Bug #15622
Closed
IPv6 CARP uses wrong VHID Mac
Description
pfSense uses the IANA VRRP-defined virtual MAC addresses for CARP v4. This is great and valid, unless you are configuring an IPv6 CARP address with the same VHID.
pfSense seems to use the same MAC format for IPv4 and IPv6 addresses, which does not follow the formats defined by RFC 5798 in section 7.3. https://datatracker.ietf.org/doc/html/rfc5798#section-7.3
The virtual router MAC address associated with a virtual router is an IEEE 802 MAC Address in the following format:
IPv4 case: 00-00-5E-00-01-{VRID} (in hex, in Internet-standard bit-order)
IPv6 case: 00-00-5E-00-02-{VRID} (in hex, in Internet-standard bit-order)
This bug poses issues when configuring a cluster of firewalls the correct way, with the same VHID for IPv4 and IPv6.
Updated by Jim Pingle about 1 year ago
- Category changed from CARP to FreeBSD
- Status changed from New to Needs Patch
The linked spec is VRRPv3, not CARP. CARP is a VRRP "work-alike" -- it is purposefully not an implementation of VRRP or compatible with VRRP.
That said, the MAC address used there is how CARP is handled at the OS level; pfSense software does not configure it in that way. That would have to be implemented in FreeBSD first before being implemented here.
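An added example, not part of the ticket or of pfSense/FreeBSD code: a small audit that reads (IP, MAC) neighbor entries and reports virtual-router MACs whose block (`00-00-5E-00-01` or `00-00-5E-00-02`, as quoted from RFC 5798 section 7.3 above) does not match the address family of the IP. The function names and the sample entries are constructed for illustration; per the comment above, a finding on a CARP address reflects how CARP is handled at the OS level.

```python
import ipaddress
import re

# Fifth octet of the RFC 5798 section 7.3 virtual router MAC, per family.
FAMILY_OCTET = {"ipv4": 0x01, "ipv6": 0x02}

def rfc5798_mac(vrid, family):
    """Virtual router MAC that RFC 5798 defines for this VRID and family."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return "00:00:5e:00:%02x:%02x" % (FAMILY_OCTET[family], vrid)

def parse_virtual_mac(mac):
    """Return (family, vrid) for a MAC in either block, else None."""
    octets = re.split(r"[:-]", mac.strip())
    if len(octets) != 6:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    # int(..., 16) also accepts unpadded octets such as "0:0:5e:0:1:a".
    values = [int(o, 16) for o in octets]
    if values[:4] != [0x00, 0x00, 0x5E, 0x00]:
        return None
    for family, octet in FAMILY_OCTET.items():
        if values[4] == octet:
            return family, values[5]
    return None

def audit_neighbors(entries):
    """Yield entries whose virtual MAC block disagrees with the IP family."""
    findings = []
    for ip, mac in entries:
        parsed = parse_virtual_mac(mac)
        if parsed is None:
            continue  # ordinary interface MAC, not a virtual router MAC
        mac_family, vrid = parsed
        version = ipaddress.ip_address(ip.split("%")[0]).version
        ip_family = "ipv4" if version == 4 else "ipv6"
        if mac_family != ip_family:
            findings.append((ip, mac, vrid, rfc5798_mac(vrid, ip_family)))
    return findings

# Constructed sample: ARP/NDP entries using documentation address ranges.
SAMPLE = [
    ("192.0.2.1", "00:00:5e:00:01:0a"),    # IPv4 address, IPv4 block
    ("2001:db8::1", "00:00:5e:00:01:0a"),  # IPv6 address, IPv4 block
    ("2001:db8::2", "00-00-5E-00-02-0B"),  # IPv6 address, IPv6 block
    ("192.0.2.50", "02:00:00:00:00:01"),   # not a virtual router MAC
]

if __name__ == "__main__":
    for ip, mac, vrid, expected in audit_neighbors(SAMPLE):
        print("%s uses %s (ID %d); RFC 5798 form is %s" % (ip, mac, vrid, expected))
```
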