CARP traffic logged : Logs fulls

HA/CARP/VIPs
aniodon:

Hi pfSense community!

I have an issue with my logs, they are all instantly full.

When I open filter.log, I see a lot of log entries related to VRRP (CARP) traffic.
I set up CARP and it works quite fine (MASTER/SLAVES etc.).

The log is full of lines like this:
filterlog: 52,16777216,,1000000201,em5,match,block,in,4,0x10,,255,8711,0,DF,112,carp,56,51.255.27.185,224.0.0.18,advertise,255,1,2,0,1

Is this normal? Is there any way not to log this?
How can I know which rule blocked this (52,16777216,,1000000201)?

Thank you all for your help!

PS: I also use Snort & pfBlockerNG
PS2: The problem with this is that my Firewall Log tab (in the web GUI) is hard to filter/read, as the logs are full and rotated really fast
fwcheck:

If you have block bogons enabled, check Status > System Logs > Settings and uncheck

Log packets blocked by 'Block Bogon Networks' rules

In this way I was able not to log HSRP router traffic.

You could also use the rule's extra options and unset

Log packets that are handled by this rule
aniodon:

Hello fwcheck!

Thank you for your suggestion, I did not see this option.
I just used it, but I still get CARP advertisements.

In fact, I get logs on interfaces with no block bogons.

I think something is still logging this traffic.

Is there any way to find which rule just triggered, according to the numbers in the log above?
viragomann:

You can display the rule names in the GUI when you set the option "Where to show rule descriptions" in the log settings.
aniodon:

Hey!

Thanks!
But the problem is that this traffic is logged in the .log on disk but never displayed in the GUI.
I know I can find information by clicking on the red icon on the left in the firewall log page, but as they are not displayed I can't!

As a result, I have a very limited Firewall view displayed (1 or 2 lines); everything inside the log file is CARP advertisement traffic
aniodon:

Hello guys!

Just made some progress here.

I found a command on the web to list the rules applied:

pfctl -s rules -vv

And with this command I have been able to track the rule that was triggered:

@52(1000000201) block drop in log quick proto carp from (self:47) to any
  [ Evaluations: 82130    Packets: 39625    Bytes: 2219000    States: 0    ]
  [ Inserted: pid 15144 State Creations: 0    ]

Fun fact: when I go to the firewall log tab, if I switch to "Raw Display", all these rules are displayed.

Does someone know how to disable logging for this rule?

PS: I ticked "Suppress ARP messages" in System > Advanced > Networking, on and off, same behaviour
PS2: And by the way I found this similar issue: https://forum.pfsense.org/index.php?topic=31379.0  This looks like it was a layer 2 loop. How can this be troubleshot?
Derelict (LAYER 8, Netgate):

I would fix the source of the problem (your layer 2 gear sending its own advertisements back to you) instead of suppressing the logs. They are telling you there is a problem.

Chattanooga, Tennessee, USA
The pfSense Book is free of charge!
DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
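Added example, written for this thread and not code from the original posts or from pfSense itself. It does two things the thread walks through by hand: decodes a raw filterlog line into named fields (so the leading `52,16777216,,1000000201` is read as rule number, sub-rule, anchor, tracker ID) and joins those numbers to the `@number(tracker)` prefix that `pfctl -s rules -vv` prints on pfSense, as in the listing above. It then groups CARP advertisements by interface, VHID and source and flags any whose source address belongs to the firewall itself, which is exactly the condition the `from (self:47)` block rule matches and the reflected-advertisement problem Derelict describes. Assumptions: the field order of the pfSense filter log format reference (only the IPv4 layout is decoded; the CARP tail is taken to be type, TTL, VHID, version, advbase, advskew; anything else is left raw in `extra`), a constructed set of log lines (the first is the one quoted in the thread, the "pass" line and its rule number/tracker are invented), and a constructed set of "own" addresses that in practice you would collect from `ifconfig`.

```python
"""Decode pfSense filterlog CARP entries, map them to pfctl rules, and flag
advertisements whose source is one of this firewall's own addresses."""
from collections import Counter
import re

# Field order per the pfSense filter log format reference. Only IPv4 is
# decoded; the CARP tail order (type, ttl, vhid, version, advbase, advskew)
# is an assumption taken from that reference.
COMMON_FIELDS = ("rule", "subrule", "anchor", "tracker", "iface", "reason",
                 "action", "direction", "ipver")
IPV4_FIELDS = ("tos", "ecn", "ttl", "id", "offset", "flags", "proto_id",
               "proto", "length", "src", "dst")
CARP_FIELDS = ("carp_type", "carp_ttl", "vhid", "version", "advbase", "advskew")

# 'pfctl -s rules -vv' on pfSense prefixes each rule with @<number>(<tracker>).
PFCTL_RULE_RE = re.compile(r"^@(?P<num>\d+)\((?P<tracker>\d+)\)\s+(?P<text>.+)$")


def parse_filterlog(line):
    """Return a dict of the fields in one 'filterlog: ...' syslog line.
    Fields this parser does not understand are kept, unsplit, in 'extra'."""
    payload = line.split("filterlog: ", 1)[-1].strip()
    parts = payload.split(",")
    entry = dict(zip(COMMON_FIELDS, parts))
    rest = parts[len(COMMON_FIELDS):]
    if entry.get("ipver") == "4":
        entry.update(zip(IPV4_FIELDS, rest))
        rest = rest[len(IPV4_FIELDS):]
    if entry.get("proto") == "carp":
        entry.update(zip(CARP_FIELDS, rest))
        rest = rest[len(CARP_FIELDS):]
    entry["extra"] = rest
    return entry


def parse_pfctl_rules(text):
    """Map (rule number, tracker id) -> rule text from 'pfctl -s rules -vv'."""
    rules = {}
    for raw in text.splitlines():
        m = PFCTL_RULE_RE.match(raw.strip())
        if m:
            rules[(m.group("num"), m.group("tracker"))] = m.group("text")
    return rules


def summarize_carp(log_lines, rules, self_addrs):
    """Group CARP entries by interface/VHID/source/action/rule and join each
    group to its pf rule. 'reflected' is True when the source address is one
    of this firewall's own, i.e. its own advertisement came back in."""
    groups = Counter()
    for line in log_lines:
        e = parse_filterlog(line)
        if e.get("proto") != "carp":
            continue
        groups[(e["iface"], e["vhid"], e["src"], e["action"],
                e["rule"], e["tracker"])] += 1
    summary = []
    for (iface, vhid, src, action, rule, tracker), n in sorted(groups.items()):
        summary.append({
            "iface": iface, "vhid": vhid, "src": src, "action": action,
            "count": n,
            "rule": rules.get((rule, tracker), "<not in pfctl listing>"),
            "reflected": src in self_addrs,
        })
    return summary


# Constructed sample input: the first line is the one quoted in the thread
# (repeated once so the count is visible); the third, with its rule number
# and tracker, is invented to show a peer's advertisement for contrast.
SAMPLE_LOG = [
    "Jan  1 00:00:01 fw filterlog: 52,16777216,,1000000201,em5,match,block,in,4,0x10,,255,8711,0,DF,112,carp,56,51.255.27.185,224.0.0.18,advertise,255,1,2,0,1",
    "Jan  1 00:00:02 fw filterlog: 52,16777216,,1000000201,em5,match,block,in,4,0x10,,255,8712,0,DF,112,carp,56,51.255.27.185,224.0.0.18,advertise,255,1,2,0,1",
    "Jan  1 00:00:02 fw filterlog: 60,16777216,,1000000202,em1,match,pass,in,4,0x10,,255,4242,0,DF,112,carp,56,198.51.100.3,224.0.0.18,advertise,255,3,2,1,100",
]
# The first rule is the listing from the thread; the second is invented.
PFCTL_OUTPUT = """\
@52(1000000201) block drop in log quick proto carp from (self:47) to any
  [ Evaluations: 82130    Packets: 39625    Bytes: 2219000    States: 0    ]
  [ Inserted: pid 15144 State Creations: 0    ]
@60(1000000202) pass in log quick proto carp from any to any keep state
"""
# Assumed: this firewall's own CARP VIP (in practice, collect from 'ifconfig').
SELF_ADDRS = {"51.255.27.185"}

if __name__ == "__main__":
    rules = parse_pfctl_rules(PFCTL_OUTPUT)
    for row in summarize_carp(SAMPLE_LOG, rules, SELF_ADDRS):
        flag = "REFLECTED: own advertisement seen inbound" if row["reflected"] else "peer"
        print(f'{row["iface"]} vhid={row["vhid"]} src={row["src"]} {row["action"]} '
              f'x{row["count"]} [{row["rule"]}] {flag}')
```

Run it against the real `/var/log/filter.log` and the real `pfctl -s rules -vv` output to see which interfaces carry reflected advertisements: a non-zero "REFLECTED" count on an interface means a switch, bridge or hairpinned port is handing the firewall's own multicast back to it, which is the layer 2 fault to chase rather than a logging setting to turn off.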