Netgate Discussion Forum

[Multiple users] 24.03.r.20240410.1729 IGMP block gets logged

Plus 24.03 Development Snapshots (Retired)
  • B
    Bob.Dig LAYER 8
    last edited by Bob.Dig Apr 12, 2024, 6:52 AM Apr 11, 2024, 7:52 AM

    Maybe related to the RC; I just upgraded for the first time.

    I recreated that rule but it still got logged.

    • L
      Lurick LAYER 8
      last edited by Apr 11, 2024, 12:22 PM

      I noticed the same earlier on a previous beta build myself but didn't think much of it at the time. I haven't updated to the RC yet but it's definitely been an issue before.

      • B
        Bob.Dig LAYER 8
        last edited by Apr 11, 2024, 12:52 PM

        Now I noticed it again, it is annoying. But only on one interface.

         	Apr 11 14:46:37 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 14:46:37 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 14:46:37 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 14:46:37 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 14:46:37 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 14:46:37 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 14:46:37 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 14:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 14:35:24 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 14:35:24 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 14:35:24 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 14:35:24 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 13:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 13:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 13:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 13:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 13:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 12:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 12:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 12:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 12:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 12:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 12:17:46 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 12:17:46 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 12:17:46 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 12:17:46 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 12:17:46 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 12:17:46 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 12:17:46 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 12:02:52 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 12:02:51 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 12:02:51 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 12:02:51 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 12:02:51 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 12:02:51 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 12:02:51 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:35:24 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:35:24 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:35:24 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:35:24 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:11:05 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:11:05 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:11:05 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:11:05 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:11:05 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:11:05 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:11:05 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:02:47 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:02:47 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:02:47 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:02:47 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:02:47 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:02:47 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:02:47 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:02:11 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:02:10 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:02:10 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:02:10 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:02:10 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:02:10 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 11:02:10 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 10:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 10:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 10:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 10:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 10:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 09:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 09:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 09:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 09:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP
        	Apr 11 09:35:25 	ISWITCH 	allow ISWITCH to any rule (1712820132) 	192.168.9.30		224.0.0.22		IGMP 
        

        • B
          Bob.Dig LAYER 8 @Lurick
          last edited by Apr 11, 2024, 12:55 PM

          @Lurick said in 24.03.r.20240410.1729 IGMP block gets logged:

          I noticed the same earlier on a previous beta build myself

          I am on Hyper-V; that is a VM-NIC connected to an internal switch with many VLANs. I will try changing some settings.

          • G
            Gertjan @Bob.Dig
            last edited by Apr 11, 2024, 1:03 PM

            @Bob-Dig

            Using bare bone native "SG 4100" here, using 23.04-RC :

            The rule with ID "1712824368" is the first rule here :

            I've made a pass rule that is NOT logging.
            Still, when the firewall encounters this protocol, it logs ...
            So, there's some new logic going on inside pf: if the protocol is IGMP, then do as if the log flag is set, regardless ...

            My rules.debug looks fine :

            pass  in  quick  on $PORTAL inet proto igmp  from any to any ridentifier 1712824368 keep state label "USER_RULE: GIMP" label "id:1712824368"
            

            => no log flag.

            There is a low-level thing going on, not pfSense GUI related.
            Maybe it was even there before I upgraded to the 24.03-RC ..... I have to admit that I checked a lot, but not the firewall logs (as I don't have any firewall rule logging).

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • D
              dennypage
              last edited by Apr 11, 2024, 6:33 PM

              Flooding my logs as well, even with an explicit pass.

              • M
                marcosm Netgate
                last edited by Apr 12, 2024, 5:42 PM

                IGMP rules require allowing IP options to actually pass, hence why it's dropped on 24.03. Presumably it would be silently dropped in 23.09.1 without setting IP options on the rule (even with the log entry saying pass). Perhaps someone with an IGMP setup can confirm.

                • D
                  dennypage @marcosm
                  last edited by Apr 12, 2024, 7:20 PM

                  @marcosm said in [Multiple users] 24.03.r.20240410.1729 IGMP block gets logged:

                  IGMP rules require allowing IP options to actually pass, hence why it's dropped on 24.03. Presumably it would be silently dropped in 23.09.1 without setting IP options on the rule (even with the log entry saying pass). Perhaps someone with an IGMP setup can confirm.

                  The packets are shown as being blocked, but the rule listed is a pass rule which says do not log. It seems a bug either way.

                  That said, your supposition is correct, checking Allow IP options on the IGMP rule does work.

                  • D
                    dennypage @marcosm
                    last edited by Apr 12, 2024, 8:58 PM

                    @marcosm Thinking about this further...

                    I don't have a serious issue with the fact that an IGMP rule needs the box checked to be functional, however I think it would be a good thing to note this in the UI when IGMP is selected.

                    The most significant issues to me surround the fact that the firewall log indicates the packet was blocked by a pass rule. This is concerning for two reasons. The first concern is that there is no indication of why the packet was actually blocked in the log, which makes things difficult to track down. The second and more significant concern is the implication that rule processing stopped upon hitting the pass rule, effectively treating it as a Quick rule, rather than proceeding down the list.

                    In short, I would expect to see the "Default deny rule" instead.

                    Others may have differing opinions, which I would also like to hear.

                    • M
                      marcosm Netgate
                      last edited by Apr 12, 2024, 9:25 PM

                      The rule matching doesn't seem to take into account IP options; and given that all but floating rules have "quick" by default, the matching doesn't continue on to other rules. This is why you don't see the default deny rule as the blocker.

                      I do agree that the logging itself in this case is unexpected. I've opened a Redmine issue with the details:
                      https://redmine.pfsense.org/issues/15400

                      It does beg the question what's preferred:

                      • drop the packet and respect the rule logging (previous behavior)
                      • drop the packet and log it even when the rule is to pass without logging (new behavior)

                      I imagine the new behavior is intended since otherwise the issue would be effectively hidden from the user. The "quirk" here is that IP options are not considered when rule matching, though that may also be intended (maybe for performance?).

                      • D
                        dennypage @marcosm
                        last edited by Apr 12, 2024, 10:55 PM

                        @marcosm My personal opinion is that the new behavior is slightly more useful, but what would really make it even better would be an indication in the log of the cause.

                        Like in the firewall log Rule column, appending an indicator to the description:

                        Allow IGMP (1457745313) [IP Options disallowed]
                        

                        This would be useful in other situations as well.

                        Probably a pain to implement though... 😓

                        • B
                          Bob.Dig LAYER 8
                          last edited by Bob.Dig Apr 13, 2024, 6:46 AM Apr 13, 2024, 6:40 AM

                          I made a block rule for IGMP with no logging and my logs are clean again. I am missing the knowledge to have an opinion on this situation.

                          1 Reply Last reply Reply Quote 0
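
The behaviour discussed in this thread, as an added example that is not part of any post and is not pf or pfSense code: IGMPv3 reports to 224.0.0.22 carry the IPv4 Router Alert option (RFC 3376), so a pass rule that matches on protocol alone still ends in a drop unless it allows IP options. The function names, the constructed packet and the `verdict` model (any header longer than 20 bytes counts as carrying options) are assumptions made for illustration.

```python
import socket
import struct

IPPROTO_IGMP = 2
OPT_ROUTER_ALERT = 0x94  # copied flag + option number 20 (RFC 2113)

def sample_packet(router_alert=True):
    """Constructed IPv4 header, 192.168.9.30 -> 224.0.0.22, proto IGMP.
    Checksum is left 0 and the IGMP payload is omitted; only the header matters."""
    options = bytes([OPT_ROUTER_ALERT, 4, 0, 0]) if router_alert else b""
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0xC0, ihl * 4, 0, 0,
                       1, IPPROTO_IGMP, 0,
                       socket.inet_aton("192.168.9.30"),
                       socket.inet_aton("224.0.0.22")) + options

def ip_options(packet):
    """Return the option type bytes present in the IPv4 header."""
    ihl = packet[0] & 0x0F
    if (packet[0] >> 4) != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a complete IPv4 header")
    opts, i, end = [], 20, ihl * 4
    while i < end:
        kind = packet[i]
        if kind == 0:              # End of Option List
            break
        if kind == 1:              # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= end or packet[i + 1] < 2 or i + packet[i + 1] > end:
            raise ValueError("malformed IP option")
        opts.append(kind)
        i += packet[i + 1]
    return opts

def verdict(packet, rule_proto, allow_opts):
    """Model of the thread: the quick pass rule matches on protocol only, then the
    packet is dropped if the header has options and the rule does not allow them."""
    if packet[9] != rule_proto:
        return "no match"
    has_options = (packet[0] & 0x0F) > 5   # assumption: IHL > 5 means options
    if has_options and not allow_opts:
        return "match, blocked (IP options)"
    return "match, passed"
```

Because the rule is quick, evaluation stops at this rule in both cases, which is why the log names the pass rule rather than the default deny rule.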