Two NICs with CARP on the same switch/VLAN



  • Hi,
    I'm opening a new post, so I don't have to re-open the quite old http://forum.pfsense.org/index.php?topic=43102.0#lastPost .
    I'm using pfsense on an ESXi cluster with 2 different IP classes provided by the ISP on the same cable and on the same VLAN (unfortunately they can't change this).
    I'm using VIPs and CARP on both interfaces and I get almost 100 log entries per second like this one "224.0.0.18: VRRPv2, Advertisement, vrid 29, prio 0, authtype none, intvl 1s, length 36, addrs(7)" on both WANs, but everything is working perfectly and all the tests done are OK.
    Clicking the "X" button I can see:

    The rule that triggered this action is:
    @38 block drop in log quick proto carp (self:50) to any

    Is there a way to disable the logging of these CARP packets? I know this isn't the right configuration and it shouldn't be done this way, but I can't change how the ISP provides me these two different IP classes and I can't set two different IP addresses on the same interface.
    Thank you very much in advance for your help
      Francesco



  • More than likely it's traffic from your ISP's router.

    I get similar firewall logs for the HSRP routers that provide my external IPs.



  • Hi Francesco and all,

    I'm in exactly the same situation, but with a physical server with two physical NICs.

    • Two NICs with CARP on the same switch/VLAN (WAN side)

    My ISP provides me 2 public IP subnets on the same cable.
    This cable is plugged into my Cisco switch, in a port configured in access mode with VLAN X.

    Two other ports on the same Cisco switch are configured in access mode on the same VLAN X.
    Two PFS WAN NICs are connected to these two ports with this configuration:

    WAN (wan)      -> em1        -> v4: a.a.a.a/27
    WAN2 (opt9)    -> em3        -> v4: b.b.b.b/27

    My filter.log is flooded with these messages:

    rule 38/0(match): block in on em3: (tos 0x0, ttl 255, id 37753, offset 0, flags [DF], proto VRRP (112), length 56)
        a.a.a.a > 224.0.0.18: VRRPv2, Advertisement, vrid 108, prio 0, authtype none, intvl 1s, length 36, addrs(7): 77.110.34.171,61.17.65.165,90.166.164.7,254.92.249.181,89.34.91.45,24.56.193.51,49.113.148.220
    00:00:00.001830 rule 38/0(match): block in on em3: (tos 0x0, ttl 255, id 64989, offset 0, flags [DF], proto VRRP (112), length 56)

    and

    rule 38/0(match): block in on em1: (tos 0x0, ttl 255, id 15937, offset 0, flags [DF], proto VRRP (112), length 56)
        b.b.b.b > 224.0.0.18: VRRPv2, Advertisement, vrid 226, prio 0, authtype none, intvl 1s, length 36, addrs(7): 189.142.72.18,82.162.93.207,80.97.204.246,226.201.105.180,72.151.119.172,252.49.36.205,219.112.155.93
    00:00:00.178021 rule 38/0(match): block in on em1: (tos 0x0, ttl 255, id 46149, offset 0, flags [DF], proto VRRP (112), length 56)

    I already checked:

    • VIPs configuration ( all netmask OK, Base 1 and Skew 0 for all VIPs, VHID Group # dedicated for each VIP, same pwd)
    • netmask in WAN and WAN2 conf;

    Is there a way to solve this? Or a way to hide these messages if they are not a serious network issue?
    Note: I have another pair of PFS firewalls on the same switch and in the same VLAN X with a third public IP subnet (c.c.c.c), but I don't see VRRP/CARP messages in filter.log. With a tcpdump on the WAN interface I can see VRRP messages, but that is correct.

    pfs 2.1-RELEASE (i386)

    Thank you and best regards

    Simone
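The two posts above show the same pattern: a `block drop in ... proto carp from (self)` rule (rule 38) logging VRRPv2/CARP advertisements to 224.0.0.18 that arrive on one WAN NIC with a source address belonging to the other WAN, because both NICs sit on the same VLAN. Since pf's `self` keyword expands to the host's own addresses, a logged source you own that came in on the other NIC is your own advertisement crossing the shared VLAN, while any other source is another router (such as the ISP's HSRP/VRRP gateway, as the second reply suggests). The script below is an added example, not code from either poster or from pfSense: it parses filter.log lines in the tcpdump-style format shown above and sorts the blocked advertisements into those two cases. The sample log lines and the `LOCAL_ADDRS` ownership map are constructed (RFC 5737 addresses stand in for a.a.a.a/27 and b.b.b.b/27); on a real box the map would be built from the WAN/WAN2 addresses and the VIP list.

```python
import re
from collections import Counter

# Constructed sample of pf filter.log lines in the same tcpdump-style format the
# posts above show. RFC 5737 documentation addresses stand in for the a.a.a.a/27
# and b.b.b.b/27 subnets; the trailing addrs(...) lists are shortened to "...".
SAMPLE_LOG = """\
rule 38/0(match): block in on em3: (tos 0x0, ttl 255, id 37753, offset 0, flags [DF], proto VRRP (112), length 56)
    192.0.2.10 > 224.0.0.18: VRRPv2, Advertisement, vrid 108, prio 0, authtype none, intvl 1s, length 36, addrs(7): ...
00:00:00.001830 rule 38/0(match): block in on em3: (tos 0x0, ttl 255, id 64989, offset 0, flags [DF], proto VRRP (112), length 56)
    192.0.2.10 > 224.0.0.18: VRRPv2, Advertisement, vrid 108, prio 0, authtype none, intvl 1s, length 36, addrs(7): ...
rule 38/0(match): block in on em1: (tos 0x0, ttl 255, id 15937, offset 0, flags [DF], proto VRRP (112), length 56)
    198.51.100.10 > 224.0.0.18: VRRPv2, Advertisement, vrid 226, prio 0, authtype none, intvl 1s, length 36, addrs(7): ...
00:00:00.178021 rule 38/0(match): block in on em1: (tos 0x0, ttl 255, id 46149, offset 0, flags [DF], proto VRRP (112), length 20)
    192.0.2.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 29, prio 100, authtype none, intvl 1s, length 20, addrs(1): ...
"""

# Assumed address ownership (constructed): the interface address plus every CARP
# VIP carried on that NIC. On a real box build this from WAN/WAN2 and the VIP list.
LOCAL_ADDRS = {
    "em1": {"192.0.2.10", "192.0.2.11"},
    "em3": {"198.51.100.10", "198.51.100.11"},
}

CARP_MCAST = "224.0.0.18"  # CARP and VRRP both advertise to this multicast group

# 'rule N/0(match): block in on emX:' header, with or without a timestamp prefix.
HEADER_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<direction>in|out) on (?P<iface>\w+):"
)
# Indented packet line that follows the header.
PACKET_RE = re.compile(
    r"^\s+(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
    r"VRRPv2, Advertisement, vrid (?P<vrid>\d+), prio (?P<prio>\d+)"
)


def parse_filter_log(text):
    """Pair each rule-match header with the packet line that follows it."""
    events, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            header = m.groupdict()
            continue
        m = PACKET_RE.match(line)
        if m and header is not None:
            ev = {**header, **m.groupdict()}
            for key in ("rule", "vrid", "prio"):
                ev[key] = int(ev[key])
            events.append(ev)
            header = None  # one packet line per header
    return events


def classify(events, local_addrs):
    """Tag each blocked advertisement by where its source address lives."""
    owner = {addr: iface for iface, addrs in local_addrs.items() for addr in addrs}
    tagged = []
    for ev in events:
        if ev["dst"] != CARP_MCAST:
            kind = "not-carp"
        elif ev["src"] in owner:
            # pf's 'self' matches the host's own addresses: our own advertisement
            # came back in on the other NIC through the shared VLAN.
            kind = "own-looped-back" if owner[ev["src"]] != ev["iface"] else "own-same-iface"
        else:
            kind = "foreign-router"  # e.g. the ISP's HSRP/VRRP gateway
        tagged.append({**ev, "kind": kind})
    return tagged


def summarize(tagged):
    """Count blocked advertisements per (ingress iface, source, vrid, kind)."""
    return Counter((e["iface"], e["src"], e["vrid"], e["kind"]) for e in tagged)


if __name__ == "__main__":
    counts = summarize(classify(parse_filter_log(SAMPLE_LOG), LOCAL_ADDRS))
    for (iface, src, vrid, kind), n in sorted(counts.items()):
        print(f"{iface:4} {src:15} vrid {vrid:3} {kind:16} x{n}")
```

Run against a real filter.log (`clog /var/log/filter.log` on pfSense 2.1), the `own-looped-back` rows are the noise this thread is about, and the `foreign-router` rows are what the second reply describes; a `vrid` that matches one of your own VHIDs but comes from an address you do not own would be worth a closer look rather than silencing.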