    Things not logged in FW

    Firewalling
girkers:

No matter what FW I use, I could never understand why, when I cannot access something, there is NEVER anything in the FW log to show me what is blocked.

      I can appreciate that it could be simply my understanding of how things work and happy to accept that, but when troubleshooting something it makes it really hard.

      It is mainly when trying to troubleshoot access between my home LAN and my IOT vLAN. E.g. I would open an app on my phone (connected to LAN) that is to access a device on IOT network and it just doesn't work. Yet there is nothing logged in the FW. If I create a rule for my phone with full access to the IOT vLAN and turn on logging I can obviously see what is happening.

Things happen when devices are trying to go out to the WAN, just that there is nothing shown in the FW log.

      Could anyone please explain what is going on?

      Cheers,

      Girkers

johnpoz (LAYER 8 Global Moderator) @girkers:

Just because you cannot access something doesn't mean the firewall blocked anything.. If it's not blocked, then it wouldn't be logged.

For example, I could try to access httpd on a server on some vlan from my lan, but if httpd is not listening on the IP, it won't work, but the firewall didn't block anything. Or that httpd server could have a firewall that blocks it; pfsense didn't, so again no log on pfsense.

Or maybe you're trying to route traffic out some gateway, or a vpn, vs letting it access your vlan. Again nothing is actually blocked, but whatever you're trying to access is not going to work.

girkers @johnpoz:

          @johnpoz

          I get that, you can't access something that doesn't exist.

          But what if I know for certain that a particular service is running on the other network, but still not able to access it. How would I go about troubleshooting that if there is nothing in the log?

Gertjan @girkers:

@girkers: fire up a packet capture on the LAN interface where that service resides.
Example: if it's a web service on the OPT1 interface (on the OPT1 network), enter:
OPT1 for the interface, port 80 for the port, TCP for the traffic protocol.

An often-seen reason why a service doesn't reply is because you told it not to do so.
Most devices use firewalls that do not reply to requests from outside their own network. The request traffic does come in, but is silently dropped.

If the device you're running has packet capture facilities, you could also try to capture from there: you'll see that traffic comes in and it accepts it from devices on the same network. But from other networks (LANs) or all the Internet (just another network)

bingo600 @johnpoz:

              @johnpoz said in Things not logged in FW:

              Just because you can not access something doesn't mean the firewall blocked anything.. If its not blocked - then it wouldn't be logged.

I was bitten HARD once, w/o any hits in the log.

In my "infinite wisdom" I allowed TCP+UDP any any as the last rule on an IF.
And I fought a site using Win-Server VPN for a loooong time, w/o any hits in the log.

The Win10 VPN client wouldn't connect ....

Then I allowed IP any any, and now it worked.

My bet is that GRE was missing (allow TCP/UDP), but I never saw a log hint ... saying that GRE packets were blocked.

johnpoz (LAYER 8 Global Moderator) @bingo600:

You're going to have to give us more on what is going on if you want help... I already went over multiple scenarios where something wouldn't work but not be logged, because nothing was blocked..

                So if you want help - then give the details.. And yes sniffing would show you exactly what is going on.

NogBadTheBad (Galactic Empire) @johnpoz:

                  Post screenshots of your LAN & IOT rules, you can just drop them in the chat window.

johnpoz (LAYER 8 Global Moderator) @NogBadTheBad:

Yeah, showing the actual rules would be a good start.. And are you using a vpn on pfsense, or on any of the devices involved in what you're trying to do? Are you doing policy routing? The rules would be a good start.

                    What IPs are involved.

                    vlan X 192.168.1/24
                    vlan Y 192.168.2/24

                    Source 192.168.1.100, destination 192.168.2.200

                    What service are you trying to talk to on 2.200? What is the port?

Sniffing on vlan X would show you the client sending the traffic to get to vlan Y.. Sniffing on vlan Y would show you pfsense sending the traffic to the dest, etc.

If this is an IoT device, does it even have a gateway set? I've seen multiple times where, say, a camera has no gateway, so no, you wouldn't be able to talk to it from a different vlan without source nat on pfsense. Nothing would be logged in pfsense, because the traffic is allowed; pfsense has no control if the destination device doesn't answer.

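Gertjan's capture recipe (interface, port, protocol) and johnpoz's point that a sniff on each vlan tells you where the packets stop can be turned into a small script. The following is an added example, not code from this thread or from pfSense: it prints the tcpdump command to run on the pfSense shell, then reads tcpdump output and tells "request never reached this interface" apart from "request was forwarded but nothing answered". Interface names (igb2), addresses and the sample packet lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense). Turns the
# "interface, port, protocol" capture recipe into a tcpdump invocation and
# classifies the capture: if the SYN shows up on the IoT-side interface,
# pfSense forwarded it (a pass rule matched, so there is nothing to log);
# if no SYN-ACK follows, the device itself is not answering.
# Interface names, addresses and sample packets are constructed assumptions.

# build_filter PROTO PORT -> BPF expression, e.g. "tcp port 80"; protocols
# without ports (gre, icmp) get a bare protocol filter.
build_filter() {
    case "$1" in
        tcp|udp) printf '%s port %s\n' "$1" "$2" ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# capture_cmd IFACE PROTO PORT -> the tcpdump command line to run on the
# pfSense shell (Diagnostics > Packet Capture does the same from the GUI).
capture_cmd() {
    printf 'tcpdump -ni %s -c 50 %s\n' "$1" "$(build_filter "$2" "$3")"
}

# classify_capture SERVER_IP PORT  (tcpdump -n output on stdin)
# Counts TCP SYNs addressed to SERVER_IP.PORT and SYN-ACKs sent from it,
# then prints one of: no-request, request-no-reply, reply-seen.
classify_capture() {
    awk -v dst="$1.$2" '
        /Flags \[S\]/   && index($0, "> " dst ":") > 0  { syn++ }
        /Flags \[S\.\]/ && index($0, "IP " dst " >") > 0 { synack++ }
        END {
            # no-request: nothing reached this interface, so look at the
            #   rules or routing on the client side
            # request-no-reply: pfSense forwarded it, the device ignored it
            #   (host firewall, service not listening, or no gateway set)
            # reply-seen: the path works at this layer
            if (syn == 0)         print "no-request"
            else if (synack == 0) print "request-no-reply"
            else                  print "reply-seen"
        }'
}

# Constructed sample: two retransmitted SYNs from the LAN phone to the IoT
# device, nothing coming back.
SAMPLE_CAPTURE='12:00:00.000001 IP 192.168.1.100.49152 > 192.168.2.200.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000001 IP 192.168.1.100.49152 > 192.168.2.200.80: Flags [S], seq 1, win 64240, length 0'

# Usage: print the command for the IoT interface, then classify the sample
capture_cmd igb2 tcp 80
printf '%s\n' "$SAMPLE_CAPTURE" | classify_capture 192.168.2.200 80
```

Run the printed tcpdump on the interface the service lives on; a "request-no-reply" verdict there means pfSense did its part and the log is empty for a reason, so the next place to look is the device's own firewall, its listening ports, or (as johnpoz notes) whether it has a gateway at all.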
girkers:

                      I found that I had the recommended Reject rule at the bottom of both my LAN and IOT rules and once I turned logging on for these rules I could see what the firewall was blocking.

                      And before you keep going on about making sure that the remote device has the services running, in this case I had a nVidia Shield running on my IOT network and my phone which is on the LAN could not talk to it using the companion app. When I turned on logging of my reject rules I could see what port was being blocked and I could then let it through.

                      I do thank everyone for their assistance and things to look for in the future.

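Once logging is turned on for the reject rule, as girkers did, the entries land in the firewall log as filterlog CSV records. The script below is an added example, not the thread's or pfSense's own code: it groups blocked records by interface, rule tracker ID, protocol, source, destination and destination port, so the blocked port stands out at a glance. A GRE record is included because it is the case bingo600 describes, where a TCP+UDP pass rule never matches. The field positions follow the pfSense filterlog layout as I understand it (an assumption: check it against the Netgate docs for your release), and the log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense). Summarises blocked
# flows from pfSense filterlog records so the blocked destination port is
# obvious. Assumed filterlog layout (IPv4): fields 1-9 are rule-number,
# sub-rule, anchor, tracker, interface, reason, action, direction,
# ip-version; then tos, ecn, ttl, id, offset, flags, proto-id, proto-name,
# length, src, dst; tcp and udp append src-port and dst-port. Verify the
# layout against the documentation for your release.

# summarize_blocks  (raw or syslog-wrapped filterlog lines on stdin)
# -> one line per flow: iface tracker action proto src dst dport count
summarize_blocks() {
    awk '
        {
            line = $0
            sub(/^.*filterlog(\[[0-9]*\])?: /, "", line)   # drop any syslog prefix
            n = split(line, f, ",")
        }
        n < 20 || f[9] != "4" { next }   # IPv4 records only; skip short or garbled lines
        f[7] != "block"       { next }   # pass entries are not what we are hunting for
        {
            proto = f[17]
            dport = (proto == "tcp" || proto == "udp") ? f[22] : "-"
            key = f[5] " " f[4] " " f[7] " " proto " " f[19] " " f[20] " " dport
            count[key]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Constructed sample: a LAN phone hitting a rejected port on the IoT vlan,
# one GRE packet falling through a TCP+UDP-only pass rule, and one passed
# UDP packet that must not show up in the summary.
SAMPLE_LOG='Mar  1 10:00:01 pfSense filterlog[40123]: 5,,,1770001234,igb1,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,192.168.1.100,192.168.2.200,51234,8080,0,S,100:100,,64240,,mss
Mar  1 10:00:02 pfSense filterlog[40123]: 5,,,1770001234,igb1,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,60,192.168.1.100,192.168.2.200,51234,8080,0,S,100:100,,64240,,mss
Mar  1 10:00:03 pfSense filterlog[40123]: 5,,,1770001234,igb1,match,block,in,4,0x0,,64,12347,0,none,47,gre,80,192.168.1.50,203.0.113.10
Mar  1 10:00:04 pfSense filterlog[40123]: 9,,,1000000104,igb1,match,pass,in,4,0x0,,64,12348,0,DF,17,udp,80,192.168.1.100,192.168.2.200,5353,5353,60'

# Usage: feed the sample (or `clog /var/log/filter.log` on the firewall)
printf '%s\n' "$SAMPLE_LOG" | summarize_blocks
```

The tracker column is the rule's tracker ID, which is what the GUI log view uses to jump to the matching rule, so each summary line points straight at the reject rule and the port it stopped; the "-" port on the GRE line is the visual hint that a TCP/UDP-only rule was never going to match it.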
Gertjan @girkers:

                        @girkers said in Things not logged in FW:

                        And before you keep going on about making sure that the remote device has the services running

He had to, as you weren't mentioning nor showing that you had your own (non-logging, blocking) firewall rules on your LAN 😊
                        It was either that, or the device not accepting traffic.

johnpoz (LAYER 8 Global Moderator) @girkers:

                          @girkers said in Things not logged in FW:

                          recommended Reject rule

And where is that recommended? If you had shown us that from the start, we could have answered your question in the first post..

That is not the default for lan by any means.. No info ends up with, yet again, multiple posts to pull info to try and help someone solve their own pebkac problem.
