Trying to Learn what my log is saying


  • I am new to Netgate, and trying to learn more on how to best configure my pfSense router.
    What is it when I have denies on my LAN, and they are not IP addresses?
    Aug 20 20:31:19 LAN Default deny rule IPv6 (1000000105) [fe80::7683:c2ff:fe13:77d4]:33819 [ff02::1]:10002 UDP
    Aug 20 20:31:11 LAN Default deny rule IPv6 (1000000105) [fe80::7683:c2ff:fe15:38a3]:43626 [ff02::1]:10002 UDP


  • Hi,

    On the log settings ( Status > System Logs > Settings ) this option is checked ( activated ) :


    Every interface has a hidden, final (last) firewall rule: it blocks everything.
    Your own rules, if any, are visible in the GUI and sit above this rule, as you created them.

    This :

    @W0GEN said in Trying to Learn what my log is saying:

    LAN Default deny rule IPv6

    is the default IPv6 block rule on the LAN interface in action: some IPv6 device, using the auto-assigned IPv6 address fe80::7683:c2ff:fe15:38a3, wants to communicate with the router (pfSense), and you do not have any rules on your LAN interface that let this IPv6 UDP traffic pass.

    Understand that even if you think you are not using IPv6, all modern OSes have been using it for years to communicate among all devices on the same network segment, your LAN in this case.

    To stop the "noise", stop the default deny rule from logging == uncheck the option.
    Or make your IPv6 actually work, as it is there to replace IPv4 eventually.

    To see more about "who and what " : check the file /tmp/rules.debug and look for the ID 1000000105.

    You will find this :

    ....
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in  inet all tracker 1000000103 label "Default deny rule IPv4"
    block out  inet all tracker 1000000104 label "Default deny rule IPv4"
    block in  inet6 all tracker 1000000105 label "Default deny rule IPv6"
    block out  inet6 all tracker 1000000106 label "Default deny rule IPv6"
    .....
    

    The third block rule is your rule in action.
    inet6 = IPv6.
    And the label is the text identifier you saw: "Default deny rule IPv6"

    This file is the actual rule set loaded into the firewall.
    You control some parts with the GUI firewall rules Firewall > Rules > ........ (and NAT rules, etc.)
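As an added example (not from the thread or from pfSense itself), a small Python parser for filter-log lines in the format quoted above: it pulls out the tracker ID, maps it to the rules.debug entries quoted in the answer, and classifies the endpoints so that fe80:: (link-local) and ff02::1 (all-nodes multicast) are recognised. The IPv4 sample line and the TRACKERS table are constructed from the answer's excerpt and are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample: the two entries from the question plus one IPv4 line
# in the same format (the IPv4 line is made up for this example).
SAMPLE_LOG = """\
Aug 20 20:31:19 LAN Default deny rule IPv6 (1000000105) [fe80::7683:c2ff:fe13:77d4]:33819 [ff02::1]:10002 UDP
Aug 20 20:31:11 LAN Default deny rule IPv6 (1000000105) [fe80::7683:c2ff:fe15:38a3]:43626 [ff02::1]:10002 UDP
Aug 20 20:32:02 LAN Default deny rule IPv4 (1000000103) 192.168.1.50:51234 192.168.1.1:53 UDP
"""

# Tracker IDs and rule text taken from the rules.debug excerpt in the answer.
TRACKERS = {
    1000000103: ("block in  inet all", "Default deny rule IPv4"),
    1000000104: ("block out inet all", "Default deny rule IPv4"),
    1000000105: ("block in  inet6 all", "Default deny rule IPv6"),
    1000000106: ("block out inet6 all", "Default deny rule IPv6"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<iface>\S+) (?P<label>.+?) \((?P<tracker>\d+)\) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+)$"
)

def split_endpoint(ep):
    """Return (ip, port) for 'a.b.c.d:port' or '[v6addr]:port'."""
    host, _, port = ep.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def describe(ip):
    """Classify an address so the reader sees what kind of traffic was blocked."""
    if ip.version == 6 and ip.is_link_local:
        return "IPv6 link-local (auto-assigned, fe80::/10)"
    if ip.is_multicast:
        return "multicast" + (" all-nodes ff02::1" if str(ip) == "ff02::1" else "")
    if ip.is_private:
        return "private unicast"
    return "global unicast"

def parse_filter_log(text):
    """Parse log lines, join each to its rules.debug rule via the tracker ID."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not filter-log entries
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        tracker = int(m["tracker"])
        rule, label = TRACKERS.get(tracker, ("unknown", m["label"]))
        entries.append({"ts": m["ts"], "iface": m["iface"], "tracker": tracker,
                        "rule": rule, "label": label, "proto": m["proto"],
                        "src": str(src), "sport": sport, "src_kind": describe(src),
                        "dst": str(dst), "dport": dport, "dst_kind": describe(dst)})
    return entries
```

Running `parse_filter_log(SAMPLE_LOG)` shows both IPv6 entries as link-local hosts talking to the all-nodes multicast group, blocked by the inbound inet6 default deny rule.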


  • Thank you very much! This helps a lot!!!
    Bill