CARP traffic not seen in firewall logs/bypassing firewall rules

  • I have three CARP VIPs setup with two nodes. I have a very minimal set of rules. The whole High availability setup seems to be working correctly, One master, one backup. The backup takes over when at least one link fails on the master. Configuration synchronizes correctly. Etc.

    The question I have is about the states being created for the CARP VIPs and the firewall rules.

    I've noticed that firewall states are being created for the three CARP VIPs. Since states exist, firewall rules are bypassed, CARP traffic is allowed and no log entries are being shown.

    Is this normal behaviour?

    Are there implicit firewall rules allowing CARP traffic?


  • Rebel Alliance Developer Netgate

    It depends on exactly what you mean by "CARP traffic".

    If you mean the actual multicast heartbeats sent by CARP to announce the VIPs to the segment, then yes they have rules set to allow the traffic automatically to skip NAT and other things that could break CARP.

    : grep -i carp /tmp/rules.debug
    no nat proto carp
    no rdr proto carp
    block in log quick proto carp from (self) to any
    pass quick proto carp

  • yes, that's what I meant.


Log in to reply