Mysterious traffic to 224.0.0.2 which is blocked, but it shouldn't be
-
Hi from a pfsense/firewalling newbie.
So I have been troubleshooting issues with Android apps not working. The only thing I see being blocked is this traffic
android device -> 224.0.0.2 IGMP
As soon as I create a rule to allow that, my apps work again. (interestingly it only works when explicitly setting the device IP as source - allow any LAN source does not work...)
My questions now are
- Google told me that this is a non-routable address reserved for router advertisements. Why is my Android phone looking for routers?
- According to the logs the rule that blocks it is my "allow LAN to everything" rule. This is a rule that allows all protocols from the LAN subnets to anywhere. Why is this blocking anything?
Any help is highly appreciated.
-
@Pizzamaka there has been many a thread about this already. Here is what is going on.
-
@Pizzamaka we make a rule to not-log IGMP, to avoid the log noise.
-
@johnpoz thank you. I did search, but could not find anything in that regard. I also read the document you posted but could not see that it refers to my issue. Can you explain how I could have seen that the packets are blocked due to IP options, or share a thread where it is explained?
-
@Pizzamaka if IP options are set, like with IGMP, then your rule that allows them, be it any/any or specific, needs to be set to allow IP options. Thought that was pretty clearly explained in the link I provided.
Here is one
https://forum.netgate.com/topic/187896/how-to-stop-logging-blocked-lan-igmp
Pretty sure it was always blocked, just not logged until they fixed a bug.
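As an added illustration of the mechanism johnpoz describes (this is example code, not part of this thread or of pfSense/pf itself): IGMPv2 messages, including the Leave Group message a phone sends to 224.0.0.2, must carry the IPv4 Router Alert option (RFC 2236, option type 148 from RFC 2113). pf's default is to drop any packet carrying IP options unless the matching pass rule has `allow-opts` (the "Allow IP options" checkbox in the pfSense GUI), and the drop is attributed to that pass rule. The script below builds a constructed IGMPv2 Leave packet with the Router Alert option, parses the IPv4 header, and evaluates a modelled LAN any/any rule with and without allow-opts. The phone address 192.168.1.50, the group 239.255.255.250 and the rule name `lan_any_any` are constructed values.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IGMP_PROTO = 2
UDP_PROTO = 17
ROUTER_ALERT = 0x94     # IPv4 option 148 (RFC 2113); IGMPv2/v3 messages must carry it
ALL_ROUTERS = "224.0.0.2"   # destination of IGMPv2 Leave Group messages
PHONE = "192.168.1.50"      # constructed LAN address of the Android device


def ip_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words, as used by IPv4 and IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Minimal IPv4 packet builder; options must already be padded to 32-bit words."""
    assert len(options) % 4 == 0, "options must be padded to 32-bit words"
    ihl = 5 + len(options) // 4             # header length in 32-bit words
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0xC0, ihl * 4 + len(payload),
                         0, 0x4000, 1, proto, 0,   # id, DF, TTL=1 (link-local multicast), checksum placeholder
                         socket.inet_aton(src), socket.inet_aton(dst)) + options
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def build_igmp_leave(group: str) -> bytes:
    """IGMPv2 Leave Group (type 0x17) for the given multicast group."""
    body = struct.pack("!BBH4s", 0x17, 0, 0, socket.inet_aton(group))
    return body[:2] + struct.pack("!H", ip_checksum(body)) + body[4:]


def parse_ip_options(pkt: bytes) -> List[int]:
    """Return the option type codes present in the IPv4 header (NOP and EOL skipped)."""
    ihl = (pkt[0] & 0x0F) * 4
    found = []
    i = 20
    while i < ihl:
        opt = pkt[i]
        if opt == 0:            # End of Option List
            break
        if opt == 1:            # No Operation: single byte, no length field
            i += 1
            continue
        found.append(opt)
        i += pkt[i + 1]         # every other option carries a length byte
    return found


@dataclass
class PassRule:
    """Model of a pf pass rule: protocol filter plus the allow-opts flag."""
    proto: Optional[int] = None     # None = any protocol (the "IPv4 any/any" case)
    allow_opts: bool = False
    name: str = "lan_any_any"       # constructed rule name


def evaluate(pkt: bytes, rule: PassRule) -> Tuple[str, str, str]:
    """Return (action, reason, rule name) the way pf would attribute the result.

    A matching pass rule without allow-opts still drops a packet that carries
    IP options, and the drop is logged against that pass rule, which is why an
    'allow LAN to everything' rule can show up as the blocker for IGMP.
    """
    if rule.proto is not None and rule.proto != pkt[9]:
        return ("no-match", "", rule.name)
    if parse_ip_options(pkt) and not rule.allow_opts:
        return ("block", "ip-option", rule.name)
    return ("pass", "match", rule.name)


# Constructed sample traffic: the phone leaving a multicast group, and a plain UDP packet.
LEAVE_PKT = build_ipv4(PHONE, ALL_ROUTERS, IGMP_PROTO, build_igmp_leave("239.255.255.250"),
                       options=bytes([ROUTER_ALERT, 4, 0, 0]))
UDP_PKT = build_ipv4(PHONE, "192.168.1.1", UDP_PROTO, b"\x00" * 8)

if __name__ == "__main__":
    for label, pkt in (("IGMP leave -> 224.0.0.2", LEAVE_PKT), ("UDP -> gateway", UDP_PKT)):
        print(label, "options:", [hex(o) for o in parse_ip_options(pkt)])
        print("  rule without allow-opts:", evaluate(pkt, PassRule()))
        print("  rule with allow-opts:   ", evaluate(pkt, PassRule(allow_opts=True)))
```

Running it shows the IGMP packet carrying option `0x94` and being blocked by the any/any rule unless `allow_opts` is set, while the UDP packet passes either way. This also explains why a TCP/UDP-only rule never triggers the block: it simply does not match IGMP.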
-
@johnpoz I get the explanation in the docs, thank you for that. What I meant is that I found the document you shared before posting here, but was not aware that it is related to my issue.
Or better: how can I see in the logs that the traffic is blocked due to the IP option, as you explained? When looking at the logs it only says "blocked", source/target IPs, protocol and the rule. It does not say "blocked because traffic has IP option set". Sorry if the question sounds stupid and is due to my lack of knowledge.
-
@Pizzamaka Because it is an "allow" rule that is logging the block. Not a "block" rule. And it is for IGMP, not TCP or UDP or other.
-
@Pizzamaka yeah it might be a bit confusing, especially on an any/any rule where you don't call out say TCP or TCP/UDP and it's just an IPv4 any/any rule.
I think that was their goal with listing the rule that triggers but mentioning the IGMP protocol even when it's an allow rule, for example your LAN any/any rule.