Netgate Discussion Forum
    CARP and rules

    HA/CARP/VIPs · 3 Posts · 2 Posters · 3.0k Views

    Eugene:

      Hi!
      After connecting one client running Cisco VRRP to our pfSense CARP cluster, our logs are hammered with:

      May 12 09:46:00 	last message repeated 108 times
      May 12 09:43:59 	last message repeated 29 times
      May 12 09:43:28 	kernel: carp_input: received len 20 < sizeof(struct carp_header)
      

      and indeed the packets are received by pfSense:

      09:53:08.614168 IP 10.29.252.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 200, prio 240, authtype simple, intvl 1s, length 20
      
      

      These 20-byte packets come from the Cisco. I thought of explicitly blocking them from reaching our system to get rid of these entries in the system log, but I found that there is no rule allowing CARP traffic coming in on the interface.
      Could anybody please confirm: does a packet coming to 224.0.0.18 not go through the pf rules at all?
      Thanks.

    jimp (Rebel Alliance Developer, Netgate):

        I believe if you enable CARP a rule is added behind the scenes to allow this traffic.

        Though, if memory serves, you might be able to add your own non-logging rule to block it from that source IP.

    Eugene:

          The problem (question) is that I can't see this automatically added rule, but CARP works.

          # pfctl -sr | grep vlan16
          block drop in on ! vlan16 inet from 10.29.252.0/24 to any
          block drop in on vlan16 inet6 from fe80::211:aff:fe53:4460 to any
          pass out quick on vlan16 all flags S/SA keep state label "let out anything from firewall host itself"
          pass out quick on vlan16 proto icmp all keep state (tcp.closed 5) label "let out anything from firewall host itself"
          pass out quick on vlan16 all flags S/SA keep state (tcp.closed 5) label "let out anything from firewall host itself"
          ... user rules ...
          pass in quick on vlan16 inet proto tcp from any to 127.0.0.1 port = 8039 flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
          pass in quick on vlan16 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
          
          

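The kernel message in the thread is explained by the wire formats: CARP and VRRPv2 share IP protocol 112, the multicast group 224.0.0.18 and even the same first byte (version 2, type 1 = 0x21), so the only thing that stops the Cisco's advertisement before the checksum and HMAC stages is the length test, and a VRRPv2 advertisement carrying one address is exactly 20 bytes while struct carp_header is 36. The example below is added here and is not code from the thread, from FreeBSD or from pfSense. It builds a VRRPv2 advertisement with the values from the tcpdump line (vrid 200, prio 240, simple auth, 1 s interval; the virtual address 10.29.252.1 is made up) and a CARP advertisement with a matching vhid, then runs both through a small Python model of the early checks in carp_input(). The length check and its log text are the ones quoted in the thread; the order of the remaining checks, the other reason strings and the value 7 for the authlen field are assumptions, and the constructed CARP packet carries a zero HMAC because no key is involved.

```python
import socket
import struct

# sizeof(struct carp_header) on FreeBSD:
# ver/type(1) vhid(1) advskew(1) authlen(1) demote(1) advbase(1) cksum(2) counter(8) md(20) = 36
CARP_HEADER_LEN = 36
CARP_AUTHLEN = 7  # assumption: value the CARP code writes into the authlen field


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; both VRRP and CARP use it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vrrp2_advert(vrid, prio, interval, vips, auth_type=1, password=b""):
    """VRRPv2 (RFC 3768) advertisement: 8-byte header, 4 bytes per VIP, 8 bytes auth data.
    auth_type 1 is what tcpdump prints as 'authtype simple'."""
    head = struct.pack("!BBBBBB", 0x21, vrid, prio, len(vips), auth_type, interval)
    body = b"".join(socket.inet_aton(v) for v in vips) + password[:8].ljust(8, b"\x00")
    csum = inet_checksum(head + b"\x00\x00" + body)
    return head + struct.pack("!H", csum) + body


def build_carp_advert(vhid, advskew=0, advbase=1, counter=0, md=bytes(20)):
    """CARP advertisement laid out as struct carp_header (constructed; md is the SHA1-HMAC slot)."""
    head = struct.pack("!BBBBBB", 0x21, vhid, advskew, CARP_AUTHLEN, 0, advbase)
    body = struct.pack("!Q", counter) + md
    csum = inet_checksum(head + b"\x00\x00" + body)
    return head + struct.pack("!H", csum) + body


def carp_input(payload: bytes) -> dict:
    """Model of the early sanity checks on the IP payload of a protocol-112 packet
    to 224.0.0.18, in the order assumed here: length, version/type, checksum.
    'accepted' only means the packet reached the point where the HMAC in md
    would be verified against the configured CARP password."""
    n = len(payload)
    if n < CARP_HEADER_LEN:
        # This is the message from the thread's system log.
        return {"accepted": False,
                "log": f"carp_input: received len {n} < sizeof(struct carp_header)"}
    ver_type, vhid, advskew, authlen, demote, advbase, cksum = struct.unpack(
        "!BBBBBBH", payload[:8])
    if (ver_type >> 4) != 2 or (ver_type & 0x0F) != 1:
        return {"accepted": False, "log": "bad CARP version/type"}  # assumed wording
    if inet_checksum(payload[:CARP_HEADER_LEN]) != 0:
        return {"accepted": False, "log": "bad CARP checksum"}       # assumed wording
    return {"accepted": True, "vhid": vhid, "advskew": advskew, "advbase": advbase}


if __name__ == "__main__":
    cisco = build_vrrp2_advert(200, 240, 1, ["10.29.252.1"])   # 20 bytes, as in the tcpdump
    ours = build_carp_advert(200)                               # 36 bytes
    print(len(cisco), carp_input(cisco)["log"])
    print(len(ours), carp_input(ours))
    # Edge case: a VRRPv2 advertisement with five VIPs is also 36 bytes and
    # a valid Internet checksum, so it gets past these checks and is only
    # rejected at the HMAC stage.
    print(carp_input(build_vrrp2_advert(200, 240, 1,
                                        ["10.29.252.%d" % i for i in range(1, 6)])))
```

Two practical points follow from this. First, a VRRP peer with more addresses would not produce the length message at all but would still be dropped later, so the log noise is a symptom of the 20-byte case, not a sign that the cluster is at risk. Second, the packet does traverse pf before the protocol demux hands it to carp_input(), which is why the non-logging block rule jimp mentions can silence it; note that `pfctl -sr | grep vlan16` cannot show a rule that has no `on vlan16` clause, so an interface-less automatic rule for protocol 112 (pf knows it as `proto carp`) would not appear in the grep above.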
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.