CARP and rules



  • Hi!
    after connecting one client with Cisco VRRP to pfSense CARP-cluster our logs are hammered with:

    May 12 09:46:00 	last message repeated 108 times
    May 12 09:43:59 	last message repeated 29 times
    May 12 09:43:28 	kernel: carp_input: received len 20 < sizeof(struct carp_header)
    

    and indeed the packets are received by pfSense:

    09:53:08.614168 IP 10.29.252.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 200, prio 240, authtype simple, intvl 1s, length 20
    
    

    These 20 byte length packets come from cisco. I thought of explicitly disabling them from reaching our system to get rid of these entries in system log but I found out that there is no rule allowing CARP traffic coming to interface.
    Could anybody confirm please: any packet coming to 224.0.0.18 does not go through pf rules?
    Thanks.


  • Rebel Alliance Developer Netgate

    I believe if you enable CARP a rule is added behind the scenes to allow this traffic.

    Though if memory serves you might be able to add your own non-logging rule to block it from that source IP.



  • The problem (question) is I can't see this automatically added rule but CARP works.

    # pfctl -sr | grep vlan16
    block drop in on ! vlan16 inet from 10.29.252.0/24 to any
    block drop in on vlan16 inet6 from fe80::211:aff:fe53:4460 to any
    pass out quick on vlan16 all flags S/SA keep state label "let out anything from firewall host itself"
    pass out quick on vlan16 proto icmp all keep state (tcp.closed 5) label "let out anything from firewall host itself"
    pass out quick on vlan16 all flags S/SA keep state (tcp.closed 5) label "let out anything from firewall host itself"
    ... user rules ...
    pass in quick on vlan16 inet proto tcp from any to 127.0.0.1 port = 8039 flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on vlan16 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
    
    

Locked