Netgate Discussion Forum
    CARP traffic not seen in firewall logs/bypassing firewall rules

    HA/CARP/VIPs
    3 Posts 2 Posters 969 Views
    • jsnicaise

      I have three CARP VIPs set up with two nodes. I have a very minimal set of rules. The whole High Availability setup seems to be working correctly: one master, one backup. The backup takes over when at least one link fails on the master. Configuration synchronizes correctly, etc.

      The question I have is about the states being created for the CARP VIPs and the firewall rules.

      I've noticed that firewall states are being created for the three CARP VIPs. Since states exist, firewall rules are bypassed, CARP traffic is allowed and no log entries are being shown.

      Is this normal behaviour?

      Are there implicit firewall rules allowing CARP traffic?

      Thanks,

      • jimp (Rebel Alliance Developer, Netgate)

        It depends on exactly what you mean by "CARP traffic".

        If you mean the actual multicast heartbeats sent by CARP to announce the VIPs to the segment, then yes, they have rules set to allow the traffic automatically and to skip NAT and other things that could break CARP.

        : grep -i carp /tmp/rules.debug
        no nat proto carp
        no rdr proto carp
        block in log quick proto carp from (self) to any
        pass quick proto carp
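        As an added illustration of the rules jimp quotes (example script written for this thread, not pfSense's own code), the following POSIX shell functions audit a rules.debug dump for the four CARP rules and report whether accepted heartbeats would ever reach the firewall log. The ruleset text is a constructed excerpt; on a live node you would feed it `cat /tmp/rules.debug` instead.

```shell
# Constructed excerpt of /tmp/rules.debug holding only the CARP-relevant lines.
SAMPLE_RULES='no nat proto carp
no rdr proto carp
block in log quick proto carp from (self) to any
pass quick proto carp'

# The four rules pfSense generates for CARP: NAT/redirect are skipped so the
# heartbeats are not rewritten, inbound heartbeats claiming one of our own
# addresses are dropped and logged, and everything else is passed quickly.
EXPECTED_CARP_RULES='no nat proto carp
no rdr proto carp
block in log quick proto carp from (self) to any
pass quick proto carp'

# check_carp_rules RULESET_TEXT
# Prints "missing: <rule>" for every expected rule absent from the ruleset.
# Returns 0 when all four are present, 1 otherwise. Leading indentation in
# the dump is stripped before the exact-line comparison.
check_carp_rules() {
    ruleset=$1
    missing=0
    printf '%s\n' "$EXPECTED_CARP_RULES" | while IFS= read -r rule; do
        if ! printf '%s\n' "$ruleset" | sed 's/^[[:space:]]*//' | grep -Fxq "$rule"; then
            echo "missing: $rule"
            exit 1
        fi
    done || missing=1
    return $missing
}

# carp_pass_logged RULESET_TEXT
# Prints "yes" if the pass rule for CARP carries pf's "log" keyword, else "no".
# pf writes to the firewall log only for rules that say "log", which is why
# the accepted heartbeats never show up even though states exist for them.
carp_pass_logged() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*pass .*[[:space:]]log[[:space:]].*proto carp'; then
        echo yes
    else
        echo no
    fi
}
```

Running `check_carp_rules "$SAMPLE_RULES"` against the sample prints nothing and returns 0, and `carp_pass_logged "$SAMPLE_RULES"` prints `no`, matching the behaviour the original poster observed.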
        • jsnicaise

          Yes, that's what I meant.

          Thanks,
