaces with no block bogon.
I think something is still logging this traffic.
Is there any way to find which rule just triggered, according to the numbers in the log above?
-
You can display the rule names in the GUI if you set the option "Where to show rule descriptions" in the log settings.
-
Hey!
Thanks!
But the problem is that this traffic is logged in the .log on disk, but never displayed in the GUI.
I know I can find information by clicking on the red icon on the left in the firewall log page, but as they are not displayed I can't!
As a result, I have a very limited firewall view displayed (1 or 2 lines), everything is inside the log file as CARP advertising traffic
-
Hello guys !
Just made some progress here.
I found a command on the web to list the rules applied:
pfctl -s rules -vv
And with this command I have been able to track the rule that was triggered:
@52(1000000201) block drop in log quick proto carp from (self:47) to any
[ Evaluations: 82130 Packets: 39625 Bytes: 2219000 States: 0 ]
[ Inserted: pid 15144 State Creations: 0 ]
Fun fact, when I go to the firewall log tab, if I switch to "Raw Display", all these rules are displayed.
Does anyone know how to disable logging for this rule?
PS: I ticked the "Suppress ARP messages" in system Advanced network, on and off, same behaviour
PS2: And by the way I found this similar issue: https://forum.pfsense.org/index.php?topic=31379.0 This looks like it was a layer 2 loop. How can this be troubleshot?
-
I would fix the source of the problem (your layer 2 gear sending its own advertisements back to you) instead of suppressing the logs. They are telling you there is a problem.
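
The rule lookup worked out in the thread above (matching the rule number and tracker ID at the start of a filterlog line against the @52(1000000201) entry in the pfctl -s rules -vv output), written as a script; this is an added example and not part of any post. The field order is assumed from the posted IPv4 line, OTHER_LINE and its tracker are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Field order assumed from the log line in the thread (IPv4 case only).
COMMON = ["rule", "subrule", "anchor", "tracker", "iface",
          "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags",
        "proto_id", "proto", "length", "src", "dst"]
LOG_RE = re.compile(r"filterlog(?:\[\d+\])?:\s*(.*)$")
RULE_RE = re.compile(r"^@(\d+)\((\d+)\)\s+(.*)$")  # "@52(1000000201) block ..."

def parse_filterlog(line):
    """Return a dict for one filterlog line, or None if it does not parse."""
    m = LOG_RE.search(line)
    parts = (m.group(1) if m else line).strip().split(",")
    if len(parts) < len(COMMON) or not parts[0].isdigit():
        return None
    rec = dict(zip(COMMON, parts))
    rest = parts[len(COMMON):]
    if rec["ipver"] == "4" and len(rest) >= len(IPV4):
        rec.update(zip(IPV4, rest))
        rec["extra"] = rest[len(IPV4):]  # protocol-specific tail, kept raw
    return rec

def parse_pfctl_rules(text):
    """Map tracker ID -> (rule number, rule text) from `pfctl -s rules -vv`."""
    found = (RULE_RE.match(l.strip()) for l in text.splitlines())
    return {m.group(2): (m.group(1), m.group(3)) for m in found if m}

def top_logged_rules(log_lines, rules, n=5):
    """Rank trackers by log volume and attach the pf rule that owns each."""
    recs = filter(None, map(parse_filterlog, log_lines))
    counts = Counter(r["tracker"] for r in recs)
    return [(t, c, rules.get(t, (None, "not in pfctl output"))[1])
            for t, c in counts.most_common(n)]

# Log line and pfctl output as posted in the thread.
CARP_LINE = ("filterlog: 52,16777216,,1000000201,em5,match,block,in,4,0x10,,255,"
             "8711,0,DF,112,carp,56,51.255.27.185,224.0.0.18,advertise,255,1,2,0,1")
PFCTL_OUT = """@52(1000000201) block drop in log quick proto carp from (self:47) to any
  [ Evaluations: 82130 Packets: 39625 Bytes: 2219000 States: 0 ]"""
# Constructed line (not from the thread): a UDP block on a made-up tracker.
OTHER_LINE = ("filterlog: 7,16777216,,1234567890,em0,match,block,in,4,0x0,,64,"
              "4321,0,none,17,udp,78,192.0.2.10,192.0.2.255,137,137,58")

if __name__ == "__main__":
    rules = parse_pfctl_rules(PFCTL_OUT)
    for tracker, count, text in top_logged_rules([CARP_LINE] * 3 + [OTHER_LINE], rules):
        print(count, tracker, text)
```

On a firewall, the same functions can be fed the contents of the filter log and the saved output of pfctl -s rules -vv; a tracker reported as "not in pfctl output" means the ruleset was reloaded after the line was logged or the output uses a different rule-header format.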