Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IGMP IPV4 endless log-messages / rules not working :(

    Scheduled Pinned Locked Moved Firewalling
    22 Posts 6 Posters 1.5k Views 6 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L Offline
      louis2
      last edited by

      I have a media server and as a consequence there are multicast packages.

      • The Media server is running in one of the vlans.
      • a PIMD package takes care that the media server is accessible from some other vlan's

      That used to work without firewall log-messages, up to the moment
      I did install the actual 24.03-RELEASE !!

      However at this moment I have an endless stream of blocking messages in the log 😧 😧
      Good and strange thing is that despite that, the media streaming is still working!

      Situation is like this:

      Devices are sending IGMP packages with destinations like:
      224.0.0.1 to all nodes on the subnet
      224.0.0.2 to all routers on the subnet
      224.0.0.22 IGMP version 3

      Despite that those messages are local to the (v)lan's, I defined pass rules for those packages.
      I tried:

      • pass IPV4 IGMP to those addresses
      • pass IPV4 IGMP to those addresses with advanced option set
      • pass IPV4 any type to those address
      • defined a floating rule for one of the vlan's at the top of the float rule list passing those addresses (both directions)

      Nothing worked!

      • the pass rule did not pass but block!
      • or there was an internal / not user defined rule blocking!

      Also very strange ..... the floating pass rule .....
      is blocking all messages ... it seems ... (the rules stops messages related to other interfaces/vlan's disappear)

      As mentioned, the audio streaming functionality works, despite the blocked packages !!
      All very weird!

      1 Reply Last reply Reply Quote 0
      • bmeeksB Offline
        bmeeks
        last edited by

        New behavior in pfSense Plus 24.03. Check the docs here: https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#ip-options.

        And go read through this recent post: https://forum.netgate.com/topic/187958/igmp-strangeness?_=1715171098186.

        L 1 Reply Last reply Reply Quote 0
        • L Offline
          louis2 @bmeeks
          last edited by

          @bmeeks

          I did read the pages the links refer to and made some comments.

          The bottom line. I am still totally confused, and my impression is that it does not work correct

          GertjanG 1 Reply Last reply Reply Quote 0
          • dennypageD Offline
            dennypage
            last edited by dennypage

            Multicast will continue to work without IGMP, it will just be a little less efficient.

            If you want IGMP, you need a rule that passes IGMP with IP options set. If you are want a rule per interface, it would look like this:

            Screenshot 2024-05-08 at 08.39.56.png
            Screenshot 2024-05-08 at 08.39.02.png


            Alternatively, if you have multiple LAN segments, you could also use a floating rule which would look like this:

            Screenshot 2024-05-08 at 08.43.53.png

            Screenshot 2024-05-08 at 08.44.00.png


            The important part is to check the box for Allow IP options.

            Edit: Be sure the IGMP pass rules come before any other pass rules that might match the IGMP packets. I.E. if you have a "pass all" kind of rule, the IGMP rule needs to come before that.

            1 Reply Last reply Reply Quote 0
            • GertjanG Offline
              Gertjan @louis2
              last edited by Gertjan

              @louis2

              To add what @dennypage showed : the (a possible) final result:

              288675e3-4fe1-4205-b8d6-d4a04efcefb5-image.png

              Don't mind the first rule, it's their for a NUT reason.

              Rule 2 and 3 are the only ones you'll ever need. They are pass all rules. I use two rules so I can see how much IPv4 and IPv6.

              Note the presence of the black gear wheel on both rules : the "Allow IP options" is now checked.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              dennypageD L 2 Replies Last reply Reply Quote 0
              • dennypageD Offline
                dennypage @Gertjan
                last edited by

                @Gertjan FWIW, I would not recommend adding Allow IP options to a pass all rule. I would restrict this to IGMP.

                There are good reasons that firewalls drop packets with IP options by default.

                L 1 Reply Last reply Reply Quote 0
                • L Offline
                  louis2 @dennypage
                  last edited by

                  @dennypage @Gertjan @stephenw10

                  It does not work here also with IP-options set! Let me start with that.
                  However:

                  That a pass rule can behaves like a block rule, "more more than bizar" !!

                  IP-options is necessary for a match, than the rule without IP-options, should simply not match should not do any thing !!
                  Letting the rule change in a block rule is simply bizar !!!!!

                  But even it I put the IGMP pass rule with options set, put as very first rule in floating table, it does not work!

                  GertjanG dennypageD 3 Replies Last reply Reply Quote 0
                  • GertjanG Offline
                    Gertjan @louis2
                    last edited by

                    @louis2 said in IGMP IPV4 endless log-messages / rules not working :(:

                    "more more than bizar" !!

                    I know, I know.
                    I'm like you : wanted to stop my logs being filled up with 'useless' info.
                    This trick did it.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    1 Reply Last reply Reply Quote 0
                    • L Offline
                      louis2 @Gertjan
                      last edited by

                      @Gertjan

                      Gertjan, in my personal vision, I am just as concerned about threats from inside my network as for threats coming from the internet.

                      So my rule sets are very strict also for traffic leaving the network!

                      • for security reasons first
                      • blocking the option that things are collected from the internet for bad, commercial or good reasons ....
                      • for privacy reasons

                      So I would never ever define a rule like "every thing outgoing allowed.
                      Next to that the rules allow all subsets to freely communicate with each other. No way !! Never !!

                      My opinion of course!

                      GertjanG 1 Reply Last reply Reply Quote 0
                      • dennypageD Offline
                        dennypage @louis2
                        last edited by

                        @louis2 said in IGMP IPV4 endless log-messages / rules not working :(:

                        It does not work here also with IP-options set! Let me start with that.

                        Please post screen shots of your rules.

                        1 Reply Last reply Reply Quote 0
                        • dennypageD Offline
                          dennypage @louis2
                          last edited by

                          @louis2 said in IGMP IPV4 endless log-messages / rules not working :(:

                          IP-options is necessary for a match, than the rule without IP-options, should simply not match should not do any thing !!

                          To be clear, IP options are not matchable like protocols, addresses, ports, etc.

                          L 1 Reply Last reply Reply Quote 0
                          • L Offline
                            louis2 @dennypage
                            last edited by

                            @dennypage

                            I think I fixed it. The following way:

                            1. I did add as first rule for the vlan:
                              4e05d9d7-b8e2-449e-9001-96971c4f14bd-image.png

                            2. I did reset the states via Diagnostics / States / Rest States

                            Just defining the rule, was not enough !!!

                            dennypageD 1 Reply Last reply Reply Quote 0
                            • dennypageD Offline
                              dennypage @louis2
                              last edited by

                              @louis2 Glad you got it working. Thank you for letting me know that you had to perform Reset States. That may help others.

                              1 Reply Last reply Reply Quote 0
                              • GertjanG Offline
                                Gertjan @louis2
                                last edited by

                                @louis2 said in IGMP IPV4 endless log-messages / rules not working :(:

                                So I would never ever define a rule like "every thing outgoing allowed.
                                Next to that the rules allow all subsets to freely communicate with each other. No way !! Never !!

                                I fully agree with that.
                                I've kept the default Netgate LAN firewall rules because I have the luxury of totally trusting all my LAN devices, I don't need to block something from going outside.
                                Beyond the devices, I can also trust the users that uses these devices. I'm lucky, probably.

                                Closing all destination ports, leaving open only port 53,80,443,110,143,995,992, 993, 143 doesn't give me more security, as 99% of all threads are downloaded by users over 443 (a web browser using https) or by mail, for example IMAP SSL, port 993, a mail client.

                                My LAN is my trusted network, and they could access to my other, less trusted networks, like a captive portal, or my server network. These networks can not access my trusted LAN.
                                My non trusted networks have devices I need to admin, like access points etc. I can access these from my LAN.

                                No "help me" PM's please. Use the forum, the community will thank you.
                                Edit : and where are the logs ??

                                dennypageD 1 Reply Last reply Reply Quote 0
                                • dennypageD Offline
                                  dennypage @Gertjan
                                  last edited by

                                  @Gertjan In this case, it's a bit more than just passing ports. Allowing IP Options on a pass all rule opens your firewall to these options as well. IMO, you want to be very specific in the circumstance that you allow IP options.

                                  I would have a preference to silently dropping all packets with IP options, including IGMP, rather than allowing all IP packets with options.

                                  GertjanG luckman212L 2 Replies Last reply Reply Quote 0
                                  • GertjanG Offline
                                    Gertjan @dennypage
                                    last edited by

                                    @dennypage said in IGMP IPV4 endless log-messages / rules not working :(:

                                    you want to be very specific in the circumstance that you allow IP options.

                                    I wanted to clean my logs. I've chosen the fast way out - not necessarily the best one.

                                    No "help me" PM's please. Use the forum, the community will thank you.
                                    Edit : and where are the logs ??

                                    1 Reply Last reply Reply Quote 0
                                    • luckman212L Offline
                                      luckman212 LAYER 8 @dennypage
                                      last edited by luckman212

                                      Hello from 2025.

                                      On my 6100 running 25.07, I'm noticing these IGMP packets getting blocked (they were probably there all along but since I'm troubleshooting multicast issues I happened to be digging around and saw them)

                                      I haven't collected packet dumps of this traffic yet, but based on the LAN IPs of the 2 hosts below, I identify them as my main Mac workstation and a Windows 11 VM, so it's not platform-specific.

                                      3ccfcce2-6eab-44c3-8cd2-03e26a108b2e-image.png

                                      806dd394-6c1e-4be8-a55d-057d6df6a55e-image.png

                                      That "inet access" rule is the very bottom of my ruleset on the LAN interface, and looks like this

                                      c1e85bdc-cd2a-4992-8b6b-6dd5c2e45554-image.png

                                      What's the best course of action here?

                                      • Make a separate rule just above it that allows ip-options just for protocol IGMP?
                                      • Just ignore them?
                                      • Something else?

                                      Do I need IGMP Proxy enabled for any reason?

                                      8e443c13-b56f-4346-bc83-5a1e42b1a433-image.png

                                      edit: I decided to go with a rule to pass IGMP on the LAN for now. It's matching...

                                      5222e456-08e0-4902-a037-90908710eb88-image.png

                                      444a5809-2836-4362-8112-ffaf610785cb-image.png

                                      Thinking about this, I'm not sure that this actually does anything other than tidy the logs. Once the IGMP packet hits my pfSense, I don't think it "goes" anywhere useful.

                                      dennypageD 1 Reply Last reply Reply Quote 0
                                      • dennypageD Offline
                                        dennypage @luckman212
                                        last edited by

                                        @luckman212 I have this in Firewall / Local / Rules:
                                        Screenshot 2025-08-18 at 14.25.48.png

                                        Screenshot 2025-08-18 at 14.28.26.png

                                        There really isn't much reason to suppress IGMP packets in the local network.

                                        johnpozJ luckman212L 2 Replies Last reply Reply Quote 0
                                        • johnpozJ Offline
                                          johnpoz LAYER 8 Global Moderator @dennypage
                                          last edited by

                                          @dennypage while I agree - pfsense isn't going to do anything with it.

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

                                          dennypageD 1 Reply Last reply Reply Quote 0
                                          • dennypageD Offline
                                            dennypage @johnpoz
                                            last edited by

                                            @johnpoz said in IGMP IPV4 endless log-messages / rules not working :(:

                                            while I agree - pfsense isn't going to do anything with it.

                                            Depends upon what packages you are using I guess. From a switch POV, IGMP is pertinent for Avahi, mDNS-Bridge, mcast-bridge (not yet released), IGMP proxy and pimd. Perhaps others that I am not aware of.

                                            IGMP is a goodness that prevents unnecessary multicast packet flooding. In my view, it should always be enabled if available.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.