Netgate Discussion Forum
    CARP multicast switching security issue

    HA/CARP/VIPs
Yo Mismo:

      Hi,

I'm using 2 pfSense boxes in HA with CARP VIPs as the default gateways in the subnets.

The problem is that the ARP responses for the VIP default gateway also carry the multicast VRRP MAC address, so all outgoing traffic in the subnet is multicast, and therefore flooded to all switch ports. Even with IGMP snooping, the traffic is flooded everywhere, because there are no IGMP joins for this multicast traffic.

Any port (client) can see the outgoing subnet traffic of the other ports (clients).

Is this normal? Can we avoid it? I've always thought that the VRRP MAC was only used for master election, and that the master always responded to VIP ARP requests with its BIA MAC. Otherwise VRRP is a big security issue and it makes no sense to use it. Or is it that premium switches are more intelligent and don't flood HSRP and VRRP multicast MAC destinations?

Yo Mismo:

Anybody? I don't have a premium switch to test whether the VRRP standard is an L2 security issue.

SophiaMarchildon @Yo Mismo:

@yo-mismo CARP (a "variant" of VRRP) packets are sent from MAC 00:00:5e:00:01:vhid (unicast) to 01:00:5e:00:01:vhid (multicast). The ARP reply for a CARP VIP should be 00:00:5e:00:01:vhid.

Can you post a Wireshark capture that shows that every packet is sent to the multicast address 01:00:5e:00:01:vhid?

It shouldn't be multicasting any traffic other than the CARP heartbeats. If it does, there may be issues with ARP proxies or something else that is interfering with it.

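A small frame classifier that checks the distinction drawn in the reply above: ARP replies for the VIP should carry the unicast MAC 00:00:5e:00:01:vhid, the only frames to 01:00:5e:00:01:vhid should be CARP heartbeats (IP protocol 112), and ordinary data sent to a multicast destination MAC is the flooding symptom the original poster describes. This is an added example, not code from the thread or from pfSense; the frames are constructed inline (VHID 5, RFC 5737 test addresses) rather than taken from a real capture.

```python
import struct
from ipaddress import IPv4Address

CARP_UNICAST = bytes.fromhex("00005e0001")  # 00:00:5e:00:01:<vhid>, VIP's MAC
CARP_MCAST = bytes.fromhex("01005e0001")    # 01:00:5e:00:01:<vhid>, heartbeat dst
ETH_ARP, ETH_IP, PROTO_VRRP = 0x0806, 0x0800, 112  # CARP heartbeats use IP proto 112

def eth(dst, src, etype, payload):
    return dst + src + struct.pack("!H", etype) + payload

def arp_reply(sha, spa, tha, tpa):
    """Ethernet/IPv4 ARP reply: sender (sha/spa) answers target (tha/tpa)."""
    body = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, 2, sha,
                       IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
    return eth(tha, sha, ETH_ARP, body)

def ipv4(dst_mac, src_mac, proto, src_ip, dst_ip):
    """Minimal IPv4 header (no options, zero checksum) in an Ethernet frame."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                      IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth(dst_mac, src_mac, ETH_IP, hdr)

def classify(frame):
    """Return (kind, verdict) for one frame, judged against expected CARP behaviour."""
    dst, etype, payload = frame[:6], struct.unpack("!H", frame[12:14])[0], frame[14:]
    if etype == ETH_ARP and struct.unpack("!H", payload[6:8])[0] == 2:  # ARP reply
        sha = payload[8:14]                     # MAC the VIP resolves to
        if sha[:5] == CARP_UNICAST:
            return ("arp-reply", "ok")          # unicast CARP MAC, as expected
        return ("arp-reply", "multicast-mac" if sha[0] & 1 else "other-mac")
    if etype == ETH_IP:
        if payload[9] == PROTO_VRRP and dst[:5] == CARP_MCAST:
            return ("carp-heartbeat", "ok")     # the only multicast CARP should emit
        if dst[0] & 1:                          # I/G bit set: multicast/broadcast dst
            return ("data", "flooded")          # unicast data carried in a multicast frame
        return ("data", "ok")
    return ("other", "ignored")

def summarize(frames):
    counts = {}
    for f in frames:
        counts[classify(f)] = counts.get(classify(f), 0) + 1
    return counts

# Constructed sample capture (hypothetical addresses): VHID 5, VIP 192.0.2.1.
VHID = 5
VIP_MAC, HB_MAC = CARP_UNICAST + bytes([VHID]), CARP_MCAST + bytes([VHID])
CLIENT = bytes.fromhex("0a0000000001")
SAMPLE = [
    arp_reply(VIP_MAC, "192.0.2.1", CLIENT, "192.0.2.10"),       # healthy ARP reply
    ipv4(HB_MAC, VIP_MAC, PROTO_VRRP, "192.0.2.2", "224.0.0.18"),  # CARP heartbeat
    ipv4(VIP_MAC, CLIENT, 6, "192.0.2.10", "198.51.100.7"),      # healthy client data
    ipv4(HB_MAC, CLIENT, 6, "192.0.2.10", "198.51.100.7"),       # the reported symptom
]
```

Run `summarize(SAMPLE)` over frames read from a real capture (for example via a pcap reader) to see how many data frames are leaving towards a multicast MAC versus the unicast VIP MAC.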
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.