Netgate Discussion Forum

    Things not logged in FW

    Firewalling

      girkers

      No matter what FW I use, I could never understand why, when I cannot access something, there is NEVER anything in the FW log to show me what is blocked.

      I can appreciate that it could simply be my understanding of how things work, and I am happy to accept that, but when troubleshooting something it makes it really hard.

      It is mainly when trying to troubleshoot access between my home LAN and my IOT vLAN. E.g. I would open an app on my phone (connected to the LAN) that is to access a device on the IOT network, and it just doesn't work. Yet there is nothing logged in the FW. If I create a rule for my phone with full access to the IOT vLAN and turn on logging, I can obviously see what is happening.

      Things happen when devices are trying to go out to the WAN, just that there is nothing shown in the FW log.

      Could anyone please explain what is going on?

      Cheers,

      Girkers

        johnpoz LAYER 8 Global Moderator @girkers

        Just because you can not access something doesn't mean the firewall blocked anything.. If it's not blocked - then it wouldn't be logged.

        For example I could try and access httpd on a server on some vlan from my lan - but if httpd is not listening on the IP, it won't work - but the firewall didn't block anything. Or that httpd server could have a firewall that blocks it, pfsense didn't - so again no log on pfsense.

        Or maybe you're trying to route traffic out some gateway, or a vpn, vs letting it access your vlan - again nothing actually blocked - but whatever you're trying to access is not going to work.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          girkers @johnpoz

          @johnpoz

          I get that, you can't access something that doesn't exist.

          But what if I know for certain that a particular service is running on the other network, but still not able to access it. How would I go about troubleshooting that if there is nothing in the log?

            Gertjan @girkers

            @girkers : fire up a packet capture on the LAN interface where that service resides.
            Example: if it's a web service on the OPT1 interface (on the OPT1 network), enter:
            OPT1 for the interface, port 80 for the port, TCP for the traffic protocol.

            An often-seen reason why a service doesn't reply is because: you told it not to do so.
            Most devices use firewalls that do not reply to requests out of their own network. The request traffic does come in, but is silently dropped.

            If the device you're running has packet capture facilities, you could also try to capture from there: you'll see, traffic comes in and it accepts it from devices on the same network. But from other networks (LANs) or all the Internet (just another network)

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

              bingo600 @johnpoz

              @johnpoz said in Things not logged in FW:

              Just because you can not access something doesn't mean the firewall blocked anything.. If its not blocked - then it wouldn't be logged.

              I was bitten HARD once, w/o any hits in the log.

              In my "infinite wisdom" I allowed TCP+UDP any any as the last rule on an IF.
              And I fought a site using Win-Server VPN for a loooong time, w/o any hits in the log.

              The Win10 VPN client wouldn't connect ....

              Then I allowed IP any any, and now it worked.

              My bet is that GRE was missing (allow TCP/UDP), but I never saw a log hint ... saying that GRE packets were blocked.

              If you find my answer useful - Please give the post a 👍 - "thumbs up"

              pfSense+ 23.05.1 (ZFS)

              QOTOM-Q355G4 Quad Lan.
              CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
              LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

                johnpoz LAYER 8 Global Moderator @bingo600

                You're going to have to give us more on what is going on if you want help... I already went over multiple scenarios where something wouldn't work - but not be logged because nothing was blocked..

                So if you want help - then give the details.. And yes sniffing would show you exactly what is going on.

                  NogBadTheBad @johnpoz

                  Post screenshots of your LAN & IOT rules, you can just drop them in the chat window.

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                    johnpoz LAYER 8 Global Moderator @NogBadTheBad

                    Yeah, showing the actual rules would be a good start.. And are you using a vpn on pfsense, or on any of the devices involved in what you're trying to do? Are you doing policy routing - the rules would be a good start.

                    What IPs are involved.

                    vlan X 192.168.1/24
                    vlan Y 192.168.2/24

                    Source 192.168.1.100, destination 192.168.2.200

                    What service are you trying to talk to on 2.200? What is the port?

                    Sniff on vlan X would show you the client sending the traffic to get to vlan Y.. Sniff on vlan Y would show you pfsense sending the traffic to the dest, etc.

                    If this is an iot device - does it even have a gateway set? Seen multiple times where say a camera has no gateway, so no, you wouldn't be able to talk to it from a different vlan without source nat on pfsense. Nothing would be logged in pfsense, because traffic is allowed - pfsense has no control if the destination device doesn't answer.

                      girkers

                      I found that I had the recommended Reject rule at the bottom of both my LAN and IOT rules and once I turned logging on for these rules I could see what the firewall was blocking.

                      And before you keep going on about making sure that the remote device has the services running, in this case I had an nVidia Shield running on my IOT network and my phone, which is on the LAN, could not talk to it using the companion app. When I turned on logging of my reject rules I could see what port was being blocked and I could then let it through.

                      I do thank everyone for their assistance and things to look for in the future.

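Once logging is switched on for the reject rules, as above, the dropped flows appear in pfSense's filter log. An added example (not code from this thread or from pfSense) that parses entries in that log's CSV layout and counts blocked LAN-to-IOT flows by protocol, destination port and rule tracker ID, so the port the companion app needs stands out; the field order is assumed from the Netgate raw filter log documentation, only IPv4 TCP/UDP entries are handled, and the sample lines, subnets and ports are constructed with the syslog prefix already stripped.

```python
import ipaddress
from collections import Counter

# Constructed sample lines (not taken from the thread). Field order assumed from the
# Netgate raw filter log documentation, syslog prefix already stripped:
# rule,subrule,anchor,tracker,iface,reason,action,direction,ipver,tos,ecn,ttl,
# id,offset,flags,proto-id,proto,length,src,dst,sport,dport,datalen,...
SAMPLE_LOG = [
    "5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.100,192.168.2.200,52144,8009,0,S,1001,,65535,,mss",
    "5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.100,192.168.2.200,52145,8009,0,S,1002,,65535,,mss",
    "7,,,1000000110,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.100,192.168.2.200,52146,80,0,S,1003,,65535,,mss",
    "9,,,1000000120,igb1.20,match,reject,in,4,0x0,,64,0,0,DF,17,udp,78,192.168.2.50,192.168.1.100,5353,5353,50",
    "9,,,1000000120,igb1.20,match,block,in,4,0x0,,64,0,0,none,1,icmp,84,192.168.2.50,192.168.1.100,request,7,1",
]

LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed; mirrors the thread's "vlan X" example
IOT = ipaddress.ip_network("192.168.2.0/24")  # constructed; mirrors the thread's "vlan Y" example


def parse_filterlog(line):
    """Return the useful fields of an IPv4 TCP/UDP entry, or None for anything else
    (IPv6 and ICMP entries use a different field layout and are skipped here)."""
    f = line.strip().split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {
        "tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7], "proto": f[16],
        "src": ipaddress.ip_address(f[18]), "dst": ipaddress.ip_address(f[19]),
        "sport": int(f[20]), "dport": int(f[21]),
    }


def blocked_between(lines, src_net, dst_net):
    """Count block/reject entries for flows from src_net to dst_net, keyed by
    (proto, dport, tracker) so the rule that dropped each service is visible."""
    hits = Counter()
    for line in lines:
        e = parse_filterlog(line)
        if e and e["action"] in ("block", "reject") and e["src"] in src_net and e["dst"] in dst_net:
            hits[(e["proto"], e["dport"], e["tracker"])] += 1
    return hits


if __name__ == "__main__":
    for (proto, dport, tracker), n in blocked_between(SAMPLE_LOG, LAN, IOT).most_common():
        print(f"LAN->IOT {proto}/{dport}: {n} blocked by rule tracker {tracker}")
```

On a real box the same function can be fed the output of `clog /var/log/filter.log` with the syslog prefix cut off; a pass entry is left out of the count, which is exactly why an unlogged reject rule shows nothing.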
                        Gertjan @girkers

                        @girkers said in Things not logged in FW:

                        And before you keep going on about making sure that the remote device has the services running

                        He had to, as you weren't mentioning nor showing that you had your own (non-logging, blocking) firewall rules on your LAN 😊
                        It was either that, or the device not accepting traffic.

                          johnpoz LAYER 8 Global Moderator @girkers

                          @girkers said in Things not logged in FW:

                          recommended Reject rule

                          And where is that recommended? If you would have shown us that from the start - could have answered your question in the first post..

                          That is not the default for lan by any means.. No info ends up with yet again multiple posts to pull info to try and help someone.. To solve their own pebkac problem.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.