Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfSense 2.5.2 in HA/CARP is processing promiscuous traffic

    Scheduled Pinned Locked Moved General pfSense Questions
    11 Posts 2 Posters 1.2k Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M Offline
      mauro.tridici
      last edited by

      Dear All,

      I just realized that my pfsense 2.5.2 instance (deployed in HA/CARP mode) is processing the promiscuous traffiic (neighbours traffic).
      In other words, in the WebGUI at Status > System Logs, on the Firewall tab -> Dynamic View, I can see (also) all the traffic between the servers that are on the same network.

      Is it normal? How can I instruct pfsense to process only the traffic related to pfsense instances (master and slave)?

      Thank you,
      Mauro

      1 Reply Last reply Reply Quote 0
      • stephenw10S Offline
        stephenw10 Netgate Administrator
        last edited by

        When you add a CARP VIP to the interface it enables promiscuous mode but you should only see traffic that is sent to it. Traffic between other hosts in the WAN side subnet would not normally arrive at your WAN interface whatever mode the NIC is in.
        There's not much you can do about that in pfSense. It's up to the upstream not to send it.
        You can add block rules without logging if you just want to see it in the logs.

        Steve

        M 1 Reply Last reply Reply Quote 1
        • M Offline
          mauro.tridici @stephenw10
          last edited by

          @stephenw10 thank you very much for your answer. I really appreciated it.

          I will try to add block rules with "no logging" as you suggested.
          Could you please help me with an example rule?

          Sorry, I'm a newbie and I'm still at the beginnig.

          Regards,
          Mauro

          1 Reply Last reply Reply Quote 0
          • stephenw10S Offline
            stephenw10 Netgate Administrator
            last edited by

            Well you might use a rule that looks like:

            Source: WAN subnet
            Destination: NOT WAN address

            That traffic has no business being on your WAN in most situations so you can add that as a block rule on WAN and simply don't enable logging.

            Can we see the traffic that you are actually seeing logged currently?

            Steve

            M 1 Reply Last reply Reply Quote 1
            • M Offline
              mauro.tridici @stephenw10
              last edited by

              @stephenw10 many thanks for your support.

              Sure, I think I can do it :) but...how can I show you the traffic currently logged?
              With a screenshot? Should I hide the IP addresses? Or I can send it via email?
              Sorry, but it is my first time

              Anyway I just noticed that the processed "external traffic" is essentially UDP
              I don't know if it can help to help me :)

              thanks again

              1 Reply Last reply Reply Quote 0
              • stephenw10S Offline
                stephenw10 Netgate Administrator
                last edited by

                I would copy and paste the firewall logs here. Fudge the IPs if you need to.

                What I expect to see there is UDP multicast/broadcast traffic. If that is the case it's legitimate to see it there.

                Steve

                M 1 Reply Last reply Reply Quote 1
                • M Offline
                  mauro.tridici @stephenw10
                  last edited by

                  @stephenw10 yes, you are right! the traffic is essentially UDP traffic.

                  I just copied the firewall logs and I removed the CARP IPs traffic.
                  The traffic you will see below is the traffic that I don't want to process :)

                  Anyway, I would add that, in PFSENSE GUI->Status Graph-> WAN (local), I can see:

                  • the traffic generated by CARP IP (is very low because behind the pfsense instance there are no hosts at this moment)
                  • tthee traffice generated by a different server on the same network (please see the attached image).

                  Screenshot 2021-07-29 at 19.43.41.png

                  Jul 29 19:24:54 WAN 10.0.32.42:62784 239.255.255.250:1900 UDP
                  Jul 29 19:24:50 WAN 10.0.32.42:62784 239.255.255.250:1900 UDP
                  Jul 29 19:24:47 WAN 10.0.32.42:62784 239.255.255.250:1900 UDP
                  Jul 29 19:24:45 WAN 10.0.32.42:62784 239.255.255.250:1900 UDP
                  Jul 29 19:24:41 WAN 10.0.32.42:62784 239.255.255.250:1900 UDP
                  Jul 29 19:24:40 WAN 10.0.32.42:5353 224.0.0.251:5353 UDP
                  Jul 29 19:24:40 WAN 10.0.32.34:5353 224.0.0.251:5353 UDP
                  Jul 29 19:24:40 WAN 10.0.32.233:5353 224.0.0.251:5353 UDP
                  Jul 29 19:24:38 WAN 10.0.32.42:62784 239.255.255.250:1900 UDP
                  Jul 29 19:24:35 WAN 10.0.32.42:62784 239.255.255.250:1900 UDP
                  Jul 29 19:24:30 WAN 10.0.32.42:62784 239.255.255.250:1900 UDP
                  Jul 29 19:24:27 WAN 10.0.32.233:5353 224.0.0.251:5353 UDP
                  Jul 29 19:24:27 WAN 10.0.32.34:5353 224.0.0.251:5353 UDP
                  Jul 29 19:24:27 WAN 10.0.32.34:5353 224.0.0.251:5353 UDP
                  Jul 29 19:24:27 WAN 10.0.32.199:5353 224.0.0.251:5353 UDP
                  Jul 29 19:24:27 WAN 10.0.32.254:5353 224.0.0.251:5353 UDP
                  Jul 29 19:24:27 WAN 10.0.32.233:5353 224.0.0.251:5353 UDP
                  Jul 29 19:24:27 WAN 10.0.32.42:62784 239.255.255.250:1900 UDP
                  Jul 29 19:24:24 WAN 10.0.32.42:62784 239.255.255.250:1900 UDP
                  Jul 29 19:24:20 WAN 10.0.32.42:62784 239.255.255.250:1900 UDP
                  Jul 29 19:24:17 WAN 10.0.32.42:62784 239.255.255.250:1900 UDP
                  Jul 29 19:24:14 WAN 10.0.32.42:62784 239.255.255.250:1900 UDP
                  Jul 29 19:24:10 WAN 10.0.32.42:62784 239.255.255.250:1900 UDP
                  Jul 29 19:24:07 WAN 10.0.32.42:62784 239.255.255.250:1900 UDP
                  Jul 29 19:20:47 WAN 10.0.32.42:62784 239.255.255.250:1900 UDP
                  Jul 29 19:20:44 WAN 10.0.32.42:62784 239.255.255.250:1900 UDP
                  Jul 29 19:20:39 WAN 10.0.32.42:62784 239.255.255.250:1900 UDP
                  Jul 29 19:20:36 WAN 10.0.32.42:62784 239.255.255.250:1900 UDP
                  Jul 29 19:20:33 WAN 10.0.32.42:62784 239.255.255.250:1900 UDP

                  Thank you,
                  Mauro

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S Offline
                    stephenw10 Netgate Administrator
                    last edited by stephenw10

                    And more importantly they are all using multicast destination addresses so they are correctly ending up at your WAN locally. That traffic is just dropped until you have the NIC in promiscuous mode. Those logs are expected on an HA pair but you can still drop and not the traffic with a rule.
                    It's all UPnP and mDNS.

                    https://en.wikipedia.org/wiki/Multicast_address

                    Steve

                    M 1 Reply Last reply Reply Quote 1
                    • M Offline
                      mauro.tridici @stephenw10
                      last edited by

                      @stephenw10

                      Yes, the NICs are in promiscuous mode ( I missed to say that pfsense instance is a virtual instance in HA on VMware ESXi v.7 ).

                      The promiscuous mode has been enabled following this:

                      https://docs.netgate.com/pfsense/en/latest/troubleshooting/high-availability-virtual.html

                      Thank you, Steve, for the time you spent helping me. much appreciated!

                      Mauro

                      1 Reply Last reply Reply Quote 1
                      • M Offline
                        mauro.tridici
                        last edited by

                        @stephenw10

                        Good morning, Steve.
                        I'm sorry to disturb you again, but, if it is possible, I would like to ask you a question. Please, let me know if I have to open a new case/thread on this forum.

                        This is the question:
                        I successfully activated (on pfSense) HAproxy for web sites management.
                        So, users from the WAN are redirected to the right web server behind the firewall depending on the DNS name request.
                        Is there a way to do the same thing with FTP servers? I didn't find an "FTPproxy" in the pfSense packages list...

                        Could you please help me?

                        Thank you in advance.
                        Mauro

                        1 Reply Last reply Reply Quote 0
                        • stephenw10S Offline
                          stephenw10 Netgate Administrator
                          last edited by

                          HAProxy can pass FTP using TCP mode but not with host-header matching like that. You can only do that with http, ftp doesn't send that information.

                          Steve

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.