Netgate Discussion Forum

    Can't disable logging for LAN allow all rule

    Category: Plus 24.11 Development Snapshots (Retired) | 8 Posts, 5 Posters, 428 Views
    • patient0 wrote:

      Hi,

      I got a TAC Lite subscription today for an OPNsense DEC740 running pfSense CE 2.7.2. The primary motivation was that the AMD 10G NICs were not able to handle any of the SFP+ modules I threw at them. Same with FreeBSD 14.1, but with FreeBSD 15-CURRENT from a few days ago it does work (I got 10Gbit up/down internet yesterday and now have use of the 10G NICs).

      The router was running 2.7.2 CE with the WAN and LAN configured on the Intel i210 NICs before I got fiber to the flat.

      The upgrade to 23.09 and then to 24.03 was excellent, no issues. But still no luck with the SFP+ modules. I was well aware that this may happen, all ok.

      After the upgrade to 24.08-DEVELOPMENT the SFP+ NICs were working, and today I restored the CE config from a GoWin R86S-U4 that had been running since yesterday's fiber upgrade. With WAN on the ax0 interface. All went smooth and iperf3 from the router itself to the ISP maxes out the 10G (very basic setup).

      As the second step I moved the LAN from the 1G igb1 interface to the 10G ax1 interface. That went well too and it runs as it should.

      The only thing that is slightly wrong: the default LAN allow rule won't stop logging. It was disabled but keeps logging. Switching logging on and off again didn't help. Switching logging on and off for a VLAN (for IoT) works as expected.

      Sorry for the long preamble; maybe the fact that I reassigned the LAN interface has something to do with it?

      • marcosm (Netgate) wrote:

        Some things to check - feel free to share the output/results:

        The logged traffic should have the rule ID that processed it. Make sure that rule ID matches the one from your default rule. You can get that from the rule config at the bottom of the page. Then run the following command from Diagnostics > Command Prompt:

        grep "rule id here" /tmp/rules.debug
        

        Also compare the config difference between enabling/disabling logging for the rule. This can be done from Diagnostics > Configuration History.

        • johnpoz (LAYER 8 Global Moderator) wrote, replying to @patient0:

          @patient0 said in Can't disable logging for LAN allow all rule:

          the default LAN allow rule won't stop logging

          You turned off logging of allowed where?

          Here?

          [image: log.jpg]

          Or do you have logging on the specific rule on and off?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

          • patient0 wrote, replying to @johnpoz:

            @johnpoz I have disabled both the log packets default block and pass, that works fine.

            It really is the 'Default allow LAN to any rule' (rule nr 100000101):
            [image: Screenshot 2024-06-27 at 07.26.30.png]

            Keeps logging (screenshot from right now):
            [image: Screenshot 2024-06-27 at 07.29.24.png]

            And in the rule 100000101 the logging is off:
            [image: Screenshot 2024-06-27 at 07.32.31.png]

            For the IPv6 default LAN allow rule it does work.

            And I just checked /tmp/rules.debug and logging is not enabled for this rule:

            [24.08-DEVELOPMENT][root@home.arpa]/root: fgrep 100000101 /tmp/rules.debug
            pass  in  quick  on $LAN inet from $LAN__NETWORK to any ridentifier 0100000101 keep state label "USER_RULE: Default allow LAN to any rule" label "id:0100000101"
            

            That's odd, or I'm missing something.

            • Gertjan wrote, replying to @patient0:

              @patient0 said in Can't disable logging for LAN allow all rule:

              That's odd, or I'm missing something.

              No and yes.
              It's the IGMP protocol that makes the "don't log" rules still log this protocol. That's new since 24.x, and a bit awkward.
              As soon as 24.03 development finished, this popped up. It's not a 24.08 development thing I guess, as this behavior was already there.
              As this is an already known subject, the solutions are also on the forum.

              Hit the forum search button - see above - enter IGMP and you'll find some identical threads, questions and a solution.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit: and where are the logs??

              • patient0 wrote, replying to @Gertjan:

                @Gertjan thanks a lot, not sure why I sometimes forget to search the forum :/

                Maybe it makes sense to delete this thread, as it may just confuse people since it has nothing to do with 24.08 DEV?

                • johnpoz (LAYER 8 Global Moderator) wrote, replying to @patient0:

                  @patient0 Or if you would have posted a sample of what you were seeing, that IGMP block, we could have told you right away what it was ;)


                  • stephenw10 (Netgate Administrator) wrote:

                    It is confusing. I was confused when I first saw it. Particularly because it logs blocked traffic by a pass rule. 😖

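As an added example (not code from the thread, from Netgate or from pfSense), here is a small Python script that automates marcosm's cross-check of a log entry's tracker ID against /tmp/rules.debug and flags the case Gertjan and stephenw10 describe: an IGMP packet logged as blocked under a pass rule that has logging switched off. The filterlog field layout and both sample inputs are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of /tmp/rules.debug: the LAN pass rule has no "log" keyword,
# the IoT pass rule does (mirrors what the fgrep in the thread showed).
RULES_DEBUG = """\
pass  in  quick  on $LAN inet from $LAN__NETWORK to any ridentifier 0100000101 keep state label "USER_RULE: Default allow LAN to any rule" label "id:0100000101"
pass  in  log  quick  on $IOT inet from $IOT__NETWORK to any ridentifier 0100000202 keep state label "USER_RULE: IoT to any"
"""

# Constructed filterlog-style records (the CSV part after the syslog prefix).
# Assumed IPv4 layout: rulenr,subrulenr,anchor,tracker,iface,reason,action,dir,
# ipver,tos,ecn,ttl,id,offset,flags,protoid,protoname,length,src,dst,...
FILTERLOG = """\
120,,,0100000101,ax1,match,block,in,4,0x0,,1,0,0,none,2,igmp,32,192.0.2.10,224.0.0.22
121,,,0100000202,igb1.20,match,pass,in,4,0x0,,64,0,0,DF,17,udp,60,192.0.2.50,192.0.2.1,5353,5353
"""

def find_rule(rules_debug: str, tracker: str) -> Optional[str]:
    """Return the rules.debug line carrying 'ridentifier <tracker>', or None."""
    pat = re.compile(rf"\bridentifier\s+{re.escape(tracker)}\b")
    return next((l for l in rules_debug.splitlines() if pat.search(l)), None)

def rule_logs(rules_debug: str, tracker: str) -> Optional[bool]:
    """True if that rule has pf's 'log' keyword, False if not, None if unknown."""
    rule = find_rule(rules_debug, tracker)
    if rule is None:
        return None
    # Look only at the action/options part, before ridentifier and the labels.
    return re.search(r"\blog\b", rule.split("ridentifier")[0]) is not None

def classify(filterlog: str, rules_debug: str) -> List[Dict]:
    """Per log record: did the matching rule ask for logging, and is it the
    24.x case from this thread (IGMP shown as 'block' under a pass rule with
    logging off)?"""
    out = []
    for rec in filterlog.splitlines():
        f = rec.split(",")
        tracker, iface, action, proto = f[3], f[4], f[6], f[16]
        rule = find_rule(rules_debug, tracker) or ""
        logs = rule_logs(rules_debug, tracker)
        out.append({
            "tracker": tracker, "iface": iface, "action": action, "proto": proto,
            "logging_enabled_in_rule": logs,
            "igmp_pass_rule_quirk": (logs is False and rule.startswith("pass")
                                     and action == "block" and proto == "igmp"),
        })
    return out
```

On a real box, replace the two constructed strings with the contents of /tmp/rules.debug and the CSV part of the filter log lines; any record flagged as `igmp_pass_rule_quirk` is the behaviour this thread is about, not a rule whose logging setting was ignored.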
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.