IGMP IPV4 endless log-messages / rules not working :(

louis2 · May 8, 2024, 11:38 AM

I have a media server and as a consequence there are multicast packages.

The Media server is running in one of the vlans.
a PIMD package takes care that the media server is accessible from some other vlan's

That used to work without firewall log-messages, up to the moment
I did install the actual 24.03-RELEASE !!

However at this moment I have an endless stream of blocking messages in the log
Good and strange thing is that despite that, the media streaming is still working!

Situation is like this:

Devices are sending IGMP packages with destinations like:
224.0.0.1 to all nodes on the subnet
224.0.0.2 to all routers on the subnet
224.0.0.22 IGMP version 3

Despite that those messages are local to the (v)lan's, I defined pass rules for those packages.
I tried:

pass IPV4 IGMP to those addresses
pass IPV4 IGMP to those addresses with advanced option set
pass IPV4 any type to those address
defined a floating rule for one of the vlan's at the top of the float rule list passing those addresses (both directions)

Nothing worked!

the pass rule did not pass but block!
or there was an internal / not user defined rule blocking!

Also very strange ..... the floating pass rule .....
is blocking all messages ... it seems ... (the rules stops messages related to other interfaces/vlan's disappear)

As mentioned, the audio streaming functionality works, despite the blocked packages !!
All very weird!

bmeeks · May 8, 2024, 3:24 PM

New behavior in pfSense Plus 24.03. Check the docs here: https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#ip-options.

And go read through this recent post: https://forum.netgate.com/topic/187958/igmp-strangeness?_=1715171098186.

louis2 · May 8, 2024, 3:24 PM

@bmeeks

I did read the pages the links refer to and made some comments.

The bottom line. I am still totally confused, and my impression is that it does not work correct

dennypage · May 8, 2024, 3:58 PM

Multicast will continue to work without IGMP, it will just be a little less efficient.

If you want IGMP, you need a rule that passes IGMP with IP options set. If you are want a rule per interface, it would look like this:

login-to-view
login-to-view

Alternatively, if you have multiple LAN segments, you could also use a floating rule which would look like this:

login-to-view

The important part is to check the box for Allow IP options.

Edit: Be sure the IGMP pass rules come before any other pass rules that might match the IGMP packets. I.E. if you have a "pass all" kind of rule, the IGMP rule needs to come before that.

Gertjan · May 8, 2024, 4:04 PM

@louis2

To add what @dennypage showed : the (a possible) final result:

login-to-view

Don't mind the first rule, it's their for a NUT reason.

Rule 2 and 3 are the only ones you'll ever need. They are pass all rules. I use two rules so I can see how much IPv4 and IPv6.

Note the presence of the black gear wheel on both rules : the "Allow IP options" is now checked.

dennypage · May 8, 2024, 4:12 PM

@Gertjan FWIW, I would not recommend adding Allow IP options to a pass all rule. I would restrict this to IGMP.

There are good reasons that firewalls drop packets with IP options by default.

louis2 · May 8, 2024, 4:33 PM

@dennypage @Gertjan @stephenw10

It does not work here also with IP-options set! Let me start with that.
However:

That a pass rule can behaves like a block rule, "more more than bizar" !!

IP-options is necessary for a match, than the rule without IP-options, should simply not match should not do any thing !!
Letting the rule change in a block rule is simply bizar !!!!!

But even it I put the IGMP pass rule with options set, put as very first rule in floating table, it does not work!

Gertjan · May 8, 2024, 4:35 PM

@louis2 said in IGMP IPV4 endless log-messages / rules not working :(:

"more more than bizar" !!

I know, I know.
I'm like you : wanted to stop my logs being filled up with 'useless' info.
This trick did it.

louis2 · May 8, 2024, 4:40 PM

@Gertjan

Gertjan, in my personal vision, I am just as concerned about threats from inside my network as for threats coming from the internet.

So my rule sets are very strict also for traffic leaving the network!

for security reasons first
blocking the option that things are collected from the internet for bad, commercial or good reasons ....
for privacy reasons

So I would never ever define a rule like "every thing outgoing allowed.
Next to that the rules allow all subsets to freely communicate with each other. No way !! Never !!

My opinion of course!

dennypage · May 8, 2024, 4:44 PM

@louis2 said in IGMP IPV4 endless log-messages / rules not working :(:

It does not work here also with IP-options set! Let me start with that.

Please post screen shots of your rules.

dennypage · May 8, 2024, 4:47 PM

@louis2 said in IGMP IPV4 endless log-messages / rules not working :(:

IP-options is necessary for a match, than the rule without IP-options, should simply not match should not do any thing !!

To be clear, IP options are not matchable like protocols, addresses, ports, etc.

louis2 · May 8, 2024, 6:01 PM

@dennypage

I think I fixed it. The following way:

I did add as first rule for the vlan:
login-to-view
I did reset the states via Diagnostics / States / Rest States

Just defining the rule, was not enough !!!

dennypage · May 8, 2024, 6:05 PM

@louis2 Glad you got it working. Thank you for letting me know that you had to perform Reset States. That may help others.

Gertjan · May 9, 2024, 7:08 AM

@louis2 said in IGMP IPV4 endless log-messages / rules not working :(:

So I would never ever define a rule like "every thing outgoing allowed.
Next to that the rules allow all subsets to freely communicate with each other. No way !! Never !!

I fully agree with that.
I've kept the default Netgate LAN firewall rules because I have the luxury of totally trusting all my LAN devices, I don't need to block something from going outside.
Beyond the devices, I can also trust the users that uses these devices. I'm lucky, probably.

Closing all destination ports, leaving open only port 53,80,443,110,143,995,992, 993, 143 doesn't give me more security, as 99% of all threads are downloaded by users over 443 (a web browser using https) or by mail, for example IMAP SSL, port 993, a mail client.

My LAN is my trusted network, and they could access to my other, less trusted networks, like a captive portal, or my server network. These networks can not access my trusted LAN.
My non trusted networks have devices I need to admin, like access points etc. I can access these from my LAN.

dennypage · May 9, 2024, 2:48 PM

@Gertjan In this case, it's a bit more than just passing ports. Allowing IP Options on a pass all rule opens your firewall to these options as well. IMO, you want to be very specific in the circumstance that you allow IP options.

I would have a preference to silently dropping all packets with IP options, including IGMP, rather than allowing all IP packets with options.

Gertjan · May 9, 2024, 3:31 PM

@dennypage said in IGMP IPV4 endless log-messages / rules not working :(:

you want to be very specific in the circumstance that you allow IP options.

I wanted to clean my logs. I've chosen the fast way out - not necessarily the best one.