6100 with 22.05 blocking IGMP
-
After upgrading to a Netgate 6100 MAX I get block log entries on my VLAN interfaces from one of my Ubiquiti switches. It's getting strange because the DMZ interface isn't enabled at the moment. Also, if you check the rule for why it's blocked, I only see an IPv6 fe80 address of my LAN interface that the VLAN is on. Because this VLAN is disabled I can't block the logging of this rule.
Maybe I'm missing something, but this looks strange to me. This also happens on the other VLAN interfaces that are enabled but are not the native LAN or management interfaces.
-
It's possible the rule description is using a rule number that changed since that was logged.
What is that 192.168.X.X IP in the log?
It's blocking multicast traffic. Multicast requires advanced options to pass, so it would be expected to see that blocked unless you've specifically added rule(s) to pass it on DMZ.
Steve
-
@stephenw10 The 192.168. is the source address of the switch it's coming from and doesn't match the IPv6 source in the rule action description. And yes, I'm confused why a) the UniFi switch is doing this and b) why only one of them and not the second.
I don't have a rule on those VLANs to pass multicast from outside their networks.
As I'm writing this I see these logs showing up:
Of course 0.0.0.0 is getting blocked because of the block bogons rule I enabled on all of these VLAN interfaces. I'm confused why this is happening with the 6100 now and not with the old hardware.
After deleting the whole DMZ interface I still get the logs with its old interface address:
-
Have a look:
Multicast Explained
If you want to use multicast, you have to set up your network right; use a querier.
-
@nocling I don't want to use multicast over different interfaces. That's not my point. I'm confused about the logging of that.
-
Default rule and default logging, that's all.
You can use a rule to block this and disable logging.
-
Except that isn't the default IPv4 block rule. And what is shown would not be blocked by the referenced IPv6 rule.
Check the current ruleset in /tmp/rules.debug. Make sure it shows that rule identifier against that rule. As I said, the most likely thing is that the ruleset was updated since the log was made.
Is it still showing that rule against current multicast blocks?
Steve
-
@stephenw10 Did a workaround by deleting the DMZ interface and added a block rule (not logging) on all the other interfaces.
rules.debug is showing this for that action:
antispoof log for $4_LAN ridentifier 1000002520
4_LAN is the parent interface for the VLANs.
-
Ah, the anti-spoof rule makes more sense there. It's blocking traffic from 4_LAN subnet coming in on a different interface. It looks like the switch is doing something with the multicast traffic it probably shouldn't be doing.
-
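Steve's advice above (check /tmp/rules.debug and confirm the identifier from the log still maps to the rule you think it does) is easy to script. The snippet below is an added example, not code from the thread or from pfSense; it takes the tracker id out of a filterlog CSV line (pfSense 2.2+ layout, 4th field) and greps the matching `ridentifier` in a rules.debug text. Both the log line and the rules.debug excerpt are constructed samples for the demo; only the `antispoof` line is the one quoted in the thread, the other two rules are made up.

```shell
#!/bin/sh
# Added example: map a pfSense filterlog tracker id back to the rule text in
# /tmp/rules.debug. CONSTRUCTED sample data follows; it is not a real capture.

# Constructed excerpt of /tmp/rules.debug. Only the antispoof line comes from
# the thread; the bogons and DMZ rules are invented for this demo.
RULES_DEBUG_SAMPLE='block in log quick from <bogons> to any ridentifier 11001
antispoof log for $4_LAN ridentifier 1000002520
pass in quick on $DMZ inet from 192.168.50.0/24 to any ridentifier 1000003011'

# Constructed filterlog line. Field 4 of the CSV is the tracker/ridentifier;
# field 5 is the real interface the packet arrived on.
LOG_SAMPLE='12,,,1000002520,igb1,match,block,in,4,0x0,,1,0,0,DF,2,igmp,32,192.168.10.2,224.0.0.1,datalength=8'

# Print the tracker id (4th comma-separated field) of one filterlog line.
tracker_of() {
    printf '%s\n' "$1" | cut -d, -f4
}

# Print the interface (5th field) the blocked packet came in on.
iface_of() {
    printf '%s\n' "$1" | cut -d, -f5
}

# Print the rule line(s) in rules.debug text ($1) that carry tracker id $2.
# Exit status 1 (no match) means the ruleset was regenerated since the log
# entry was written and the id no longer exists, exactly the mismatch
# suspected in the thread.
rule_for_tracker() {
    printf '%s\n' "$1" | grep -E "ridentifier ${2}([^0-9]|\$)"
}

# Stand-alone run: resolve the sample log line against the sample ruleset.
tid=$(tracker_of "$LOG_SAMPLE")
printf 'tracker %s arrived on %s, matched rule:\n' "$tid" "$(iface_of "$LOG_SAMPLE")"
rule_for_tracker "$RULES_DEBUG_SAMPLE" "$tid" || echo "no rule with that id in the current ruleset"
```

On a live box you would feed it real lines, e.g. `rule_for_tracker "$(cat /tmp/rules.debug)" "$(tracker_of "$line")"` for each `$line` taken from /var/log/filter.log. An `antispoof` hit whose interface field is not the interface of the subnet named in the rule is the signature of what Steve describes: a packet sourced from the 4_LAN subnet arriving on a different interface.
-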
@stephenw10 But that must be new. Well, I think I have to check the Ubiquiti forums. Thanks!
-
Might IGMP spoofing be the cause of this? I disabled it and the logs are gone.
-
Quite possibly, yes.
-
@stephenw10 I was wondering whether reassigning the interfaces by editing the config file was a problem. Is there a possibility that the firewall rules don't match the interface names? (igb0 / ix1)
-
No. The rules reference the internal names in the config (wan, lan, opt1, opt2, etc.), so if you reassign opt2 from igb0 to ix1 the rules will follow it.
Steve