VRRP, is this excesive or normal?



  • I was sniffing my DMZ and in a 12 second sniff I received 16,000 VRRP packets from one of my master pfsense boxes WAN interface.  This seems to be a little excessive, but I am not familiar with the protocol at all.  Is this something to worry about?  The firewall in question is in a master/backup configuration and averages 2k states and 3-4mbit throughput.  I hope this is enough info, thanks for the help.



  • CARP is not VRRP though the broadcasts look similiar and some tools list CARP as protocol VRRP. Maybe it's just some wrong presentation due to misinterpreting CARP as VRRP?



  • Do you have cisco´s on the wan?



  • I was using Ethereal to sniff, I guess that makes more sense, but is that number of packets a normal amount?

    And yes, I do have a pair of PIX515e's on the WAN.



  • VRRP and CARP on the same broadcast domain is not a good combination I think.



  • ahhh, that is not good then.  What can i do about that?



  • Maybe try moving your vhids of the carp machines to something much higher. In case VRRP and CARP use the same vhids they might try talking to each other but don't understand each other  ;)



  • Please place a block rule at the end of your ruleset and then see what is going up…



  • in the logfile… i think many cisco broadcasts



  • wow this might be why, I have 3 pairs of pfsense firewalls, all have VIP's and I use vhid 1, 3, and 5 on all 3, so that is probably causing problems?  I guess that makes sense, just makes me feel dumb for overseeing that.



  • VHIDS should only be shared for the same ip address across cluster members.

    In addition, if you have upstream VRRP traffic you should ensure you are not using the same "vhid" id#.



  • I changed all VHIDs on all boxes, all different and all higher numbers now.  Looks like I am running smooth, but what has me worried/confused is I have a constant 800k-1mbit of traffic all the time even when nothing is going through pfsense?  Shows up in RRD and Traffic graphs.  Any ideas?



  • Time to sniff to see what's going on  ::)



  • Do a tcpdump and run through wiresharks expert analyzer.


Locked