Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Help please: Why are these rules isolating IoT not working?

    Firewalling
    routing firewall rules iot guest
    2
    34
    4.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      rennit
      last edited by

      @johnpoz Just saw your last statement. I do not. Not running avahi either. Read a prior post of yours regarding that too.
      I want to keep blocking out the noise, but just not completly fill the logs with the memory of it. :)

      I have also seen floating rules suggested as well as non. I know all that is needed a rule and not have logging enabled. I do not want to disable the default rule without knowing the new rule for certain does the job, that is why need the expert advice. Do you have a pic of how to do it correctly?

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @rennit
        last edited by johnpoz

        @rennit I am not really a fan of floating rules.. Because first thing you go to when trying to troubleshoot something is the interface - and sometimes forget about rules that might be in floating. So unless you have like 100s of interfaces that you want a rule on and don't want to create them specific I would always put rules (other than outbound rules - which are rare) on the interface.

        If your not using ipv6.. Just create a IPv6 any rule to block or even allow - and just not allow it.

        Then doesn't matter what it is, link-local, multicast, whatever it just won't be logged.

        edit: Ah you have ipv6 set to blocked - that is the rule that is logging that, not the default rule.. I believe you might be able to do that without logging.. Let me look - I do not log default unless troubleshooting/testing something. I have my own rules that I want to log, and only log those.. Keeps my logs clean of noise. I only log syn tcp, and only common udp ports.

        edit2: You have this unchecked I take it

        ipv6.jpg

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        1 Reply Last reply Reply Quote 0
        • R
          rennit
          last edited by rennit

          Very good point. Good to know, I really do not know anything about floating rules and therefore did not want to try and use one when there are alternatives. Now I know I can focus learning time elsewhere.

          Okay, that I can do. What interface(s): LAN, WAN, VPN, OPVN?

          Yes exactly, I have it blocked and that is causing the default logging. I did not see anything about how to turn logging off with it. People have been posting about this nuisance since at least 2014, I am surprised if not an option not to log by now.

          edit: Correct mine is unchecked and I used default incorrectly. Meant default logging with box unchecked.

          johnpozJ 1 Reply Last reply Reply Quote 0
          • R
            rennit
            last edited by rennit

            This post is deleted!
            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator @rennit
              last edited by johnpoz

              @rennit I would have to do some testing. As I mentioned I do not log default, and I don't have that unchecked because I do use some IPv6.

              Not sure where the rule for blocking ipv6 goes in the stack - might before interface rules. If that is the case you might have to use floating rules to not log it.. When get a chance will do some testing and let you know.

              Keep in mind - that unless you have rules to allow IPv6 - that being checked ipv6 still wouldn't work since default is deny.. So ipv6 could never work unless you actually have rules that allow it.. So if that block rule is causing log spam - you could check it and then just don't allow IPv6, this way for sure any rules you put in interface to not log IPv6 would work.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              1 Reply Last reply Reply Quote 0
              • R
                rennit
                last edited by rennit

                Appreciate that, but do not want you to go out of your way more than you already do. Is there a way to not log with that box unchecked?

                @johnpoz From note below regarding edit: Okay, when you say do not allow, do you mean not have any explicit Pass rules or create active block rules? Or how does one actively make sure that IPv6 is not allowed universally? Just not clear on where or what to do for that last suggestion, but it sounds like what I want to do.

                johnpozJ 2 Replies Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @rennit
                  last edited by

                  @rennit see my edit to post above..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @rennit
                    last edited by johnpoz

                    @rennit said in Help please: Why are these rules isolating IoT not working?:

                    Okay, when you say do not allow

                    The default rule is always deny.. They are just not shown in the gui list of rules. If you do not have a rule on an interface or floating tab that "allows" something - then it will be denied. No need for a specific deny rule - unless you want to log it, or not log it or reject vs just drop.. Or depending on what your wanting to allow calls for specific block in the rule order. Say for example you want to only allow icmp to some specific vlan or dest, or only from specific host to internet.. You would need a specific deny between that rule and the default any any rule at the bottom of the rule list.

                    If you do not have an allow rule on lan for example that allows for IPv6 - then even if client has IPv6 address.. He isn't getting off his own network through pfsense using it.. So its really not a requirement to uncheck that box to specifically create block rules for ipv6.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    1 Reply Last reply Reply Quote 0
                    • R
                      rennit
                      last edited by rennit

                      Got it. Perfect sense. I am going to check that box then verify I have nothing that allows IPv6 on any interface.

                      Once that is complete, is there any place I could look or diagnostic to run to both learn, and verify that IPv6 traffic is being ignored or is it more of a 'trust the software'? There is a ton of that IPv6 noise...

                      Does this also work for WAN, should I place that rule? Then when needed make it just IPv6...

                      WAN Interface
                      Screen Shot 2021-09-28 at 07.48.52.png

                      johnpozJ 1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @rennit
                        last edited by johnpoz

                        @rennit the default deny is EVERY interface on pfsense - so yeah even wan..

                        Those rules are defaulted there, in case you create allow rules or port forward that create wan rules.. Because you would want to block them from your allow rules.

                        There is no point to that rule you added - unless you don't want to log stuff hitting your wan.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        1 Reply Last reply Reply Quote 0
                        • R
                          rennit
                          last edited by

                          Okay. Thank you! So I am back to check the box and verify nothing set to pass/allow.

                          Appreciate you taking the time on the explanations.

                          johnpozJ 1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator @rennit
                            last edited by

                            @rennit said in Help please: Why are these rules isolating IoT not working?:

                            Appreciate you taking the time on the explanations.

                            NP - I like to help people, and nothing better than when the light bulb clicks.. And such discussions are normally helpful for others as well.

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                            1 Reply Last reply Reply Quote 0
                            • R
                              rennit
                              last edited by rennit

                              Absolutely. I am really getting all you are teaching me and extrapolating to figure other things out as well.

                              Agreed. I'm trying to take the approach of doing this to help future readers as well. I especially relate after searching a lot of forum posts and other research sources. Seems the thread is being viewed a bit for being so new, that's also why kept some of this discussion here. An issue in some of my research has been lack of continuity with bits and fragments of solutions scattered in may posts and blogs etc.

                              @johnpoz edit: On that note... With this being the box we are referring to:

                              Screen Shot 2021-09-28 at 08.01.27.png

                              Saying all blocked unless checked, meaning when checked traffic not blocked, BUT the traffic will not actually egress or ingress without a specific pass rule allowing it. Is that correct?

                              1 Reply Last reply Reply Quote 0
                              • R
                                rennit
                                last edited by

                                Very thankful for this discussion. Provided a much greater understanding of many things and overall.

                                For those reading: As to this specific issue, one that I saw many posts about, but this solution I have not seen:

                                Just found this under logs-->firewall-->settings. I tested it and worked for the noise. Just don't know if will be losing any other and important logging with it. Looking at default block rules I do not think so, but not sure.

                                Screen Shot 2021-09-28 at 08.20.10.png

                                1 Reply Last reply Reply Quote 0
                                • First post
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.