CARP/HA working on WAN without any rules on interface
-
Hello, I have a question out of curiosity about CARP.
I have configured HA on my two pfSense installations and everything works flawlessly, so no problems on this side. However, even without any rules on WAN (so all incoming connections are blocked), CARP seems to communicate on that interface with no problems, probably accepting advertisements on 224.0.0.18.
Could anyone enlighten me on this? Is this rule for CARP hardcoded?
-
Yes, the CARP traffic is allowed automatically. It is far too easy for user rules to break CARP unintentionally, and since it is multicast and thus only found in the local L2 segment, it is not a significant risk to allow the traffic. The automatic CARP rules also exempt CARP traffic from NAT.
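The following is an added example, not code from this thread or from pfSense, that makes the mechanism in the answer concrete: it decodes a constructed CARP advertisement (IP protocol 112 to 224.0.0.18, using the 36-byte carp_header layout from FreeBSD's ip_carp.h) and runs it through a toy model of pf's rule evaluation with an automatic "pass quick proto carp" rule placed ahead of the per-interface rules. The exact wording of the automatic rules ("pass quick proto carp", "no nat proto carp all") is an assumption about what pfSense's filter.inc generates, the packet is constructed, and the 20-byte HMAC field is a zero placeholder rather than the real HMAC-SHA1 keyed with the VHID password.

```python
"""Why a CARP advertisement passes a WAN that has no user rules.

Added example (not pfSense code, not from the forum thread). Assumptions:
the automatic rule text is my recollection of pfSense's filter.inc, the
packet bytes are constructed, and the HMAC field is a placeholder.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

IPPROTO_CARP = 112                       # same IP protocol number as VRRP
CARP_MCAST = IPv4Address("224.0.0.18")   # link-local multicast, never routed
CARP_VERSION, CARP_ADVERTISEMENT = 2, 1
CARP_AUTHLEN = 7                         # counter (8 B) + SHA1 HMAC (20 B) in 32-bit words


def inet_cksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the CARP header (IPv4 case)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class CarpAdvert:
    vhid: int
    advskew: int
    advbase: int
    counter: int
    hmac: bytes


def build_carp_advert(vhid, advskew, advbase=1, counter=1, hmac=bytes(20)) -> bytes:
    """Serialise a 36-byte CARP advertisement (FreeBSD struct carp_header).
    hmac is a constructed placeholder; real packets carry an HMAC-SHA1."""
    fixed = struct.pack("!BBBBBBH", (CARP_VERSION << 4) | CARP_ADVERTISEMENT,
                        vhid, advskew, CARP_AUTHLEN, 0, advbase, 0)
    body = struct.pack("!Q", counter) + hmac
    cksum = inet_cksum(fixed + body)     # computed with the cksum field zeroed
    return fixed[:6] + struct.pack("!H", cksum) + body


def parse_carp_advert(payload: bytes) -> CarpAdvert:
    """Decode and validate an IPv4 CARP payload; raises ValueError if malformed."""
    if len(payload) < 36:
        raise ValueError("short CARP header")
    tv, vhid, advskew, authlen, _pad, advbase, _cksum = struct.unpack("!BBBBBBH", payload[:8])
    if tv >> 4 != CARP_VERSION or (tv & 0xF) != CARP_ADVERTISEMENT:
        raise ValueError("not a CARPv2 advertisement")
    if authlen != CARP_AUTHLEN:
        raise ValueError("unexpected authlen")
    if inet_cksum(payload[:36]) != 0:    # a valid header sums to zero
        raise ValueError("bad checksum")
    (counter,) = struct.unpack("!Q", payload[8:16])
    return CarpAdvert(vhid, advskew, advbase, counter, payload[16:36])


@dataclass
class Packet:
    iface: str
    proto: int              # IP protocol number
    dst: IPv4Address
    dport: int = 0


# Rule = (action, quick, iface or None, proto or None, dport or None).
# Assumption: pfSense emits the CARP pass rule before any interface rules.
AUTO_RULES = [("pass", True, None, IPPROTO_CARP, None)]      # "pass quick proto carp"
DEFAULT_DENY = [("block", False, None, None, None)]          # implicit block on an empty WAN tab


def evaluate(rules, pkt: Packet) -> str:
    """Toy pf semantics: last matching rule wins unless a matching rule is 'quick'."""
    decision = "pass"                     # pf passes when nothing matches at all
    for action, quick, iface, proto, dport in rules:
        if iface not in (None, pkt.iface) or proto not in (None, pkt.proto) \
                or dport not in (None, pkt.dport):
            continue
        decision = action
        if quick:
            return decision
    return decision


def nat_applies(pkt: Packet) -> bool:
    """Assumed NAT exemption 'no nat proto carp all': CARP is never translated."""
    return pkt.proto != IPPROTO_CARP


def demo():
    """Decode a constructed advertisement and compare verdicts on an empty WAN."""
    wire = build_carp_advert(vhid=1, advskew=0, advbase=1, counter=42)
    adv = parse_carp_advert(wire)
    carp_pkt = Packet("wan", IPPROTO_CARP, CARP_MCAST)
    ssh_pkt = Packet("wan", 6, IPv4Address("203.0.113.1"), 22)   # constructed
    ruleset = AUTO_RULES + DEFAULT_DENY
    return adv, evaluate(ruleset, carp_pkt), evaluate(ruleset, ssh_pkt)


if __name__ == "__main__":
    print(demo())
```

Without AUTO_RULES in front, the same CARP packet falls to the default deny and is blocked, which is exactly the breakage the automatic rule exists to prevent; the multicast destination is what keeps the allowed traffic confined to the local L2 segment.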
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.