Logging Issues
-
Version : 2.3.2-RELEASE (amd64) built on Tue Jul 19 12:44:43 CDT 2016 FreeBSD 10.3-RELEASE-p5
Logging issues:
1) I have an interface dedicated to monitoring equipment on the LAN interface protected by pfSense.
There are exactly two firewall rules:
Protocol Source Port Destination Port Gateway Queue Schedule Description Actions
Pass IPv4 ICMP * * * * * none ICMP monitoring traffic only
Block IPv4+6 * * * * * * none Dismiss all other traffic
The objective is to avoid loading the pfSense logs with gibberish from the monitoring network.
Unless I clear the “Log packets matched from the default block rules in the ruleset” check box in “Status / System Logs / Settings”, the logs are full of entries such as:
Block Oct 4 14:59:29 ADMINISTRATION [fe80::225:90ff:fecd:9428]:546 [ff02::1:2]:547 UDP
The second rule should drop everything: why am I still seeing this clutter in the logs?
2) I have an IPSEC interface with the following pass all rule:
Protocol Source Port Destination Port Gateway Queue Schedule Description Actions
Pass&Log IPv4 * * * * * * none Pass all IPSEC traffic.
While I would expect all packets logged, I get EXACTLY one entry per L2TP session:
Pass Oct 4 15:36:37 IPsec “SOURCE”:63617 “WAN ADDRESS”:1701 UDP
This is great to verify that L2TP logging is working, but I don’t understand why only a single packet is being logged. Can someone explain?
3) I have an L2TP interface with the following pass all rule:
Protocol Source Port Destination Port Gateway Queue Schedule Description Actions
Pass&Log IPv4 * * * * * * none Pass all L2TP traffic.
Nothing ever gets logged! I can ping any host or nmap the entire LAN segment, nothing is ever logged. Can someone explain?
4) I have the following two rules at the beginning of the ruleset for the LAN interface:
Protocol Source Port Destination Port Gateway Queue Schedule Description Actions
Pass&Log IPv4 * * * 192.168.110.0/24 * * none Test
Pass&Log IPv4 * 192.168.110.0/24 * * * * none Test
Where the L2TP gateway is at 192.168.110.1 and the L2TP clients are in the subnet 192.168.110.128/25.
Nothing ever gets logged, although each live host responds to pings.
So, I am a bit at a loss to debug this L2TP/IPSEC installation. I can see that my test user logs in and out, that ICMP is working properly, but I cannot confirm that packets are actually routing or NATing in this setup.
Is there a fix for this logging issue?
Kind regards,
-
Would be so much easier to read with some pics..
But with 4) So your lan network is what exactly? Those rules make no sense. Why do you have a rule for the dest network, and then another rule with that same network as the source? What is the network on your lan?? If your l2tp clients are /25 why are the rules /24?
Rules are evaluated top down inbound into the interface, first rule to trigger wins - rest of the rules are not evaluated once a rule fires. So when traffic is dest to this 192.168.110 network, how would that ever be the source into the interface??
So you're logging a udp packet - do you think it should log every single packet?? Log would be useless.. Just flooded…
-
Thank you for your reply.
The rules in 4) are designed to catch anything going to the default L2TP gateway which must be outside the client range: that made it /24 to keep everything in a single subnet.
As for the offending direction issue, the idea was to catch anything and everything coming in this interface with this IPv4 address range.
As for logging, if it doesn't log everything that satisfies the rule, there is an issue. This is my concern at this time.
Regards,
-
In this L2TP/IPSEC setup, the firewall rules in the interface tab do not seem to apply because of the underlying "incoming" assumption.
To log traffic from L2TP clients, I created a "pass all" FLOATING rule, interface L2TP/IPSEC, direction outgoing, all IPv4 protocols, TCP flags any, sloppy state.
That should take care of it, but TCP traffic is simply dropped. So I added a second rule specifically for TCP traffic. The rules are:
Pass&Log IPv4 * * * * * * none Secret Rule
Pass&Log IPv4 TCP * * * * * none Redundant Secret Rule
In summary:
- the IPSEC interface will only log the first packet of the L2TP exchange
- all the rules applying to L2TP clients seem to be enforced only in the out direction and must be enforced with a floating rule
- it is not possible to drop a specific interface from the logs using an explicit block all rule.
If anybody can enlighten me, I would be grateful.
Regards,
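A small model of the logging behaviour discussed in this thread (rules evaluated top-down on the interface with the first match winning, a pass rule creating a state, and only the packet that creates the state reaching the filter log, so later packets of the same flow are matched by the state table and never by a rule), added here as an illustration. This is constructed example code, not pfSense or pf code; the interface names, addresses, ports and rule objects below are made up except where copied from the posts above, and the "default deny" logging switch is a stand-in for the "Log packets matched from the default block rules" setting mentioned in the first post.

```python
"""Simplified model of pf-style stateful filtering and logging.

Constructed example (not pfSense code): rules are evaluated top-down per
interface, first match wins, a pass rule creates a state, and only the
state-creating packet is logged.  Later packets of the same flow hit the
state table and produce no log entry, which is why a logged "pass all"
rule shows one line per session rather than one line per packet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str  # "tcp", "udp", "icmp", ...
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    log: bool = False             # the "Pass&Log" checkbox
    family: Optional[int] = None  # 4, 6, or None for IPv4+6
    proto: Optional[str] = None   # None matches any protocol
    src: Optional[str] = None     # CIDR network, None = any
    dst: Optional[str] = None
    description: str = ""

    def matches(self, pkt: Packet) -> bool:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if self.family is not None and src.version != self.family:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        # ip_network.__contains__ is False across address families
        if self.src is not None and src not in ip_network(self.src):
            return False
        if self.dst is not None and dst not in ip_network(self.dst):
            return False
        return True


class StatefulFilter:
    def __init__(self, rulesets: Dict[str, List[Rule]], log_default_block: bool = True):
        self.rulesets = rulesets            # interface -> ordered rules
        self.log_default_block = log_default_block
        self.states = set()                 # 5-tuples of established flows
        self.log: List[str] = []            # filter-log style lines

    def _log(self, action: str, pkt: Packet, descr: str) -> None:
        self.log.append(f"{action.title()} {pkt.iface} {pkt.src}:{pkt.sport} "
                        f"{pkt.dst}:{pkt.dport} {pkt.proto.upper()} ({descr})")

    def process(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.states:
            return "pass"  # state match: rules are not consulted, nothing logged
        for rule in self.rulesets.get(pkt.iface, []):
            if rule.matches(pkt):  # first match wins, remaining rules ignored
                if rule.log:
                    self._log(rule.action, pkt, rule.description)
                if rule.action == "pass":
                    self.states.add(key)
                return rule.action
        if self.log_default_block:  # fell through every rule: default deny
            self._log("block", pkt, "Default deny rule")
        return "block"


def demo() -> StatefulFilter:
    """Replay the thread's scenarios on the model and return the filter."""
    fw = StatefulFilter({
        "MONITORING": [
            Rule("pass", family=4, proto="icmp", description="ICMP monitoring traffic only"),
            Rule("block", description="Dismiss all other traffic"),  # explicit, unlogged
        ],
        "IPSEC": [Rule("pass", log=True, family=4, description="Pass all IPSEC traffic")],
    })
    # Constructed L2TP session: three UDP datagrams of one flow to port 1701
    l2tp = Packet("IPSEC", "udp", "203.0.113.10", 63617, "198.51.100.1", 1701)
    for _ in range(3):
        fw.process(l2tp)  # passes every time, logged once
    fw.process(Packet("MONITORING", "icmp", "10.0.0.5", 0, "10.0.0.1", 0))
    # IPv6 DHCPv6 solicit (addresses taken from the first post's log line)
    fw.process(Packet("MONITORING", "udp", "fe80::225:90ff:fecd:9428", 546, "ff02::1:2", 547))
    return fw


if __name__ == "__main__":
    for line in demo().log:
        print(line)
```

Running the block prints a single "Pass IPSEC ..." line for the three-packet L2TP flow and nothing for the monitoring interface, because its explicit block rule has logging off; only a packet that reaches no rule at all is logged under the default-deny switch.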