Netgate Discussion Forum

IGMP IPV4 endless log-messages / rules not working :(

Firewalling
louis2 (last edited by May 8, 2024, 11:38 AM)

I have a media server and as a consequence there are multicast packets.

• The media server is running in one of the VLANs.
• A PIMD package takes care that the media server is accessible from some other VLANs.

That used to work without firewall log messages, up to the moment
I installed the current 24.03-RELEASE!!

However, at this moment I have an endless stream of blocking messages in the log 😧 😧
The good and strange thing is that despite that, the media streaming is still working!

The situation is like this:

Devices are sending IGMP packets with destinations like:
224.0.0.1 to all nodes on the subnet
224.0.0.2 to all routers on the subnet
224.0.0.22 IGMP version 3

Even though those messages are local to the (V)LANs, I defined pass rules for those packets.
I tried:

• pass IPv4 IGMP to those addresses
• pass IPv4 IGMP to those addresses with the advanced option set
• pass IPv4 any type to those addresses
• defined a floating rule for one of the VLANs at the top of the floating rule list passing those addresses (both directions)

Nothing worked!

• the pass rule did not pass but block!
• or there was an internal / not user-defined rule blocking!

Also very strange ..... the floating pass rule .....
is blocking all messages ... it seems ... (when the rule is in place, messages related to other interfaces/VLANs disappear)

As mentioned, the audio streaming functionality works, despite the blocked packets!!
All very weird!
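As an added example for triaging a flood of block entries like the one described above (this script is not from the original post or from pfSense), the code below parses lines in the CSV layout that pfSense's filterlog writes and separates IGMP blocks that come from a block rule (reason `match`) from those that pf records against a pass rule lacking "Allow IP options" (reason `ip-option`, logged with the pass rule's own tracker id). The log lines, hostname, tracker ids and addresses are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the CSV layout pfSense's filterlog writes
# (field order follows the documented "Filter Log Format"). The hostname,
# tracker ids, addresses and the trailing TCP fields are made up.
SAMPLE_LOG = """\
May  8 11:30:01 fw filterlog[55512]: 2000000001,,,1715166001,vlan10,ip-option,block,in,4,0xc0,,1,0,0,none,2,igmp,36,192.168.10.25,224.0.0.22,datalength=16
May  8 11:30:02 fw filterlog[55512]: 5,,,1000000103,vlan20,match,block,in,4,0xc0,,1,0,0,none,2,igmp,32,192.168.20.7,224.0.0.1,datalength=8
May  8 11:30:03 fw filterlog[55512]: 17,,,1715166003,vlan10,match,pass,in,4,0x0,,64,4242,0,DF,6,tcp,60,192.168.10.25,192.168.10.1,52344,443,0,S,1234567,,65535,,mss
May  8 11:30:04 fw filterlog[55512]: 2000000001,,,1715166001,vlan10,ip-option,block,in,4,0xc0,,1,0,0,none,2,igmp,36,192.168.10.31,224.0.0.22,datalength=16
"""

LINE_RE = re.compile(r"filterlog\[\d+\]: (?P<csv>.*)$")

# Fields common to every filterlog entry, followed by the IPv4-specific ones.
COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "iface",
          "reason", "action", "dir", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags",
        "protoid", "proto", "length", "src", "dst"]


def parse_entry(line):
    """Return a dict for one IPv4 filterlog line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = m.group("csv").split(",")
    entry = dict(zip(COMMON, fields[:len(COMMON)]))
    if entry.get("ipver") != "4":
        return None  # IPv6 entries use a different field layout; skipped here
    entry.update(zip(IPV4, fields[len(COMMON):len(COMMON) + len(IPV4)]))
    return entry


def classify(entry):
    """Explain a blocked IGMP entry; None for anything that is not one."""
    if entry["action"] != "block" or entry["proto"] != "igmp":
        return None
    if entry["reason"] == "ip-option":
        # pf matched a pass rule, but that rule lacks allow-opts ("Allow IP
        # options"), so the packet, which carries the IGMP Router Alert
        # option, was dropped and logged against the pass rule.
        return "pass-rule-missing-allow-opts"
    if entry["reason"] == "match":
        # An ordinary block rule (for example the default deny) matched.
        return "blocked-by-block-rule"
    return "other:" + entry["reason"]


def summarize(log_text):
    """Count blocked IGMP entries by interface, rule tracker, group and cause."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind is None:
            continue
        dst = ipaddress.ip_address(entry["dst"])
        group = entry["dst"] if dst.is_multicast else "unicast"
        counts[(entry["iface"], entry["tracker"], group, kind)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        iface, tracker, group, kind = key
        print(f"{iface:8} tracker={tracker:12} group={group:12} {kind}: {n}")
```

The tracker id in each entry is the rule that pf charged the drop to; for the `ip-option` rows it identifies the pass rule that needs the "Allow IP options" flag, which is what the rest of this thread is about.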
bmeeks (last edited by May 8, 2024, 12:26 PM)

New behavior in pfSense Plus 24.03. Check the docs here: https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#ip-options.

And go read through this recent post: https://forum.netgate.com/topic/187958/igmp-strangeness?_=1715171098186.
louis2 @bmeeks (last edited by May 8, 2024, 3:24 PM)

@bmeeks

I did read the pages the links refer to and made some comments.

The bottom line: I am still totally confused, and my impression is that it does not work correctly.
dennypage (posted May 8, 2024, 3:47 PM, last edited May 8, 2024, 3:58 PM)

Multicast will continue to work without IGMP, it will just be a little less efficient.

If you want IGMP, you need a rule that passes IGMP with IP options set. If you want a rule per interface, it would look like this:

[screenshot: login to view]
[screenshot: login to view]

Alternatively, if you have multiple LAN segments, you could also use a floating rule which would look like this:

[screenshot: login to view]

[screenshot: login to view]

The important part is to check the box for Allow IP options.

Edit: Be sure the IGMP pass rules come before any other pass rules that might match the IGMP packets. I.e., if you have a "pass all" kind of rule, the IGMP rule needs to come before that.
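To make the two behaviours dennypage describes concrete (the pass rule that still drops, and the ordering against a "pass all" rule), here is an added Python model of how pf decides on a packet. It is example code written for this thread, not pfSense's or pf's own code, and it simplifies: rules match only on interface, protocol and destination network; interface-tab rules are first-match ("quick"); and, as pf does, a pass rule without the "Allow IP options" flag (`allow-opts` in pf.conf) drops a packet that carries IP options and records the drop with reason `ip-option` against that pass rule. IGMPv2/v3 messages carry the IP Router Alert option, which is why they hit this path. Rule labels, interface names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str             # "igmp", "tcp", ...
    src: str
    dst: str
    has_ip_options: bool   # IGMPv2/v3 messages carry the Router Alert option


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    label: str
    iface: str = "any"
    proto: str = "any"
    dst: str = "any"       # CIDR network, or "any"
    allow_opts: bool = False   # the "Allow IP options" checkbox
    quick: bool = True     # pfSense interface-tab rules are first-match


def matches(rule: Rule, pkt: Packet) -> bool:
    """Simplified matcher: interface, protocol and destination network only."""
    if rule.iface not in ("any", pkt.iface):
        return False
    if rule.proto not in ("any", pkt.proto):
        return False
    if rule.dst != "any" and \
            ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str, Optional[str]]:
    """Return (action, reason, label of the deciding rule).

    Two steps, as in pf: pick the deciding rule (first match wins for quick
    rules, last match otherwise; nothing matching falls to default deny),
    then apply the IP-options check: a pass rule without allow_opts still
    drops a packet carrying IP options, logged as reason "ip-option".
    """
    deciding = None
    for rule in rules:
        if matches(rule, pkt):
            deciding = rule
            if rule.quick:
                break
    if deciding is None:
        return ("block", "default-deny", None)
    if deciding.action == "pass" and pkt.has_ip_options and not deciding.allow_opts:
        return ("block", "ip-option", deciding.label)
    return (deciding.action, "match", deciding.label)


# Constructed example: an IGMPv3 membership report from a host on vlan10.
IGMP_REPORT = Packet("vlan10", "igmp", "192.168.10.25", "224.0.0.22",
                     has_ip_options=True)


def scenario(name: str) -> Tuple[str, str, Optional[str]]:
    """Evaluate the sample IGMP report against one of three constructed rulesets."""
    igmp_no_opts = Rule("pass", "pass IGMP", iface="vlan10", proto="igmp",
                        dst="224.0.0.0/4")
    igmp_opts = Rule("pass", "pass IGMP (allow opts)", iface="vlan10",
                     proto="igmp", dst="224.0.0.0/4", allow_opts=True)
    pass_all = Rule("pass", "pass all", iface="vlan10")
    rulesets = {
        "no-allow-opts": [igmp_no_opts],          # the "pass rule that blocks"
        "igmp-after-pass-all": [pass_all, igmp_opts],  # wrong order, pass all wins
        "igmp-first": [igmp_opts, pass_all],      # dennypage's recommended order
    }
    return evaluate(rulesets[name], IGMP_REPORT)


if __name__ == "__main__":
    for name in ("no-allow-opts", "igmp-after-pass-all", "igmp-first"):
        print(f"{name:22} -> {scenario(name)}")
```

State tracking is not modelled here; an existing state keeps its original decision, which is consistent with the later report in this thread that the new rule only took effect after a states reset.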
Gertjan @louis2 (posted May 8, 2024, 3:56 PM, last edited May 8, 2024, 4:04 PM)

@louis2

To add to what @dennypage showed: the (a possible) final result:

[screenshot: login to view]

Don't mind the first rule, it's there for a NUT reason.

Rules 2 and 3 are the only ones you'll ever need. They are pass all rules. I use two rules so I can see how much IPv4 and IPv6.

Note the presence of the black gear wheel on both rules: the "Allow IP options" is now checked.

No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs??
dennypage @Gertjan (last edited by May 8, 2024, 4:12 PM)

@Gertjan FWIW, I would not recommend adding Allow IP options to a pass all rule. I would restrict this to IGMP.

There are good reasons that firewalls drop packets with IP options by default.
louis2 @dennypage (last edited by May 8, 2024, 4:33 PM)

@dennypage @Gertjan @stephenw10

It does not work here even with IP options set! Let me start with that.
However:

That a pass rule can behave like a block rule is "more than bizarre"!!

If IP options are necessary for a match, then the rule without IP options should simply not match and should not do anything!!
Letting the rule change into a block rule is simply bizarre!!!!!

But even if I put the IGMP pass rule with options set as the very first rule in the floating table, it does not work!
Gertjan @louis2 (last edited by May 8, 2024, 4:35 PM)

@louis2 said in IGMP IPV4 endless log-messages / rules not working :(:

"more than bizarre"!!

I know, I know.
I'm like you: I wanted to stop my logs being filled up with 'useless' info.
This trick did it.
louis2 @Gertjan (last edited by May 8, 2024, 4:40 PM)

@Gertjan

Gertjan, in my personal vision, I am just as concerned about threats from inside my network as about threats coming from the internet.

So my rule sets are very strict also for traffic leaving the network!

• for security reasons first
• blocking the option that things are collected from the internet for bad, commercial or good reasons ....
• for privacy reasons

So I would never ever define a rule like "everything outgoing allowed".
Next to that, the rules allow all subsets to freely communicate with each other. No way!! Never!!

My opinion of course!
dennypage @louis2 (last edited by May 8, 2024, 4:44 PM)

@louis2 said in IGMP IPV4 endless log-messages / rules not working :(:

It does not work here even with IP options set! Let me start with that.

Please post screen shots of your rules.
dennypage @louis2 (last edited by May 8, 2024, 4:47 PM)

@louis2 said in IGMP IPV4 endless log-messages / rules not working :(:

If IP options are necessary for a match, then the rule without IP options should simply not match and should not do anything!!

To be clear, IP options are not matchable like protocols, addresses, ports, etc.
louis2 @dennypage (last edited by May 8, 2024, 6:01 PM)

@dennypage

I think I fixed it. The following way:

1. I added as first rule for the VLAN:
   [screenshot: login to view]

2. I reset the states via Diagnostics / States / Reset States

Just defining the rule was not enough!!!
dennypage @louis2 (last edited by May 8, 2024, 6:05 PM)

@louis2 Glad you got it working. Thank you for letting me know that you had to perform Reset States. That may help others.
Gertjan @louis2 (last edited by May 9, 2024, 7:08 AM)

@louis2 said in IGMP IPV4 endless log-messages / rules not working :(:

So I would never ever define a rule like "everything outgoing allowed".
Next to that, the rules allow all subsets to freely communicate with each other. No way!! Never!!

I fully agree with that.
I've kept the default Netgate LAN firewall rules because I have the luxury of totally trusting all my LAN devices; I don't need to block something from going outside.
Beyond the devices, I can also trust the users that use these devices. I'm lucky, probably.

Closing all destination ports, leaving open only ports 53, 80, 443, 110, 143, 995, 992, 993, 143 doesn't give me more security, as 99% of all threats are downloaded by users over 443 (a web browser using https) or by mail, for example IMAP SSL, port 993, a mail client.

My LAN is my trusted network, and it could access my other, less trusted networks, like a captive portal, or my server network. These networks can not access my trusted LAN.
My non-trusted networks have devices I need to admin, like access points etc. I can access these from my LAN.
dennypage @Gertjan (last edited by May 9, 2024, 2:48 PM)

@Gertjan In this case, it's a bit more than just passing ports. Allowing IP Options on a pass all rule opens your firewall to these options as well. IMO, you want to be very specific in the circumstance that you allow IP options.

I would prefer silently dropping all packets with IP options, including IGMP, rather than allowing all IP packets with options.
Gertjan @dennypage (last edited by May 9, 2024, 3:31 PM)

@dennypage said in IGMP IPV4 endless log-messages / rules not working :(:

you want to be very specific in the circumstance that you allow IP options.

I wanted to clean my logs. I've chosen the fast way out, not necessarily the best one.
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.