
Author Topic: CARP/HA working on WAN without any rules on interface  (Read 86 times)


Offline TheGOP

CARP/HA working on WAN without any rules on interface
« on: November 09, 2017, 07:03:41 am »
Hello, I have a question out of curiosity about CARP.

I have configured HA on my two pfSense installations and everything works flawlessly, so no problems on this side. However, even without any rules on WAN (so all incoming connections are blocked), CARP seems to communicate on that interface with no problems, probably accepting advertisements on 224.0.0.18.

Could anyone enlighten me on this? Is this rule for CARP hardcoded?

Offline jimp

  • Administrator
Re: CARP/HA working on WAN without any rules on interface
« Reply #1 on: November 13, 2017, 01:31:18 pm »
Yes, the CARP traffic is allowed automatically. It is far too easy for user rules to break CARP unintentionally, and since it is multicast and thus only found in the local L2 segment, it is not a significant risk to allow the traffic. The automatic CARP rules also exempt CARP traffic from NAT.
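An added example, not part of the original posts and not pfSense's own code: a check of what "only found in the local L2 segment" means for a captured packet, useful when auditing what the automatic rule lets in on WAN. The protocol number 112, the TTL of 255, and the 36-byte header with version and type in its first byte are assumptions taken from FreeBSD's CARP implementation, not from this thread; the function names and sample addresses are constructed.

```python
import ipaddress
import struct

# Assumed from FreeBSD's CARP implementation, not stated on this page:
CARP_PROTO = 112                                  # IP protocol number
CARP_GROUP = ipaddress.IPv4Address("224.0.0.18")  # link-local multicast group
CARP_TTL = 255                                    # any router hop would lower it
CARP_HDR_LEN = 36                                 # fixed CARP header size


def build_sample(ttl=CARP_TTL, dst="224.0.0.18", vhid=1):
    """Constructed IPv4 + CARP advertisement (checksums and HMAC zeroed)."""
    carp = bytes([0x21, vhid, 0, 7, 0, 1]) + bytes(CARP_HDR_LEN - 6)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(carp), 0, 0, ttl,
                     CARP_PROTO, 0,
                     ipaddress.IPv4Address("198.51.100.2").packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + carp


def check_carp_advert(packet):
    """Return reasons the packet is not an on-link CARP advertisement."""
    if len(packet) < 20:
        return ["truncated IPv4 header"]
    ver_ihl, _, _, _, _, ttl, proto, _, _, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        return ["not a valid IPv4 header"]
    problems = []
    if proto != CARP_PROTO:
        problems.append(f"IP protocol {proto}, expected {CARP_PROTO}")
    if ipaddress.IPv4Address(dst) != CARP_GROUP:
        problems.append("destination is not 224.0.0.18")
    if ttl != CARP_TTL:
        problems.append(f"TTL {ttl}, expected 255 (a routed packet arrives lower)")
    carp = packet[ihl:]
    if len(carp) < CARP_HDR_LEN:
        problems.append("truncated CARP header")
    elif (carp[0] >> 4, carp[0] & 0x0F) != (2, 1):
        problems.append("not a CARP version 2 advertisement")
    # Authenticity (the HMAC in the header) needs the shared password; not checked.
    return problems


if __name__ == "__main__":
    for label, pkt in [("on-link", build_sample()), ("routed", build_sample(ttl=254))]:
        print(label, check_carp_advert(pkt) or "looks like a local CARP advertisement")
```

An empty result only says the packet has the shape of an on-link advertisement; any host on the same WAN segment can still send one, so the CARP password remains the control that decides which advertisements are trusted.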