CARP traffic logged : Logs fulls
-
Hi Pfsense community !
I have an issue with my logs, they are all instantly full.
When i open the Filter.log, i see a lot of log related to VRRP (CARP) traffic.
I setted up CARP, it works quite fine (MASTER/SLAVES etc)The Log is full of logs like this :
filterlog: 52,16777216,,1000000201,em5,match,block,in,4,0x10,,255,8711,0,DF,112,carp,56,51.255.27.185,224.0.0.18,advertise,255,1,2,0,1Is this normal ? Is there any way not to log this ?
How can i know which rule blocked this? (52,16777216,,1000000201) ?Thank you all for your help !
PS: I also use SNORT & PFBLOCKERNG
PS2: The problem for this is that my Firewall Log tab (in the webgui) is hard to filter/see , as the logs are full and rotated really fast -
If you have
block bogons
enabled, check
status > system logs > settings
and unchek
Log packets blocked by 'Block Bogon Networks' rulesIn this way i was able not to log HSRP router traffic.
You could also use the rule extra options and unset
Log packets that are handled by this rule -
hello fwcheck !
I thank you for your suggestion, did not saw this option.
I just used it, but i still get carp advertisement.In fact, i got log on interfaces with no block bogon
I think somethig is still logging this traffic.
Is there any way to find wich rule just triggered, according to the numbers in the log above?
-
You can display the rule names in the GUI if set when you set the option "Where to show rule descriptions" in the log settings.
-
Hey !
Thanks !
But the problem is that this traffic is logged in the .log on disk, but never displayed on the GUI .
I know i can find informations by clicking on the red icon on the left in the firewall log page, but as they are not displayed i can't !As a result, i have a very limited Firewall view displayed (1 or 2 lines), everything is inside the log file as CARP advertising traffic
-
Hello guys !
Just made some progress here.
i found a command on the web to list the rules applied :
pfctl -s rules -vv
And with this command i have been able to track the rule that was triggered :
@52(1000000201) block drop in log quick proto carp from (self:47) to any
[ Evaluations: 82130 Packets: 39625 Bytes: 2219000 States: 0 ]
[ Inserted: pid 15144 State Creations: 0 ]Fun fact, when i go to the firewall log tab, if i switch to "Raw Display" , all these rules are displayed.
Please do someone know how to disable logging for this rule?
PS: I ticked the "Suppress ARP messages" in system Advanced network , on and off, same behaviour
PS2: And by the way i found this similar issue : https://forum.pfsense.org/index.php?topic=31379.0 This looks like it was a layer 2 loop. How can this be troubleshooted? -
I would fix the source of the problem (your layer 2 gear sending its own advertisements back to you.) instead of suppressing the logs. They are telling you there is a problem.
