Public IPs in CARP packets



  • I noticed today, when doing a packet capture on pfSense and looking at one of the CARP packets, that it listed several public IP addresses in the packet data. Some IPs are owned by Brazil and Africa while we are in North America. The IPs change too, often listing India- and China-owned addresses.
    Also, CARP is running on the LAN interface on private IPv4 space (172.16.4.252/24 in this example).

    Here's a screenshot using Wireshark to view the packet capture:
    vrrp-public-ips.png

    Has anyone else seen this, or have any ideas on what's going on? The same thing happens even if I re-install pfSense on the Netgate appliance and just do a basic config.


  • Rebel Alliance Developer Netgate

    That's Wireshark misreading the packets. It's CARP, not VRRP. The two are close, but not identical.

    Right click the packet in the list, then Decode As... and then change it to CARP.



  • @artooro This is happening because VRRP and CARP, which are both redundancy mechanisms, share the same protocol number (112) and addressing mechanism (MAC 00:00:5e:00:00:xx).
    By default, most packet capture tools, like Wireshark, will decode protocol 112 as VRRP.
    In Wireshark, right-click the packet and select Decode As...
    Edit the configuration to decode as CARP; things will look much better afterward.
    This is also why, if you mix CARP and VRRP in the same network, you have to be sure to select different virtual router IDs, otherwise they will conflict with each other.

    Before:
    ee1660bc-1594-4a4a-af30-5136cf275975-image.png

    After:
    da06b528-3df3-4b56-8e9e-86f256ec153e-image.png
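
Added example, not part of any post in this thread: a small Python sketch that reads the same protocol-112 payload both ways, showing how a VRRPv2 dissector turns CARP's replay counter and SHA-1 HMAC into a list of "IP addresses" that changes with every advertisement. The field layout is assumed from RFC 3768 (VRRPv2) and the BSD `struct carp_header`; the sample bytes and function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed sample: 36-byte payload of a CARP advertisement (IP protocol 112).
# All values are made up; counter and HMAC bytes are arbitrary.
SAMPLE = bytes.fromhex(
    "21"    # version 2, type 1 (advertisement) in both protocols
    "01"    # CARP vhid          | VRRPv2 VRID
    "00"    # CARP advskew       | VRRPv2 priority
    "07"    # CARP authlen (7 x 32-bit words) | VRRPv2 "Count IP Addrs"
    "00"    # CARP demote/pad    | VRRPv2 auth type
    "01"    # CARP advbase       | VRRPv2 advertisement interval
    "0000"  # checksum (not verified in this example)
    "b1c8a233c9d4e07b"                          # CARP 64-bit replay counter
    "c5f1096e29a47d02671be4853a90dd14b87f0c21"  # CARP 20-byte SHA-1 HMAC
)

def fixed_header(payload):
    """Split the 8 bytes that VRRPv2 and CARP lay out identically."""
    if len(payload) < 8:
        raise ValueError("payload shorter than the 8-byte fixed header")
    vt, vid, b2, b3, b4, b5, _cksum = struct.unpack("!BBBBBBH", payload[:8])
    return vt >> 4, vt & 0x0F, vid, b2, b3, b4, b5

def decode_as_vrrp2(payload):
    """What a VRRP dissector reports: byte 3 is an address count."""
    _ver, _typ, vrid, prio, count, _auth, _intvl = fixed_header(payload)
    end = 8 + 4 * count
    if len(payload) < end:
        raise ValueError("truncated address list")
    addrs = [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(8, end, 4)]
    return {"vrid": vrid, "priority": prio, "addresses": addrs}

def decode_as_carp(payload):
    """CARP reading: byte 3 is authlen, followed by counter and HMAC."""
    _ver, _typ, vhid, advskew, authlen, _demote, advbase = fixed_header(payload)
    if authlen != 7 or len(payload) < 36:
        raise ValueError("not the 36-byte CARP advertisement layout")
    return {"vhid": vhid, "advskew": advskew, "advbase": advbase,
            "counter": int.from_bytes(payload[8:16], "big"),
            "hmac_sha1": payload[16:36].hex()}

if __name__ == "__main__":
    print("as VRRPv2:", decode_as_vrrp2(SAMPLE))
    print("as CARP:  ", decode_as_carp(SAMPLE))
```

The seven "addresses" in the VRRPv2 reading are exactly the 28 counter and HMAC bytes, which is why they look like unrelated public IPs and differ from packet to packet.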



  • Thanks guys, makes sense. Using the decode as method works.

