Question: How can i prevent ARP sending requests using the VRRP VRID MACs to WAN?



  • Question: How can i prevent ARP sending requests using the VRRP VRID MACs to WAN?

    My company received a call from our ISP; they criticized a log entry in their router's log, as follows:
    ...
    Oct 24 13:02:03:I:MAC_MISMATCH_DETECTION: ARP pkt received with
    different eth source MAC and ARP sender MAC. Eth src MAC: a036.9ff6.xxxx
    ARP sender MAC: 0000.5e00.0106
    Oct 24 13:02:02:I:MAC_MISMATCH_DETECTION: ARP pkt received with
    different eth source MAC and ARP sender MAC. Eth src MAC: a036.9ff6.xxxx
    ARP sender MAC: 0000.5e00.0105
    Oct 24 13:01:24:I:MAC_MISMATCH_DETECTION: ARP pkt received with
    different eth source MAC and ARP sender MAC. Eth src MAC: 0015.5d00.xxxx
    ARP sender MAC: 0000.5e00.0109
    Oct 24 13:01:04:I:MAC_MISMATCH_DETECTION: ARP pkt received with
    different eth source MAC and ARP sender MAC. Eth src MAC: a036.9ff6.xxxx
    ARP sender MAC: 0000.5e00.0107
    ....

    The pfSense packet capture function created a dump on the WAN interface, which gave me this:

    Frame 71089: 42 bytes on wire (336 bits), 42 bytes captured (336 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Oct 24, 2018 17:02:01.408439000 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1540393321.408439000 seconds
    [Time delta from previous captured frame: 0.000005000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 88.125846000 seconds]
    Frame Number: 71089
    Frame Length: 42 bytes (336 bits)
    Capture Length: 42 bytes (336 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:arp]
    [Coloring Rule Name: ARP]
    [Coloring Rule String: arp]
    Ethernet II, Src: Dell_b8:xx:xx (00:1e:c9:b8:xx:xx), Dst: BrocadeC_5c:1a:01 (60:9c:9f:5c:1a:01)
    Destination: BrocadeC_5c:1a:01 (60:9c:9f:5c:1a:01)
    Address: BrocadeC_5c:1a:01 (60:9c:9f:5c:1a:01)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Dell_b8:xx:xx (00:1e:c9:b8:xx:xx)
    Address: Dell_b8:11:34 (00:1e:c9:b8:xx:xx)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: ARP (0x0806)
    Address Resolution Protocol (reply)
    Hardware type: Ethernet (1)
    Protocol type: IPv4 (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reply (2)
    Sender MAC address: IETF-VRRP-VRID_01 (00:00:5e:00:01:01)
    Sender IP address: 2xx.xxx.60.44
    Target MAC address: BrocadeC_5c:1a:01 (60:9c:9f:5c:1a:01)
    Target IP address: 2xx.xxx.60.42

    We have a bare-metal install with two firewalls and HA with CARP:
    firewall1
    System pfSense
    BIOS Vendor: Dell Inc.
    Version: 2.7.0
    Release Date: Sat Oct 30 2010
    Version 2.4.3-RELEASE (amd64)
    FreeBSD 11.1-RELEASE-p7

    firewall2
    System pfSense
    BIOS Vendor: Dell Inc.
    Version: 2.7.0
    Release Date: Sat Oct 30 2010
    Version 2.4.3-RELEASE (amd64)
    FreeBSD 11.1-RELEASE-p7

    CARP is configured
    2xx.xxx.60.44/29 (vhid: 1) WAN CARP WAN-CARP1
    10.100.100.1/24 (vhid: 2) LANSERVER CARP LANServer-CARP2
    10.220.59.11/24 (vhid: 3) MSA CARP MSA-Carp3
    10.100.101.1/24 (vhid: 4) LANCLIENTS CARP LANClients-Carp4
    10.100.102.1/24 (vhid: 5) LANPHONES CARP LANPhones-Carp5

    and each interface exclusively uses its own network port;
    WAN is assigned to bce0 00:1e:c9:b8:xx:xx


  • Netgate

    The ARP response itself is always from the interface address.

    The ARP IS AT response contained in that packet is the CARP MAC.

    This is how it works.

    This is exactly what is shown in the frame you sent:

    Ethernet Header

    Ethernet II, Src: Dell_b8:xx:xx (00:1e:c9:b8:xx:xx), Dst: BrocadeC_5c:1a:01 (60:9c:9f:5c:1a:01)
    Destination: BrocadeC_5c:1a:01 (60:9c:9f:5c:1a:01)
    Address: BrocadeC_5c:1a:01 (60:9c:9f:5c:1a:01)
    

    Contents of the ARP protocol itself

    Type: ARP (0x0806)
    Address Resolution Protocol (reply)
    Hardware type: Ethernet (1)
    Protocol type: IPv4 (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reply (2)
    Sender MAC address: IETF-VRRP-VRID_01 (00:00:5e:00:01:01)
    Sender IP address: 2xx.xxx.60.44
    Target MAC address: BrocadeC_5c:1a:01 (60:9c:9f:5c:1a:01)
    Target IP address: 2xx.xxx.60.42
    

    How else are they to route traffic to your CARP VIP without adding that to their ARP table? What they are seeing is completely normal. There is no requirement for the source MAC and the ARP MAC to be the same.

    If the ISP has a problem with that they need to get over it or you need to find another ISP.

    The only HA traffic that ever goes out on the wire sourced from the CARP MAC address are the CARP heartbeats themselves.


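    The ISP's router log is the output of exactly this comparison, so here is a small classifier that makes the same check but separates the expected CARP/VRRP case from a mismatch that would actually warrant attention. This is an added example, not code from the thread or from pfSense; the firewall NIC MAC and the TEST-NET-3 addresses in the samples are constructed, while the Brocade MAC and the VRID_01 virtual MAC are the ones quoted above.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
# IETF-reserved virtual MAC prefix shared by VRRP and CARP: 00:00:5e:00:01:<VRID/VHID>
VRRP_MAC_PREFIX = bytes.fromhex("00005e0001")

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Assemble a 42-byte Ethernet + ARP frame (used below to construct test data)."""
    eth = struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac(sha),
                      IPv4Address(spa).packed, mac(tha), IPv4Address(tpa).packed)
    return eth + arp

def parse_arp(frame):
    """Return Ethernet source + ARP fields, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    src = frame[6:12]
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": src, "op": op, "sha": sha,
            "spa": str(IPv4Address(spa)), "tpa": str(IPv4Address(tpa))}

def classify(frame):
    """'match': MACs agree; 'vrrp-virtual-mac': sender MAC is the reserved
    VRRP/CARP MAC, expected for a VIP answered by the physical NIC (VRID/VHID
    returned as second value); 'mismatch': anything else, worth a closer look."""
    arp = parse_arp(frame)
    if arp is None:
        return "not-arp", None
    if arp["sha"] == arp["eth_src"]:
        return "match", None
    if arp["sha"][:5] == VRRP_MAC_PREFIX:
        return "vrrp-virtual-mac", arp["sha"][5]
    return "mismatch", None

# Constructed samples: TEST-NET-3 addresses and a made-up firewall NIC MAC; the
# Brocade MAC and the VRID_01 virtual MAC are the ones quoted in the thread.
ISP_ROUTER = "60:9c:9f:5c:1a:01"
FW_NIC = "00:1e:c9:b8:11:22"
CARP_REPLY = build_arp(FW_NIC, ISP_ROUTER, 2, "00:00:5e:00:01:01",
                       "203.0.113.44", ISP_ROUTER, "203.0.113.42")
ODD_REPLY = build_arp(FW_NIC, ISP_ROUTER, 2, "de:ad:be:ef:00:01",
                      "203.0.113.46", ISP_ROUTER, "203.0.113.42")
```

    Run against a capture, only frames that land in "mismatch" deserve a ticket; the CARP VIP replies land in "vrrp-virtual-mac" with the VHID, matching the CARP table in the question.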

  • Thank you for your reply. I wasn't sure whether CARP should set the VRRP MAC in ARP packets outside the FW/LAN context. Thank you for clarifying this; so we have to discuss the issue with our ISP.