Netgate Discussion Forum
    (Solved) Unable to stop multicast traffic from being logged

    Category: Firewalling
    19 Posts, 4 Posters, 16.5k Views

    mr_bobo

      Since I started using my new Netgear router I've been logging blocked multicast IGMP traffic every 2 minutes 6 seconds and have been unable to get it to stop logging that traffic:

      block Jan 14 03:46:14 	WAN 	192.168.0.1 	224.0.0.1 	IGMP
      block Jan 14 03:44:08 	WAN 	192.168.0.1 	224.0.0.1 	IGMP
      block Jan 14 03:42:02 	WAN 	192.168.0.1 	224.0.0.1 	IGMP

      I've tried creating WAN rules with logging disabled to "block IGMP from any to any", "block IGMP from any to 224.0.0.1", and "block IGMP from any to 224.0.0.0/4" without success. It won't let me specify 192.168.0.1 (my gateway) as the source as it states that is not a valid IP#. It just keeps logging the traffic no matter what rule is in place and in no time the log is filled with nothing but that traffic, which makes the logs practically useless as it moves all relevant documentation out in its place even with it set to remember 100 entries.

      I'm using the same double NAT configuration I used with my old router and never saw this in my logs the whole time I was using it. I've rebooted the pfSense box after making new rules and powered the router down and back up to no avail. I'm running pfSense 2.0.2 i386.

      Can someone advise me the best solution to this issue?

      mr_bobo

        I saw in an older post that someone with the same problem solved it by creating a floating rule that didn't specify an interface so I tried a rule to block quick all IGMP in either direction with no interface chosen, along with a rule to block quick all incoming IGMP with no interface chosen, and a specific block quick rule with all the fields from the blocked log message. (I must have entered the IP mistakenly when it wouldn't let me enter the source as 192.168.0.1 last night. )


        As shown, I also made WAN rules to block the specific traffic, a rule to block that subnet, and a rule to block all IGMP, none of which caused the traffic to no longer be logged. I tried using the Easy Rule function to auto-create a rule from the log entry and that didn't work either.

        Since blocking the traffic wasn't working I also tried each of these rules with IGMP allowed instead of blocking it. That didn't cause the traffic to continue being logged as blocked either.

        I've made sure to clear states when it scrolls across the top and tried every combination the rules will allow, and no matter if IGMP from 192.168.0.1 to 224.0.0.1 is blocked or passed with logging disabled, it continues to be logged as being blocked. I've tried it using only one rule at a time and with all the rules shown enabled, with no success.

        cmb

          That's hitting the block private networks rule, I suspect. In such cases you have to either use a floating rule, or disable block private networks on that interface, block that without logging, then add your own block private rule with logging.

          mr_bobo

            @cmb:

            That's hitting the block private networks rule, I suspect. In such cases you have to either use a floating rule, or disable block private networks on that interface, block that without logging, then add your own block private rule with logging.

            Disabling the Block Private Networks option on the WAN interface did the trick. Thanks a lot, I appreciate it. :)

            I cleaned up my rules and made a pfBlocker rule to block 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 255.255.255.255/32 on WAN and all is well.

            Mr. Jingles

              Good afternoon  ;D

              I have to apologize, but I don't understand what is written above  :-[

              My log is also flooded with these messages, as screenshot 1 shows. On googling that I first found this:

              http://knowledge.zomers.eu/pfsense/Pages/Prevent-IPv6-multicasts-from-flooding-the-pfSense-logs.aspx

              Which however was for IPv6, so I guessed what I had to enter as address given that my messages are IPv4, and created the floating rule (screenshot 2).

              Still, the messages keep on showing up.

              Now I did find the 'block private networks' on WAN, which currently is enabled. I understand from cmb that I could disable that, but I don't quite understand this:

              [quote]block that without logging, then add your own block private rule with logging.

              Sorry, but my brain is too small  :'(

              Because:
              1. "block that without logging": -> block what without logging?
              2. "then add your own block private rule with logging": -> Where to add this? What should it block? Why the logging, I thought we did not want the logging?

              I apologize for being such a noob, and please do believe me: I suffer more from that than you ( ;D)

              Thank you in advance for any answer :P,

              Bye,

              (screenshot 1: 1.jpg)

              6 and a half billion people know that they are stupid, aggressive, lower life forms.

              Mr. Jingles

                I can seem to add only one screenshot at a time  :P

                (screenshot 2: 2.jpg)

                doktornotor

                  @Hollander:

                  Sorry, but my brain is too small  :'(
                  Because:
                  1. "block that without logging": -> block what without logging?
                  2. "then add your own block private rule with logging": -> Where to add this? What should it block? Why the logging, I thought we did not want the logging?

                  0/ Disable the private networks logging checkbox.

                  1/ Firewall - Aliases - IP:
                  Add an alias for 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8

                  2/ Add your own rule without logging as first one for multicast.

                  3/ After that, add back private networks blocking with logging enabled, using the above alias. Multicast will not get logged any more, anything else will.

                  P.S. Nag someone to stop hardcoding the logging and making these rules unmovable here: https://redmine.pfsense.org/issues/371

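                  To make cmb's diagnosis and doktornotor's three-step fix concrete, here is an added example (written for this page, not code from pfSense or from anyone in the thread). It models first-match rule evaluation and replays the three log lines from the first post through two rulesets: one where the interface's built-in "block private networks" rule sits in front of the user rules with logging that cannot be switched off (the ordering described in the thread and in the linked Redmine issue; this is an assumption about the ruleset layout, not taken from pfSense source), and one where that option is off and the user rebuilds it by hand in the order given above. The fourth log line (a private-source TCP hit to 203.0.113.5) is constructed for the example to show that the hand-made private-networks block still logs everything that is not the IGMP noise.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Address groups from the thread: RFC 1918 plus loopback (doktornotor's alias)
# and the IPv4 multicast range that 224.0.0.1 falls into.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MULTICAST = [ipaddress.ip_network("224.0.0.0/4")]


@dataclass
class Rule:
    name: str
    action: str                          # "block" or "pass"
    log: bool
    proto: Optional[str] = None          # None matches any protocol
    src: Optional[List[ipaddress.IPv4Network]] = None   # None matches any source
    dst: Optional[List[ipaddress.IPv4Network]] = None   # None matches any destination

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.src is not None and not any(pkt["src"] in n for n in self.src):
            return False
        if self.dst is not None and not any(pkt["dst"] in n for n in self.dst):
            return False
        return True


def parse_log_line(line: str) -> dict:
    """Parse one GUI-style firewall log line in the shape shown in the thread:
    '<action> <Mon> <day> <time> <iface> <src> <dst> <proto>' (whitespace separated)."""
    action, _mon, _day, _time, iface, src, dst, proto = line.split()
    return {"action": action, "iface": iface, "proto": proto,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, bool, str]:
    """First matching rule wins (every rule here behaves as 'quick').
    No match falls through to the implicit default deny, which is logged."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.log, rule.name
    return "block", True, "default deny"


# Assumed model of the interface option the thread disables: a block rule on
# private sources, generated ahead of user rules, with logging hardcoded on.
BUILTIN_BLOCK_PRIVATE = Rule("builtin: block private networks (log)", "block",
                             log=True, src=PRIVATE_NETS)


def ruleset_before_fix(user_rules: List[Rule]) -> List[Rule]:
    """Option still enabled: the built-in rule is evaluated before anything the user adds."""
    return [BUILTIN_BLOCK_PRIVATE] + user_rules


def ruleset_after_fix() -> List[Rule]:
    """Option disabled; the user reproduces it by hand in doktornotor's order."""
    return [
        Rule("user: IGMP to multicast, no log", "block", log=False,
             proto="IGMP", dst=MULTICAST),
        Rule("user: block private networks (log)", "block", log=True, src=PRIVATE_NETS),
    ]


def count_logged(rules: List[Rule], lines: List[str]) -> int:
    """Number of log lines that would still produce a log entry under `rules`."""
    return sum(1 for line in lines if evaluate(rules, parse_log_line(line))[1])


# The three entries quoted in the first post.
THREAD_LOG = [
    "block Jan 14 03:46:14 \tWAN \t192.168.0.1 \t224.0.0.1 \tIGMP",
    "block Jan 14 03:44:08 \tWAN \t192.168.0.1 \t224.0.0.1 \tIGMP",
    "block Jan 14 03:42:02 \tWAN \t192.168.0.1 \t224.0.0.1 \tIGMP",
]
# Constructed for this example: a private-source, non-multicast hit that must stay logged.
CONSTRUCTED_TCP = "block Jan 14 03:50:00 \tWAN \t192.168.0.1 \t203.0.113.5 \tTCP"

if __name__ == "__main__":
    unlogged_igmp = Rule("user: block IGMP any->any, no log", "block", log=False, proto="IGMP")
    print("before fix, IGMP entries logged:", count_logged(ruleset_before_fix([unlogged_igmp]), THREAD_LOG))
    print("after fix,  IGMP entries logged:", count_logged(ruleset_after_fix(), THREAD_LOG))
    print("after fix, private TCP hit:", evaluate(ruleset_after_fix(), parse_log_line(CONSTRUCTED_TCP)))
```

Running it shows the thread's symptom: with the built-in rule in front, the user's unlogged "block IGMP" rule is never reached, so all three entries are logged no matter what it says. With the option off and the two user rules in the order given, the IGMP noise matches the unlogged rule and the TCP hit still lands on the logged private-networks block. The same first-match reasoning explains the later LAN problem in this thread: a rule only silences the log if nothing above it (including package-generated rules) matches first.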
                    Mr. Jingles

                    @doktornotor:

                    @Hollander:

                    Sorry, but my brain is too small  :'(
                    Because:
                    1. "block that without logging": -> block what without logging?
                    2. "then add your own block private rule with logging": -> Where to add this? What should it block? Why the logging, I thought we did not want the logging?

                    0/ Disable the private networks logging checkbox.

                    1/ Firewall - Aliases - IP:
                    Add an alias for 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8

                    2/ Add your own rule without logging as first one for multicast.

                    3/ After that, add back private networks blocking with logging enabled, using the above alias. Multicast will not get logged any more, anything else will.

                    P.S. Nag someone to stop hardcoding the logging and making these rules unmovable here: https://redmine.pfsense.org/issues/371

                    Thank you very much for your efforts to help me out  ;D

                    I feel myself becoming more stupid by the minute, because I still don't understand it  :'(

                    0/ I understand: Interfaces/WAN/at the bottom, disable 'block private networks'.
                    1/ I hope I did right; I added a screenshot.
                    2/ But where (what interface) and what will it precisely contain concerning multicast? (could I most impolitely perhaps ask for a screenshot?)
                    3/ This will be the same: Interfaces/WAN/at the bottom, enable 'block private networks'? No, I don't think, because there I can not enable logging, nor can I add an alias.

                    Sorry (peep)  :-[

                    But: nag someone at that url I think I can do  :P

                    ;D

                    Thank you very much for your reply,

                    Bye,

                    (screenshot: 4.jpg)

                    doktornotor

                      Well, leave it alone until you have figured it out. The above instructions are more than sufficient, provided some basic understanding of the firewall.

                      Mr. Jingles

                        @doktornotor:

                        Well, leave it alone until you have figured it out. The above instructions are more than sufficient, provided some basic understanding of the firewall.

                        ???

                        Well, thank you.

                        Perhaps somebody else would be willing to give an explanation that will actually help me get further.

                        The above instructions are more than sufficient

                        Classic communication theory has a lot to say about that.

                        Actually, I don't understand your response; why bother?

                        Mr. Jingles

                          I am still struggling with this  :P.

                          In the shower I was thinking this: suppose I add these multicast IPs to an alias, and then create a floating rule (without logging) to allow connections from LAN to that alias, would that be safe - and wise? It seems to work, but I don't know if by doing so I am breaching security ( ???)

                          Thank you in advance for any replies  ;D

                          doktornotor

                            @Hollander:

                            It seems to work, but I don't know if by doing so I am breaching security ( ???)

                            No, you are breaching functionality in the first place… by blocking (potentially) legit traffic on your LAN interface(s).

                            mr_bobo

                              The IGMP messages I was receiving were due to my Netgear router/modem.

                              It's been so long ago I don't remember exactly what the setting was, but it was an option in the Netgear management console you could check or uncheck. Once I turned it off the broadcast messages stopped. I was able to recheck the Block Private Networks box on the WAN interface and haven't had any trouble out of it since.

                              In fact, I never have any trouble out of my pfSense box.

                              Mr. Jingles

                                Ok, it appears I didn't watch too well. This thread is about WAN, but my logs are filled with this kind of traffic on LAN. It originates from my desktops, which appear to be doing some SSDP discoveries. This seems legitimate, so I thought: I will create a rule allowing this, and move it to the top of the LAN rules.

                                So: UDP, source: LAN net, destination 224.0.0.0/4, pass.

                                This works for about an hour or so (no more messages in my logs), and then suddenly the rule has moved to the bottom of the list  ???

                                Why doesn't the rule stay in place? Is this a bug, or a feature?

                                Mr. Jingles

                                  Now I am starting to get ex-tre-me-ly frustrated ( :'( :'( :'().

                                  I also disabled 'block bogon' on LAN, and again, the rule stays in place for one hour, then drops to the bottom of the list and my logs are spammed with the useless lines again.

                                  (screenshot: 003.jpg)

                                  Mr. Jingles

                                    Literally hundreds and hundreds of lines of only this pic.

                                    (screenshot: 004.jpg)

                                    doktornotor

                                      @Hollander:

                                      I also disabled 'block bogon' on LAN, and again, the rule stays in place for one hour, then drops to the bottom of the list and my logs are spammed with the useless lines again.

                                      Make all of those pfBlocker rules "alias only" in list action, you can order those as you wish.

                                      Mr. Jingles

                                        @doktornotor:

                                        @Hollander:

                                        I also disabled 'block bogon' on LAN, and again, the rule stays in place for one hour, then drops to the bottom of the list and my logs are spammed with the useless lines again.

                                        Make all of those pfBlocker rules "alias only" in list action, you can order those as you wish.

                                        Thank you very, very, much, dok; I have had that running for 12 hours now, and it appears all these stupid log messages are now, finally, gone. Again: thank you  :P

                                        doktornotor

                                          You are welcome ;)

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.