Netgate Discussion Forum

    Question: How can i prevent ARP sending requests using the VRRP VRID MACs to WAN?

hostmaster21 (last edited by hostmaster21)


My company received a call from our ISP; they criticized a log entry in their router's log, as follows:
      ...
      Oct 24 13:02:03:I:MAC_MISMATCH_DETECTION: ARP pkt received with
      different eth source MAC and ARP sender MAC. Eth src MAC: a036.9ff6.xxxx
      ARP sender MAC: 0000.5e00.0106
      Oct 24 13:02:02:I:MAC_MISMATCH_DETECTION: ARP pkt received with
      different eth source MAC and ARP sender MAC. Eth src MAC: a036.9ff6.xxxx
      ARP sender MAC: 0000.5e00.0105
      Oct 24 13:01:24:I:MAC_MISMATCH_DETECTION: ARP pkt received with
      different eth source MAC and ARP sender MAC. Eth src MAC: 0015.5d00.xxxx
      ARP sender MAC: 0000.5e00.0109
      Oct 24 13:01:04:I:MAC_MISMATCH_DETECTION: ARP pkt received with
      different eth source MAC and ARP sender MAC. Eth src MAC: a036.9ff6.xxxx
      ARP sender MAC: 0000.5e00.0107
      ....

The pfSense packet capture function created a dump on the WAN interface, which gave me this:

      Frame 71089: 42 bytes on wire (336 bits), 42 bytes captured (336 bits)
      Encapsulation type: Ethernet (1)
      Arrival Time: Oct 24, 2018 17:02:01.408439000 CEST
      [Time shift for this packet: 0.000000000 seconds]
      Epoch Time: 1540393321.408439000 seconds
      [Time delta from previous captured frame: 0.000005000 seconds]
      [Time delta from previous displayed frame: 0.000000000 seconds]
      [Time since reference or first frame: 88.125846000 seconds]
      Frame Number: 71089
      Frame Length: 42 bytes (336 bits)
      Capture Length: 42 bytes (336 bits)
      [Frame is marked: False]
      [Frame is ignored: False]
      [Protocols in frame: eth:ethertype:arp]
      [Coloring Rule Name: ARP]
      [Coloring Rule String: arp]
      Ethernet II, Src: Dell_b8:xx:xx (00:1e:c9:b8:xx:xx), Dst: BrocadeC_5c:1a:01 (60:9c:9f:5c:1a:01)
      Destination: BrocadeC_5c:1a:01 (60:9c:9f:5c:1a:01)
      Address: BrocadeC_5c:1a:01 (60:9c:9f:5c:1a:01)
      .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
      .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
      Source: Dell_b8:xx:xx (00:1e:c9:b8:xx:xx)
      Address: Dell_b8:11:34 (00:1e:c9:b8:xx:xx)
      .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
      .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
      Type: ARP (0x0806)
      Address Resolution Protocol (reply)
      Hardware type: Ethernet (1)
      Protocol type: IPv4 (0x0800)
      Hardware size: 6
      Protocol size: 4
      Opcode: reply (2)
      Sender MAC address: IETF-VRRP-VRID_01 (00:00:5e:00:01:01)
      Sender IP address: 2xx.xxx.60.44
      Target MAC address: BrocadeC_5c:1a:01 (60:9c:9f:5c:1a:01)
      Target IP address: 2xx.xxx.60.42

We have a bare-metal install with two firewalls and HA with CARP.
      firewall1
      System pfSense
      BIOS Vendor: Dell Inc.
      Version: 2.7.0
      Release Date: Sat Oct 30 2010
      Version 2.4.3-RELEASE (amd64)
      FreeBSD 11.1-RELEASE-p7

      firewall2
      System pfSense
      BIOS Vendor: Dell Inc.
      Version: 2.7.0
      Release Date: Sat Oct 30 2010
      Version 2.4.3-RELEASE (amd64)
      FreeBSD 11.1-RELEASE-p7

      CARP is configured
      2xx.xxx.60.44/29 (vhid: 1) WAN CARP WAN-CARP1
      10.100.100.1/24 (vhid: 2) LANSERVER CARP LANServer-CARP2
      10.220.59.11/24 (vhid: 3) MSA CARP MSA-Carp3
      10.100.101.1/24 (vhid: 4) LANCLIENTS CARP LANClients-Carp4
      10.100.102.1/24 (vhid: 5) LANPHONES CARP LANPhones-Carp5

Each interface uses a network port exclusively.
      WAN is assigned to bce0 00:1e:c9:b8:xx:xx

Derelict (LAYER 8, Netgate)

          The ARP response itself is always from the interface address.

          The ARP IS AT response contained in that packet is the CARP MAC.

          This is how it works.

          This is exactly what is shown in the frame you sent:

          Ethernet Header

          Ethernet II, Src: Dell_b8:xx:xx (00:1e:c9:b8:xx:xx), Dst: BrocadeC_5c:1a:01 (60:9c:9f:5c:1a:01)
          Destination: BrocadeC_5c:1a:01 (60:9c:9f:5c:1a:01)
          Address: BrocadeC_5c:1a:01 (60:9c:9f:5c:1a:01)
          

          Contents of the ARP protocol itself

          Type: ARP (0x0806)
          Address Resolution Protocol (reply)
          Hardware type: Ethernet (1)
          Protocol type: IPv4 (0x0800)
          Hardware size: 6
          Protocol size: 4
          Opcode: reply (2)
          Sender MAC address: IETF-VRRP-VRID_01 (00:00:5e:00:01:01)
          Sender IP address: 2xx.xxx.60.44
          Target MAC address: BrocadeC_5c:1a:01 (60:9c:9f:5c:1a:01)
          Target IP address: 2xx.xxx.60.42
          

          How else are they to route traffic to your CARP VIP without adding that to their ARP table? What they are seeing is completely normal. There is no requirement for the source MAC and the ARP MAC to be the same.

          If the ISP has a problem with that they need to get over it or you need to find another ISP.

          The only HA traffic that ever goes out on the wire sourced from the CARP MAC address are the CARP heartbeats themselves.

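As an added illustration (not code from the thread, from pfSense or from the ISP's router), the Python below rebuilds the 42-byte Ethernet/ARP reply from the capture above, parses it, applies the same comparison the ISP's MAC_MISMATCH_DETECTION entry performs (Ethernet source MAC versus ARP sender MAC), and then checks whether the ARP sender MAC is an IETF VRRP/CARP virtual MAC of the form 00:00:5e:00:01:VHID, which is the expected, benign case described in the reply. The interface MAC and the public IPs are masked in the post, so the values used for them here are made-up placeholders.

```python
import struct

# Constructed sample values modelled on the capture in the thread. The post masks
# the interface MAC (00:1e:c9:b8:xx:xx) and the public IPs (2xx.xxx.60.x), so the
# placeholders below are made up; the ISP router MAC and the CARP MAC are as shown.
IFACE_MAC = bytes.fromhex("001ec9b80000")  # placeholder for bce0's factory MAC
PEER_MAC = bytes.fromhex("609c9f5c1a01")   # ISP router (Dst in the capture)
CARP_MAC = bytes.fromhex("00005e000101")   # IETF VRRP/CARP MAC 00:00:5e:00:01:<VHID>, VHID 1
VIP = bytes([203, 0, 113, 44])             # placeholder for the WAN CARP VIP 2xx.xxx.60.44
PEER_IP = bytes([203, 0, 113, 42])         # placeholder for the ISP gateway 2xx.xxx.60.42

VRRP_MAC_PREFIX = bytes.fromhex("00005e0001")  # IPv4 VRRP virtual MAC prefix (RFC 5798)


def build_arp_reply(eth_src, eth_dst, sha, spa, tha, tpa):
    """Assemble a 42-byte Ethernet II + ARP 'is-at' frame (no FCS), as on the wire."""
    eth_hdr = eth_dst + eth_src + b"\x08\x06"                 # EtherType 0x0806 = ARP
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)       # Ethernet / IPv4 / reply
    return eth_hdr + arp_hdr + sha + spa + tha + tpa


def parse_frame(frame):
    """Pull out the fields the ISP's check compares from an Ethernet/ARP frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an Ethernet II / ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {
        "eth_dst": frame[0:6], "eth_src": frame[6:12], "op": op,
        "sha": frame[22:28], "spa": frame[28:32], "tha": frame[32:38], "tpa": frame[38:42],
    }


def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def classify(fields):
    """Apply the same test as the ISP's MAC_MISMATCH_DETECTION entry and explain it.
    Returns (mismatch_detected, verdict)."""
    if fields["eth_src"] == fields["sha"]:
        return False, "ethernet source MAC and ARP sender MAC agree"
    if fields["sha"][:5] == VRRP_MAC_PREFIX:
        vhid = fields["sha"][5]
        return True, (f"expected for CARP: frame sent from interface MAC {mac_str(fields['eth_src'])}, "
                      f"ARP says the VIP is-at virtual MAC {mac_str(fields['sha'])} (VHID {vhid})")
    return True, f"unexpected: ARP sender MAC {mac_str(fields['sha'])} is not a VRRP/CARP virtual MAC"


if __name__ == "__main__":
    frame = build_arp_reply(IFACE_MAC, PEER_MAC, CARP_MAC, VIP, PEER_MAC, PEER_IP)
    print(len(frame), "bytes;", classify(parse_frame(frame))[1])
```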
hostmaster21

Thank you for your reply. I wasn't sure whether CARP should set the VRRP MAC in ARP packets outside the FW/LAN context. Thank you for clarifying this, so we have to discuss the issue with our ISP.
