Don't show traffic pass through /var/log/filter.log

monchito

Ok, thanks.

There is a command to show the packet that are drop, and not passing through the rules?

johnpoz

Huh? packet capture will show you everything being seen on the interface that meets your criteria set in the capture, IP, port, protocol, etc. Has nothing to do with if rules would pass the traffic or not.

monchito

johnpoz,

In GUI (Diagnostics -> Packet Capture) if i capture with filter : 10.13.0.20 , 8.8.8.8 . No output:
image url)

But in Cli : tcpdump -ni em0 host 10.13.0.20 get output

But independently of this, and this what i don't understand : **the packet 10.13.0.20 -> 8.8.8.8 : icmp no should match with the "deny" default rule ??? (at least) or "pass" if it match with another rule **

Thanks

johnpoz

What are you settings on the gui capture?

What is this interface em0? Do you have vlans setup on this interface?

Does the gui capture anything?

monchito

What are you settings on the gui capture?

What is this interface em0? Do you have vlans setup on this interface?

em0 (internal), no vlans

Does the gui capture anything?

yes, capture something similar, for example :

Thanks

monchito

@johnpoz,i realize that in gui put the wrong interface:

Now i see on GUI, but still no show "deny" or "pass" traffic on /var/log/filter.log

Thanks

johnpoz

Ok so the traffic is getting there.. And what do you set in logging. By default pass stuff is not logged. If you want passed traffic to be logged you would have enable that.

Did you turn off the default deny logging?

I have it off for example - because I only want to log specific stuff.

What are you rules on this interface? Do you have any rules on your floating tab?

monchito

Yes, firewall blocks logs are enabled

We have a lots of rules (floating and not floating), but for this and for diagnostic propose we have a floating rule:

johnpoz

Well that rule is not getting any hits. see the 0/0 - do you have quick enabled on it.

Is the traffic passing or not passing? Are you natting that, etc..

Nobody can really help you point out what you might have configured wrong when you show little tiny snippets of your setup without seeing the whole picture, etc.

Do you have quick set on that rule in floating? Do you have the correct interface selected? What other rules do you have above that in floating, what rules do you have on the actual interface, etc.

Is this 10.13.0/24 network downstream network? Or is that network directly attached to pfsense? If its downstream did you setup pfsense to nat it? Does pfsense know how to get to it via some other gateway? It could be just sending it out your wan without natting it, or not knowing how to send the traffic back even if there is an answer to it, etc.

I take it the actual problem is this 10.13.0.20 is trying to ping 8.8.8.8 and you get no answer? If its a downstream network and your not natting it, then no 10.13.0.20 wouldn't ever get to 8.8.8.8, even if you allowed it.. There are many pieces to this puzzle that are missing - for use to help you figure out what the actual problem is.

monchito

On these policy:

On "0/0 B" :

That's weird, i never use it

Yes, the interface on the policy is correct

Is this 10.13.0/24 network downstream network? Yes , there are hops to an MPLS, no directly attached, no NAT used by us (asking to ISP ), and pfsense cant reach to it.

From 10.13.0.20 -> to 8.8.8.8

I take it the actual problem is this 10.13.0.20 is trying to ping 8.8.8.8 and you get no answer?
10.13.0.20 no reach 8.8.8.8 because its cut in pfsense

Sorry me english and if i'm not clear in something

Thanks