1) How to get rid of multicast alarms!? 2) faulty rule behavior
-
I have an awful lot of multicast related alarms in the log. Especially alarms telling me that address '224.0.0.22' is blocked. I want to get rid of them!
The block alarm below
Seems to be related to the following pass rules (also without logging).
So a pass rule should not raise a block alarm
A rule without logging should not generate logging.
-
Your problem is stemming from multicast packets having the IP Options flag set. See the official documentation here: https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#ip-options. The traffic is not matching your pass rule and is instead being handled by the default deny rule.
This is newly fixed "improper" former behavior. In the past, the firewall did not discriminate packets with IP Options set, but really should have. That was fixed a while back and resulted in the log messages you are seeing. Adding a PASS rule is not enough. You must enable the IP Options match as detailed in the docs.
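To make the explanation above concrete, here is an added example (not code from the thread or from pfSense/pf itself) that models the behavior the reply describes: an IPv4 packet that carries IP options is skipped by a pass rule that lacks the IP Options match, so it falls through to the logged default deny. The sample packet is constructed inline as an IGMP packet to 224.0.0.22 carrying the Router Alert option, which is how IGMPv3 membership reports are sent (RFC 3376 requires the option); the rule model (first-match "quick" rules, default deny logged) is a simplification of pfSense's ruleset written for illustration, not pf's actual code.

```python
import ipaddress
import struct

# RFC 2113 Router Alert option (type 0x94, length 4, value 0). IGMPv3 reports
# to 224.0.0.22 carry this option, which is why they trip the IP Options check.
ROUTER_ALERT = bytes([0x94, 0x04, 0x00, 0x00])
IGMP = 2


def build_ipv4_header(src: str, dst: str, proto: int, options: bytes = b"") -> bytes:
    """Construct an IPv4 header with optional IP options (checksum left at zero)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)  # options are padded to 32-bit words
    ihl = 5 + len(options) // 4                        # header length in 32-bit words
    fixed = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, 20 + len(options), 0, 0, 1, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return fixed + options


def parse_ipv4(packet: bytes) -> dict:
    """Extract the fields a firewall rule would look at; IHL > 5 means options are present."""
    ihl = packet[0] & 0x0F
    return {
        "proto": packet[9],
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "has_options": ihl > 5,
        "options": packet[20:ihl * 4],
    }


def evaluate(packet: bytes, rules: list) -> tuple:
    """Simplified pfSense-style evaluation: first matching rule wins, then default deny.

    Returns (action, logged). A pass rule without allow_opts does not match a packet
    that carries IP options, mirroring the documented pf behavior."""
    pkt = parse_ipv4(packet)
    for rule in rules:
        if rule.get("proto") not in (None, pkt["proto"]):
            continue
        if rule.get("dst") not in (None, pkt["dst"]):
            continue
        if pkt["has_options"] and not rule.get("allow_opts", False):
            continue  # rule lacks the IP Options match: skip it
        return (rule["action"], rule.get("log", False))
    return ("block", True)  # default deny; pfSense logs it by default


# Constructed sample traffic: an IGMP packet with and without Router Alert.
IGMP_REPORT_WITH_OPTS = build_ipv4_header("192.0.2.10", "224.0.0.22", IGMP, ROUTER_ALERT)
IGMP_PLAIN = build_ipv4_header("192.0.2.10", "224.0.0.22", IGMP)

# The pass rule as the original poster had it (no logging, no IP Options match)...
RULES_WITHOUT_OPTS = [{"action": "pass", "proto": IGMP, "dst": "224.0.0.22", "log": False}]
# ...and the same rule with the IP Options match enabled, as the docs advise.
RULES_WITH_OPTS = [{"action": "pass", "proto": IGMP, "dst": "224.0.0.22",
                    "log": False, "allow_opts": True}]


def demo() -> dict:
    """Show why the block alarms appear and what the allow-opts fix changes."""
    return {
        "report_without_allow_opts": evaluate(IGMP_REPORT_WITH_OPTS, RULES_WITHOUT_OPTS),
        "report_with_allow_opts": evaluate(IGMP_REPORT_WITH_OPTS, RULES_WITH_OPTS),
        "plain_igmp_without_allow_opts": evaluate(IGMP_PLAIN, RULES_WITHOUT_OPTS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: action={result[0]} logged={result[1]}")
```

Running it shows the membership report hitting the logged default deny under the original rule and passing silently once the rule allows IP options, while an IGMP packet without options passes either way. That is the distinction behind the alarms: the pass rule is correct for the protocol and address, but not for the option-bearing packets that IGMPv3 actually sends.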
-
I will study the doc trying to find out how to work around this, however I stick to my conclusion that this is terribly wrong behavior.
Of course the firewall needs to discriminate packets the correct way, but the resulting effect is definitely not!!
-
@louis2 said in 1) How to get rid of multicast alarms!? 2) faulty rule behavior:
I will study the doc trying to find out how to work around this, however I stick to my conclusion that this is terribly wrong behavior.
Of course the firewall needs to discriminate packets the correct way, but the resulting effect is definitely not!!
There was a discussion thread about this behavior change when it came out. You can probably find it if you search. I think there may be multiple threads about it over the last year or so. My memory may be faulty, but I think the new behavior came out in pfSense 2.7.2. It was due to an upstream bug fix in pf, the firewall packet filter engine.