IGMP ...need understanding...?
-
A few days ago I upgraded to new hardware, and from 2.7.2 CE to 2.8.0 CE, and transferred my old set-up via the backup XML file, with no changes. I then noticed I was getting IGMP blocks in my new firewall log, that I did not get before on 2.7.2. Reading some posts in this forum, I found that perhaps the IGMP "handling" changed from 2.7.2 to 2.8.0 and also found the "fix" is to enable "IP options" in the rule "Advanced" tab. All well and good now, however I still have what seems a puzzle to me.
My hardware has four physical ethernet ports -- WAN, LAN, IOT, OPT2, and all 4 have different IPv4 networks. The IOT net is where I have wireless access points and also a VLAN-capable Unifi switch. I had configured two VLANs "Guest (99)" and "WLAN (20)", and the parent interface is the IOT net.
The reason I am puzzled, besides having lost too many brain cells, is that I was only getting the IGMP blocks for rules in the IOT and WLAN interfaces, not the GUEST, even though both GUEST and WLAN are configured exactly the same, with the same parent (IOT) and the only difference being the VLAN ID. Both VLANs go "through" the Unifi switch, which is apparently the source of the IGMP query/transmission to IP 244.0.0.1. So first the firewall log would record a block from the IOT net with the switch as source, and immediately next a block at the WLAN interface with also the switch as the source, even though the switch has an IP (192.168.1.206) that is NOT on the WLAN VLAN address (192.168.20.x).
Long story short, a) I am puzzled why the GUEST network did not suffer through this, and then b) is it OK to block all IGMP traffic, since I do not think I have anything I need it for? Right now I am letting it "pass" on both the IOT and WLAN interfaces -- I had to put pass rules on both to avoid the "block" notices in the firewall log.
...sorry for the long post, and hope I have not mixed things up...
-
...after more reading... I've learned my IGMP issues are caused by me (no surprises there) and my Unifi switch. The networks I created within the Unifi Controller, to mimic the VLANs I set in pfSense, i.e. GUEST and WLAN, were not set up identically there. WLAN had IGMP Snooping enabled, while GUEST did not -- so that solves why I did not get firewall notices about IGMP on GUEST.
Mine is a home network, and I do not have IPTV, gaming, nor any other multicast applications, so I have disabled IGMP snooping everywhere within the Unifi controller settings. Hopefully this does not cause me issues down the road sometime. One more thing learned.
-
@njaimo FWIW this was a common point of confusion when they added it to Plus a while back.
https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html#packets-with-ip-options
As I understood it, the change was adding the log entry for the block. For our clients we added a rule at the bottom of the ruleset to block IGMP, set to not log, to avoid the noise.
Enabling IP Options is needed if the traffic should be passed.
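Before deciding between a silent block rule and a pass rule with IP options allowed, it helps to see how much of the log noise is actually IGMP and which interfaces the same sender shows up on (the first post describes one switch appearing on both the parent IOT interface and the WLAN VLAN). The script below is an added example, not code from this thread or from Netgate; it assumes the IPv4 field layout of the pfSense filterlog CSV (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, TOS, ECN, TTL, ID, offset, flags, protocol id, protocol name, length, source, destination), and the interface names and log lines are constructed for illustration.

```python
import csv
import ipaddress
from collections import Counter
from io import StringIO

# Constructed sample lines in the pfSense filterlog IPv4 CSV layout (assumed
# field order, see lead-in). igb2 stands in for the IOT parent interface and
# igb2.20 for the WLAN VLAN; none of these lines come from a real log.
SAMPLE_LOG = """\
5,,,1000000103,igb2,match,block,in,4,0xc0,,1,0,0,none,2,igmp,36,192.168.1.206,224.0.0.1
5,,,1000000104,igb2.20,match,block,in,4,0xc0,,1,0,0,none,2,igmp,36,192.168.1.206,224.0.0.1
7,,,1000000110,igb2,match,pass,in,4,0x0,,64,1234,0,DF,17,udp,338,192.168.1.50,192.168.1.1,5353,5353,318
5,,,1000000103,igb2,match,block,in,4,0xc0,,1,0,0,none,2,igmp,36,192.168.1.206,224.0.0.1
"""

# Names for the leading IPv4 fields; TCP/UDP entries carry extra port fields
# after these, which are kept under "extra".
IPV4_FIELDS = [
    "rule", "subrule", "anchor", "tracker", "interface", "reason", "action",
    "direction", "ipver", "tos", "ecn", "ttl", "id", "offset", "flags",
    "proto_id", "proto", "length", "src", "dst",
]


def parse_filterlog(text):
    """Parse filterlog CSV text into a list of dicts (IPv4 entries only)."""
    records = []
    for row in csv.reader(StringIO(text)):
        # Skip malformed rows and anything that is not IPv4 in this example.
        if len(row) < len(IPV4_FIELDS) or row[8] != "4":
            continue
        rec = dict(zip(IPV4_FIELDS, row))
        rec["extra"] = row[len(IPV4_FIELDS):]
        records.append(rec)
    return records


def blocked_igmp(records):
    """Return the blocked IGMP entries with a few fields worth eyeballing.

    IGMP queries and reports are addressed to multicast groups (224.0.0.1 is
    the all-hosts group a querier uses), so a non-multicast destination would
    be unusual and is flagged rather than hidden.
    """
    out = []
    for r in records:
        if r["action"] != "block" or r["proto"] != "igmp":
            continue
        dst = ipaddress.ip_address(r["dst"])
        out.append({
            "interface": r["interface"],
            "src": r["src"],
            "dst": r["dst"],
            "multicast_dst": dst.is_multicast,
            "ttl": int(r["ttl"]),
        })
    return out


def summarize(records):
    """Count blocked IGMP entries per (interface, source).

    The same source appearing on both a parent interface and one of its VLAN
    sub-interfaces is the pattern described in the thread: one querier on the
    switch, seen on every segment where snooping is enabled.
    """
    return Counter((e["interface"], e["src"]) for e in blocked_igmp(records))


if __name__ == "__main__":
    recs = parse_filterlog(SAMPLE_LOG)
    for (iface, src), n in sorted(summarize(recs).items()):
        print(f"{iface:10s} {src:16s} blocked IGMP: {n}")
    odd = [e for e in blocked_igmp(recs) if not e["multicast_dst"]]
    print(f"non-multicast IGMP destinations: {len(odd)}")
```

Run it against a file exported from Status > System Logs > Firewall (raw view) instead of SAMPLE_LOG to get the per-interface counts; if every blocked entry is IGMP from the switch to a multicast group, a non-logging block rule at the bottom of the ruleset, as suggested above, removes the noise without opening anything.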
-
@SteveITS Thank you for the info! I think I have a better grasp now on what my issue was. Since I disabled IGMP Snooping in the Unifi controller for my IOT net and associated VLANs I have not had any more notices in the firewall log (I still have the pass rules with log on, but nothing is showing in the firewall log, so I assume there is no more IGMP traffic). Cheers