24.03.r.20240416.0005 : all ok.

In the beginning, I had only 3 LAN firewall rules.
The latter two are the obvious pass all rules. No thrills, bells and whistles.
I had to create the first "IGMP" rule : a simple pass rule with this option set :

🔒 Log in to view

so now I have :

🔒 Log in to view
and no more IGMP log activity.

Take note : my non logging main pass rule 1712736749 rules had not the log option checked, it was still logging ...

See also : [Multiple users] 24.03.r.20240410.1729 IGMP block gets logged

stephenw10 · Apr 17, 2024, 12:19 PM

Ah, interesting. I would expect to need IP Options set there to pass IGMP traffic. But it shouldn't be blocked by an pass rule, it should hit the default block rule. Hmm

stephenw10 · Apr 17, 2024, 12:25 PM

Oh OK I see this has been discussed in a ticket already: https://redmine.pfsense.org/issues/15400

Gertjan · Apr 17, 2024, 12:38 PM

@stephenw10 said in 24.03.r.20240416.0005 : all ok.:

ticket already: https://redmine.pfsense.org/issues/15400

Yeah, just found it : Had to look in the regression list.
And the issue is already solved, as this should be seen as a feature.

A potential issue still stands : a non logging pass rules starts to log firewall 'drop' lines : that one will get questions ...
Also : filling up a log with potential "no so easy to explain" drop log lines can hide quickly other, more useful info.

stephenw10 · Apr 17, 2024, 12:40 PM

Yup I agree. It confuses me!

marcosm · Apr 17, 2024, 3:46 PM

I think that ultimately it's a non-issue. ~~The logging "quirk", from what I've seen, only applies when the rule specifies IGMP~~. It's safe to assume that a user seeing the logs must have been trying to do something with IGMP, and this new behavior makes it obvious they did something wrong (allow-opts). It's been suggested that something could be added to the GUI when IGMP is selected, but I'm not convinced we should be adding protocol-specific info. Maybe a good middle ground is to automatically expand advanced options and check the IP options checkbox.

Bob.Dig · Apr 17, 2024, 3:26 PM

@marcosm said in 24.03.r.20240416.0005 : all ok.:

The logging "quirk", from what I've seen, only applies when the rule specifies IGMP.

No.

Uglybrian · Apr 17, 2024, 3:24 PM

🔒 Log in to view

Where is this setting found?

marcosm · Apr 17, 2024, 3:45 PM

@Bob-Dig Hah yeah I proved myself wrong right after posting.

Gertjan · Apr 17, 2024, 4:04 PM

@Uglybrian said in 24.03.r.20240416.0005 : all ok.:

Where is this setting found?

🔒 Log in to view

and see the pure pf power being unfolded for you

mikey_s · Apr 18, 2024, 10:26 AM

It prob took 30 minutes + for the update to 24.03.r.20240416.0005 yesteday and after that it wouldn't pass traffic or allocate DHCP addresses etc.

I had to console onto the unit originally to see what the console was saying.

Rebooted and then the system started working again. This is on "white box" hardware.

stephenw10 · Apr 18, 2024, 1:04 PM

Hmm, what did you update from?

Then after the reboot it was running the new RC OK? Anything logged when it wasn't responding?

mikey_s · Apr 18, 2024, 1:10 PM

@stephenw10

Previous 24.03 RC release

When I connected via a console cable it looked like DNS failures.

All appears to be working post 2nd reboot.

Is there a log file you wish me to attach?

stephenw10 · Apr 18, 2024, 1:12 PM

The latest upgrade log in /conf might show something. But only if it has errors. Otherwise the system log should have recorded any failures at the first boot.

pfsjap · Apr 18, 2024, 3:10 PM

@mikey_s Check if you have the same error msg (unbound) in the system log as in the first post of this thread 24.03-BETA to 24.03-RC update hiccup. Unbound did not start => DNS not working.

I too had to reboot once more after the update reboot.