Strange (maybe) multicast behavior



  • I've got two firewalls running 1.2.2 that are synched via carp.  There are multiple interfaces defined using the following convention:

    192.168.11.1 - dmz carp ip
    192.168.11.2 - dmz firewall1 nic (fxp3)
    192.168.11.3 - dmz firewall2 nic (fxp0)

    192.168.13.1 - apps carp ip
    192.168.13.2 - apps firewall1 nic (rl0)
    192.168.13.3 - apps firewall2 nic (fxp3)

    etc….

    If system logs->firewall settings aren't set to show raw logs everything looks normal.  However, when I enable the raw detail level (on either firewall) I see a ton of igmp traffic.  The weird (maybe) part is that all the traffic looks like this:

    (fw1 entry) pf: 126. 328204 rule 696/8(ip-option): pass out on rl0: (tos 0x0, ttl 1, id 12035, offset 0, flags [none], proto IGMP (2), length 32, options (RA)) 192.168.13.2 > 224.0.0.18: igmp v1 report 224.0.0.18

    (fw2 entry) pf: 131. 179004 rule 696/8(ip-option): pass out on fxp3: (tos 0x0, ttl 1, id 33511, offset 0, flags [none], proto IGMP (2), length 32, options (RA)) 192.168.13.3 > 224.0.0.18: igmp v1 report 224.0.0.18

    On both firewalls the only igmp traffic appears to be outbound on the apps nic.  I set up a rule trying to log any other igmp traffic in case the firewalls were just responding to broadcasts they received, but nothing showed up.

    Any ideas why the traffic appears to originate from the firewall and only on the apps interface on both machines?



  • This is normal.  It's CARP keeping itself up to date on who is active.
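    A small parser for the raw pf log lines quoted in the question, as an added example that is not part of this thread: it extracts the fields from each entry and labels the outbound IGMP membership report for 224.0.0.18 (the VRRP/CARP multicast group) as the expected CARP join described in the reply, leaving any other IGMP entry for review. The third sample line is constructed to show the contrast.

```python
import re

CARP_GROUP = "224.0.0.18"  # VRRP/CARP multicast group that CARP-enabled hosts join

# Field layout of the raw pf log lines quoted in the thread (pfSense 1.2.x).
LOG_RE = re.compile(
    r"rule \d+/\d+\([^)]*\): (?P<action>pass|block) (?P<direction>in|out) on (?P<iface>\w+): "
    r"\((?P<hdr>[^()]*(?:\([^()]*\)[^()]*)*)\) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<payload>.*)$"
)

def parse_line(line):
    """Return a dict of the interesting fields, or None if the line is not a raw pf entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    hdr = e.pop("hdr")
    proto = re.search(r"proto (\w+)", hdr)
    ttl = re.search(r"ttl (\d+)", hdr)
    opts = re.search(r"options \(([^)]*)\)", hdr)
    e["proto"] = proto.group(1) if proto else ""
    e["ttl"] = int(ttl.group(1)) if ttl else -1
    e["options"] = opts.group(1) if opts else ""
    return e

def classify(e):
    """Label the entry; 'carp-membership' is the IGMP report a CARP host sends to 224.0.0.18."""
    if e["proto"] != "IGMP":
        return "not-igmp"
    expected = (e["direction"] == "out" and e["dst"] == CARP_GROUP
                and "report" in e["payload"] and e["ttl"] == 1 and "RA" in e["options"])
    return "carp-membership" if expected else "review"

def triage(lines):
    """Count entries per (interface, label) so anything outside the CARP join stands out."""
    counts = {}
    for line in lines:
        e = parse_line(line)
        if e is not None:
            key = (e["iface"], classify(e))
            counts[key] = counts.get(key, 0) + 1
    return counts

# The two entries quoted in the thread, plus one constructed inbound query for contrast.
SAMPLE = [
    "pf: 126. 328204 rule 696/8(ip-option): pass out on rl0: (tos 0x0, ttl 1, id 12035, offset 0, flags [none], proto IGMP (2), length 32, options (RA)) 192.168.13.2 > 224.0.0.18: igmp v1 report 224.0.0.18",
    "pf: 131. 179004 rule 696/8(ip-option): pass out on fxp3: (tos 0x0, ttl 1, id 33511, offset 0, flags [none], proto IGMP (2), length 32, options (RA)) 192.168.13.3 > 224.0.0.18: igmp v1 report 224.0.0.18",
    "pf: 140. 000000 rule 696/8(ip-option): pass in on fxp3: (tos 0xc0, ttl 1, id 0, offset 0, flags [none], proto IGMP (2), length 32, options (RA)) 192.168.13.50 > 224.0.0.1: igmp query v2",  # constructed
]
```

Running `triage(SAMPLE)` yields one expected CARP membership report per firewall interface and one inbound query flagged for review.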



  • Thanks for the info.

    Out of curiosity, why is the broadcast only occurring on the apps interface on both firewalls?  None of the machines in that subnet should be using multicast.

