Netgate Discussion Forum

CARP multicast switching security issue

    Yo Mismo
    last edited by Aug 3, 2021, 4:34 AM

    Hi,

    I'm using 2 pfsense in HA with CARP VIPs as default gateways in the subnets.

    The problem is that ARP responses for the VIP default gateway also carry the multicast VRRP MAC address, so all outgoing traffic in the subnet is multicast and therefore flooded to all switch ports. Even with IGMP snooping, the traffic is flooded everywhere, because there are no IGMP joins for this multicast traffic.

    Any port (client) can see subnet outgoing traffic of other ports (clients).

    Is it normal? Can we avoid it? I've always thought that VRRP MAC was only for master election, and master always responded to VIP ARP requests with BIA MAC. Otherwise VRRP is a big security issue and it makes no sense to use it. Or is it that maybe premium switches are more intelligent and don't flood HSRP and VRRP multicast MAC destinations?

      Yo Mismo
      last edited by Aug 27, 2021, 7:11 AM

      Anybody? I don't have a premium switch to test if VRRP standard is a L2 security issue.

        SophiaMarchildon @Yo Mismo
        last edited by Aug 31, 2021, 6:29 PM

        @yo-mismo CARP (a "variant" of VRRP) packets are sent using MAC 00:00:5e:00:01:vhid (unicast) to 01:00:5e:00:01:vhid (multicast). ARP of CARP VIP should be 00:00:5e:00:01:vhid.

        Can you post a Wireshark capture that shows that every packet is sent to the multicast 01:00:5e:00:01:vhid?

        It shouldn't be multicasting traffic other than the CARP heartbeats. If it does, there may be issues with ARP proxies or something something that would interfere with it.

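The check the reply asks for, written as an added example for the whole thread (not code from either poster, pfSense or Netgate): it classifies Ethernet frames by destination MAC so that a capture can be audited for exactly the symptom in the first post, data-plane frames addressed to the CARP multicast MAC instead of the unicast virtual MAC. The two prefixes (00:00:5e:00:01:vhid unicast, 01:00:5e:00:01:vhid multicast) are taken from the reply above and treated as assumptions; IP protocol 112 for CARP/VRRP advertisements is standard. The sample frames are constructed inline, not from a real capture, and the script parses raw bytes so it runs without a pcap library.

```python
"""Classify Ethernet frames by destination MAC to audit CARP/VRRP gateway
traffic: frames to the VIP should use the unicast virtual MAC
00:00:5e:00:01:<vhid>, and only CARP advertisements (IP protocol 112)
should be addressed to the multicast MAC. Added example, not pfSense or
Netgate code; the MAC prefixes follow the forum reply and are assumptions."""
import struct
from collections import Counter

VIRTUAL_MAC_PREFIX = bytes.fromhex("00005e0001")  # 00:00:5e:00:01:xx, unicast (assumed from thread)
CARP_MCAST_PREFIX = bytes.fromhex("01005e0001")   # 01:00:5e:00:01:xx, multicast (assumed from thread)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_CARP = 112  # VRRP and CARP share IP protocol number 112


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def is_multicast(mac: bytes) -> bool:
    # The I/G bit is the least-significant bit of the first octet.
    return bool(mac[0] & 0x01)


def parse_ethernet(raw: bytes):
    """Return (dst, src, ethertype, payload) from a raw Ethernet II frame."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    return dst, src, ethertype, raw[14:]


def ipv4_protocol(payload: bytes):
    """IP protocol number from an IPv4 header, or None if the payload is not IPv4."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    return payload[9]


def vhid(mac: bytes) -> int:
    # Both prefixes put the VHID in the last octet.
    return mac[5]


def classify(raw: bytes) -> str:
    dst, _src, ethertype, payload = parse_ethernet(raw)
    proto = ipv4_protocol(payload) if ethertype == ETHERTYPE_IPV4 else None
    if dst[:5] == CARP_MCAST_PREFIX:
        # Advertisements are expected here; anything else is being flooded.
        return "carp-advertisement" if proto == IPPROTO_CARP else "flooded-to-carp-mcast"
    if dst[:5] == VIRTUAL_MAC_PREFIX:
        return "vip-unicast"
    return "multicast-other" if is_multicast(dst) else "unicast-other"


def audit(frames):
    """Count each class and list (src, dst, vhid) for frames flooded to the CARP multicast MAC."""
    counts = Counter()
    flooded = []
    for raw in frames:
        kind = classify(raw)
        counts[kind] += 1
        if kind == "flooded-to-carp-mcast":
            dst, src, _, _ = parse_ethernet(raw)
            flooded.append((mac_str(src), mac_str(dst), vhid(dst)))
    return counts, flooded


# ---- constructed sample frames (not a real capture) ----
def build_frame(dst: bytes, src: bytes, proto: int) -> bytes:
    """Minimal IPv4-over-Ethernet frame carrying only the fields the checks read."""
    ip = bytearray(20)
    ip[0] = 0x45  # version 4, IHL 5
    ip[8] = 64    # TTL
    ip[9] = proto
    return struct.pack("!6s6sH", dst, src, ETHERTYPE_IPV4) + bytes(ip)


HOST_A = bytes.fromhex("525400aabb01")      # constructed client MAC
MASTER = bytes.fromhex("525400aabb02")      # constructed firewall BIA MAC
VIP_MAC = VIRTUAL_MAC_PREFIX + b"\x01"      # vhid 1, unicast
CARP_MCAST = CARP_MCAST_PREFIX + b"\x01"    # vhid 1, multicast

SAMPLE_FRAMES = [
    build_frame(CARP_MCAST, MASTER, IPPROTO_CARP),  # heartbeat: expected
    build_frame(VIP_MAC, HOST_A, 6),                # TCP to the gateway VIP: expected
    build_frame(CARP_MCAST, HOST_A, 6),             # TCP to the multicast MAC: the flooding symptom
    build_frame(MASTER, HOST_A, 17),                # UDP to the firewall's own MAC
]

if __name__ == "__main__":
    counts, flooded = audit(SAMPLE_FRAMES)
    print(dict(counts))
    for src, dst, vh in flooded:
        print(f"flooded: {src} -> {dst} (vhid {vh})")
```

On a real capture, feed `audit()` the raw frames and treat any non-zero "flooded-to-carp-mcast" count as the condition the first post describes; a clean deployment shows only "carp-advertisement" frames at the multicast address and all client traffic to the VIP under "vip-unicast".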
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.