CARP multicast switching security issue
I'm using 2 pfSense in HA with CARP VIPs as default gateways in the subnets.
The problem is that ARP responses for the VIP default gateway also carry the multicast VRRP MAC address, so all outgoing traffic in the subnet is multicast, and therefore flooded to all switch ports. Even with IGMP snooping, the traffic is flooded everywhere, because there are no IGMP joins for this multicast traffic.
Any port (client) can see subnet outgoing traffic of other ports (clients).
Is this normal? Can we avoid it? I've always thought that the VRRP MAC was only for master election, and that the master always responded to VIP ARP requests with its BIA MAC. Otherwise VRRP is a big security issue and it makes no sense to use it. Or is it that maybe premium switches are more intelligent and don't flood HSRP and VRRP multicast MAC destinations?
Anybody? I don't have a premium switch to test if VRRP standard is a L2 security issue.
@yo-mismo CARP (a "variant" of VRRP) packets are sent from MAC 00:00:5e:00:01:vhid (unicast) to 01:00:5e:00:01:vhid (multicast). The ARP reply for the CARP VIP should be 00:00:5e:00:01:vhid.
Can you post a Wireshark capture that shows that every packet is sent to the multicast 01:00:5e:00:01:vhid?
It shouldn't be multicasting traffic other than the CARP heartbeats. If it does, there may be issues with ARP proxies or something else that would interfere with it.
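The reply above asks for a capture to confirm which frames actually carry the multicast destination. The Python below is an added example, not code from this thread or from pfSense: it walks a handful of constructed Ethernet frames (not a real capture) and separates CARP advertisements (IP protocol 112 sent to a group MAC, which is expected) from client data addressed to a group MAC, which is the flooding symptom the question describes. It also checks that an ARP reply for the VIP carries the unicast 00:00:5e:00:01:vhid address rather than a group address. The MAC address forms follow the reply above; the VHID, IP addresses and client MAC are assumptions chosen for the sample.

```python
import struct
import ipaddress
from typing import Dict, List

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_VRRP = 112      # CARP reuses the VRRP IP protocol number
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_multicast_mac(mac: str) -> bool:
    """The I/G bit (lowest bit of the first octet) marks a group address. A switch
    never learns a group address on a port, so frames sent to it are flooded."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


def carp_vip_mac(vhid: int) -> str:
    """Unicast MAC the master should answer VIP ARP requests with (per the reply above)."""
    return f"00:00:5e:00:01:{vhid:02x}"


# --- builders for the constructed sample frames (not a real capture) -----------
def eth(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    # Minimal 20-byte IPv4 header; checksum left at zero since nothing validates it here.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def arp_reply(sha: str, spa: str, tha: str, tpa: str) -> bytes:
    return struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY,
                       mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                       mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)


# --- the checks -----------------------------------------------------------------
def classify_frame(frame: bytes, vhid: int) -> str:
    """Label one frame by whether its destination MAC is legitimately a group address."""
    dst = mac_str(frame[0:6])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_ARP:
        return "arp"
    if ethertype != ETHERTYPE_IPV4:
        return "other"
    proto = frame[14 + 9]                       # protocol field of the IPv4 header
    if proto == IPPROTO_VRRP and is_multicast_mac(dst):
        return "carp-advertisement"             # heartbeat: multicast is expected
    if dst == carp_vip_mac(vhid):
        return "unicast-to-vip"                 # learned on the master's port, not flooded
    if is_multicast_mac(dst):
        return "data-to-group-mac"              # the symptom from the question
    return "other"


def audit(frames: List[bytes], vhid: int) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for frame in frames:
        kind = classify_frame(frame, vhid)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def check_vip_arp_reply(frame: bytes, vip: str, vhid: int) -> bool:
    """True when an ARP reply for `vip` carries the unicast CARP MAC as sender address."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return False
    arp = frame[14:42]
    oper = struct.unpack("!H", arp[6:8])[0]
    sha = mac_str(arp[8:14])
    spa = str(ipaddress.IPv4Address(arp[14:18]))
    return oper == ARP_REPLY and spa == vip and sha == carp_vip_mac(vhid) and not is_multicast_mac(sha)


# --- constructed sample data (assumed VHID 1, 192.0.2.0/24 subnet, VIP 192.0.2.1) --
CLIENT_MAC = "02:00:00:00:00:aa"      # constructed client MAC


def sample_frames(vhid: int) -> List[bytes]:
    group = f"01:00:5e:00:01:{vhid:02x}"      # group MAC as quoted in the reply above
    master = carp_vip_mac(vhid)
    return [
        # CARP advertisement from the master to the group: expected multicast
        eth(group, master, ETHERTYPE_IPV4, ipv4(IPPROTO_VRRP, "192.0.2.2", "224.0.0.18", b"")),
        # healthy client traffic to the VIP's unicast MAC
        eth(master, CLIENT_MAC, ETHERTYPE_IPV4, ipv4(6, "192.0.2.10", "198.51.100.5", b"")),
        # the reported problem: client TCP data addressed to the group MAC
        eth(group, CLIENT_MAC, ETHERTYPE_IPV4, ipv4(6, "192.0.2.10", "198.51.100.5", b"")),
    ]


def sample_arp_reply(sender_mac: str) -> bytes:
    return eth(CLIENT_MAC, sender_mac, ETHERTYPE_ARP,
               arp_reply(sender_mac, "192.0.2.1", CLIENT_MAC, "192.0.2.10"))


if __name__ == "__main__":
    print(audit(sample_frames(1), 1))
    print(check_vip_arp_reply(sample_arp_reply(carp_vip_mac(1)), "192.0.2.1", 1))
```

Run against a real capture, the same two checks (group destination without IP protocol 112, and an ARP reply for the VIP whose sender address has the I/G bit set) are what to look for in the Wireshark output the reply asks for; a non-zero "data-to-group-mac" count is the flooding behaviour the question describes.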