0

I am calling them excessive because they fill up the firewall log file in 1 minute. This router was provided to me by my ISP, and I cannot control the firewall rules that allow or block communications; I can only open or close network ports.

I have GPON. The setup that my ISP provided me was a router and an ONT. I noticed that the ONT and router always had Ethernet activity between them (I first noticed this a couple of years ago), even when no devices were connected to the router. I have also been noticing an increase in CPU usage on my router (the one provided by the ISP). The load average for the CPU would normally be 1.00. The firewall log kept filling up with blocked connections coming from 10.x.x.x IPs to the multicast VRRP IP 224.0.0.18.

I plugged a computer into the ONT Ethernet port and ran a Wireshark capture. Behind the WAN port are 3 VLANs: one for data (internet access), another for voice, and another for IPTV. I didn't do any configuration regarding VLANs; I just connected my computer to the Ethernet port on the ONT without configuring anything.

I could see lots of VRRP broadcasts. They come from 2 different routers (on the ISP infrastructure) that are doing VRRP broadcasts; the broadcasts are sent every 1 second. One of the routers is on the voice WAN, and the other one is on the IPTV WAN.

208 559.061863  10.240.143.252  224.0.0.18  VRRP    90  Announcement (v2)
212 559.258679  10.93.255.252   224.0.0.18  VRRP    64  Announcement (v2)

VRRP 9000 entries in wireshark: https://i.imgur.com/pN1a5rd.jpg

I suppose these connections are harmless, but should they be received and blocked by my router? It seems to swamp the CPU; it's usually at 100%, and I suspect this is why. The firewall log lists something like this:

Blocked - Default policy | PT 112 10.240.143.252->224.0.0.18 on stb_wan
Blocked - Default policy | PT 112 10.93.255.252->224.0.0.18 on voice_wan

Usually the firewall log is full after 1 minute, and next entries are discarded.

I believe the high CPU load is due to the constant firewall blocking. Broadcasts repeat every second; there are 2 routers on different VLANs broadcasting, so 2 blocks per second all the time. Thinking like this, it doesn't seem like a lot, it's only 2 connections.

I would like to know more about VRRP. Are VRRP broadcasts supposed to make it to my home router (CPE)? Is this normal to be seen in GPON? Shouldn't these packets be blocked by an upstream switch? Is something possibly misconfigured at my ISP? Is VRRP how the router gets its IP address for the VoIP calls? I could be wrong, but I think these packets are harmless, and nonsense that adds to the CPU load.

1
  • These routers might be executing VRRP Attack. Better inform the ISP IT people.
    – harrymc
    Commented May 29, 2023 at 17:31

1 Answer

0

I'd guess that's normal for VRRP in general, but not normal for an ISP. The ISP should have either manually blocked the packets on their site, or configured VRRP in "unicast" mode. (The latter is unfortunately not always supported.)

VRRP is a redundancy (hot standby) protocol – it relies on the currently active system periodically sending out an "I'm alive" announcement; if that system (e.g. the router) suddenly goes down, it takes ~twice the "announcement interval" seconds for the backup system to claim the IP address. So the quicker you want the failover to happen, the more frequently VRRP announcements must be sent.

(Although the announcements are, in theory, multicast so that they'd be only received by devices that have "joined" the 224.0.0.18 group, this doesn't quite work as intended because the specific 224.0.0.x range is special in the wrong way and its packets often just get forwarded to all ports.)

However, the announcements only need to be seen by the participating systems themselves, and I'm pretty sure (though not 100% sure) an ISP would normally have their switches configured to block the VRRP packets from reaching their hundreds of customers – or the other way around. (What would happen if a customer deliberately set up VRRP on their own router, claiming the ISP gateway's IP address with the highest priority? Especially considering that your ISP does not use any form of authentication, according to the screenshot...)

I believe the high CPU load is due to the constant firewall blocking. Broadcasts repeat every second; there are 2 routers on different VLANs broadcasting, so 2 blocks per second all the time. Thinking like this, it doesn't seem like a lot, it's only 2 connections.

Blocking a packet requires no additional work beyond receiving it (though receiving the packet is certainly not "free" for the router's CPU, but at two-per-second it's not much); I suspect it's mostly the logging that consumes additional CPU. The router's firewall should just quietly discard unwanted broadcasts or multicasts without logging them, and the firewall should rate-limit its logging to avoid accidental DoS.
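To make the answer concrete, here is an added example (my own code, not from the question, the answer, or any vendor) that decodes the VRRPv2 advertisement both ISP routers send once a second, checks its checksum, reports whether the "Auth Type" field is zero (the "no authentication" the answer points at), derives the RFC 3768 failover timer from the priority and advertisement interval, and tags firewall log lines of the form shown in the question so that protocol 112 to 224.0.0.18 can be dropped without logging. The VRID, priority and virtual IP used to build the sample packet are invented for the demonstration; the two log lines are the ones from the question.

```python
import re
import struct
import ipaddress
from typing import Optional

# From RFC 3768 (VRRPv2): IP protocol number and the all-VRRP-routers multicast group.
VRRP_IP_PROTO = 112
VRRP_MCAST_GROUP = "224.0.0.18"
VRRP_ADVERTISEMENT = 1          # the only message type defined for VRRPv2

AUTH_TYPES = {0: "no authentication",
              1: "simple text password (deprecated)",
              2: "IP Authentication Header (deprecated)"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; VRRPv2 uses it over the VRRP message only."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vrrpv2_advert(vrid: int, priority: int, advert_int: int, vips,
                        auth_type: int = 0, auth_data: bytes = b"\x00" * 8) -> bytes:
    """Build a VRRPv2 ADVERTISEMENT (version 2, type 1) with a correct checksum."""
    if len(auth_data) != 8:
        raise ValueError("VRRPv2 authentication data is always 8 bytes")
    head = struct.pack("!BBBBBB", (2 << 4) | VRRP_ADVERTISEMENT, vrid, priority,
                       len(vips), auth_type, advert_int)
    tail = b"".join(ipaddress.IPv4Address(v).packed for v in vips) + auth_data
    csum = internet_checksum(head + b"\x00\x00" + tail)
    return head + struct.pack("!H", csum) + tail


def parse_vrrpv2_advert(pkt: bytes) -> dict:
    """Decode a VRRPv2 ADVERTISEMENT and derive the backup's takeover timer (RFC 3768 s6.1)."""
    if len(pkt) < 16:
        raise ValueError("too short for a VRRPv2 message")
    vt, vrid, priority, count, auth_type, advert_int, _csum = struct.unpack("!BBBBBBH", pkt[:8])
    version, msg_type = vt >> 4, vt & 0x0F
    if version != 2 or msg_type != VRRP_ADVERTISEMENT:
        raise ValueError(f"not a VRRPv2 advertisement (version={version}, type={msg_type})")
    if len(pkt) != 16 + 4 * count:
        raise ValueError("length does not match the Count IP Addrs field")
    # Summing the whole message, checksum field included, gives 0 when the packet is intact.
    if internet_checksum(pkt) != 0:
        raise ValueError("bad checksum")
    vips = [str(ipaddress.IPv4Address(pkt[8 + 4 * i: 12 + 4 * i])) for i in range(count)]
    skew_time = (256 - priority) / 256          # Skew_Time as defined in RFC 3768
    return {
        "vrid": vrid,
        "priority": priority,
        "advert_interval_s": advert_int,
        "auth": AUTH_TYPES.get(auth_type, f"unknown ({auth_type})"),
        "authenticated": auth_type != 0,
        "virtual_ips": vips,
        # Master_Down_Interval: how long a backup waits without adverts before claiming the VIP.
        "master_down_interval_s": 3 * advert_int + skew_time,
    }


# Matches the "PT <proto> <src>-><dst> on <iface>" part of the CPE's firewall log lines.
LOG_RE = re.compile(r"PT (?P<proto>\d+) (?P<src>[\d.]+)->(?P<dst>[\d.]+) on (?P<iface>\S+)")


def classify_firewall_line(line: str) -> Optional[dict]:
    """Tag one firewall log entry; VRRP adverts are flagged so they can be dropped unlogged."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto, dst = int(m["proto"]), m["dst"]
    is_vrrp = proto == VRRP_IP_PROTO and dst == VRRP_MCAST_GROUP
    return {"src": m["src"], "dst": dst, "iface": m["iface"], "proto": proto,
            "is_vrrp_advert": is_vrrp,
            "verdict": "drop silently, do not log" if is_vrrp else "log as usual"}


if __name__ == "__main__":
    # Constructed sample: VRID 1, priority 100, 1-second adverts, invented virtual IP.
    sample = build_vrrpv2_advert(vrid=1, priority=100, advert_int=1, vips=["10.240.143.254"])
    print(parse_vrrpv2_advert(sample))
    for line in ("Blocked - Default policy | PT 112 10.240.143.252->224.0.0.18 on stb_wan",
                 "Blocked - Default policy | PT 112 10.93.255.252->224.0.0.18 on voice_wan"):
        print(classify_firewall_line(line))
```

With priority 100 and a 1-second interval the decoded Master_Down_Interval is 3.609 s, which is the window an attacker on the same segment would need to outlast (or simply out-prioritise, since Auth Type 0 means nothing stops a higher-priority advert from being accepted). The classifier is the piece a CPE firewall is missing here: match protocol 112 to 224.0.0.18 first, drop, and never write a log line for it.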

