Netgate Discussion Forum
    Outgoing packets do not show up in log

    Firewalling
    4 Posts 3 Posters 2.3k Views
    • rnsc

      I have a default-deny setup with a rule to let out packets from port 3074 for an XBox.  On startup the XBox generates a packet to each of a large list of IPs which show up in the log, then starts to play.  NONE of the play packets show up in the log, even though the "log" box is checked on the only rule that would let them out (As evidenced by the startup packets being logged).

      I will outline my setup here, and attach my rules, the packet log, and the "pfsense System/Firewall" log, and the rule and NAT configuration screens.

      System has four interfaces:
      WAN:  DHCP to Roadrunner.  Address is 66.66.26.27
      LAN:    168.255.240.1/24 for High confidence trusted machines (Linux, Mac)
      YEL:    168.255.241.1/24 for Low confidence trusted machines (Windows with AV etc.)
      ORA:  168.255.243.1/24 for untrusted machines (XBox).  XBox is 168.255.243.16

      NAT:    Port forward of 3074 to XBox
                Outbound is set to manual so that ORA can be set to Static Port
                    LAN and YEL have Static Port set to No.

      Firewall Rules:

      I have an alias AllPrivateNets that includes the private nets and the 10.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16 networks.  I see lots of machines trying to do bootp from my WAN, so I assume that somehow Roadrunner's architecture allows people's private nets to get at whatever my modem is hooked to.

      All interfaces end with a block (WAN) or reject (LAN, YEL, ORA) all.

      WAN:  Firewall rules forward !AllPrivateNets port 3074 to the xbox on ORA to accommodate the NAT Port-Forward

      LAN:  Has about twenty specific rules allowing "LAN net" to go to "<specific port>".    3074 is not one of the ports allowed.

      YEL:  Identical to LAN except the destination has to be !AllPrivateNets, except for 22 and 631 are allowed to go anywhere.

      ORA:  Identical to LAN except the destination has to be !AllPrivateNets, except a rule is added to allow "ORA net 3074" to go to "!AllPrivateNets *"

      All three internal interfaces (LAN, YEL, ORA) have a DISABLED allow from the net any port to anywhere any port (e.g. LAN net * * *) to be handy as a quick escape hatch.  This is located almost at the top, with only a restriction that DNS go to the interface address and an allow of NTP to the interface above them.  I either removed or flagged logging on this disabled rule (don't remember which) and behaviour did not change.

      *** SO ***

      Is there some reason that packets SOMETIMES go from ORA 192.168.243.16 to the WAN without being logged, despite the rule being marked for logging?

      It smells perhaps like a NAT thing, but nothing of what I understand about NAT would suggest that stuff should bypass the firewall rules (and so the logging) going out… just coming in.

      Thank you ahead of time for any suggestions or ideas.

      Attached please find:

      rules.debug.txt          rules.debug file
      1035.screen.txt          system log / firewall from GUI
      1035.packets.txt        packet capture
      rules.WAN.screen.txt    rules from GUI
      rules.LAN.screen.txt    rules from GUI
      rules.YEL.screen.txt    rules. from GUI
      rules.ORA.screen.txt    rules from GUI
      NAT.portforward.txt    from GUI
      NAT.Outbound.txt      from GUI

      --Ray

      • GruensFroeschli

        AFAIK logging "allow-rules" logs states and not individual packets after a state has been established.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • jimp (Rebel Alliance Developer, Netgate)

          Yes, the log checkbox will log the connection, not the individual packets.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • rnsc
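An illustrative pf.conf fragment, added here and not taken from the rules.debug attached to the post, showing why the play packets never appear: a plain `log` on a stateful pass rule records only the packet that creates the state, whereas pf's `log (all)` option records every packet carried by that state. The interface macro `$ora_if` and the exact rule shape are assumptions; the alias contents and port are the ones given in the post.

```pf
# Constructed example; $ora_if stands in for the ORA interface name.
table <AllPrivateNets> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }

# Default behaviour (what the GUI "log" checkbox gives you): one filterlog
# entry when the state is created. Subsequent packets of the same connection
# are matched against the state table, never against this rule, so they are
# not logged even though they are being passed.
pass in log quick on $ora_if proto { tcp udp } from 168.255.243.0/24 port 3074 \
    to ! <AllPrivateNets> keep state

# pf's "log (all)" option logs every packet associated with the rule's state,
# replies included. Expect filterlog volume to grow with the traffic rate.
pass in log (all) quick on $ora_if proto { tcp udp } from 168.255.243.0/24 port 3074 \
    to ! <AllPrivateNets> keep state
```

Use one form or the other, not both: with `quick`, the first matching rule wins and the second is never evaluated.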

            Boy, that sure was a lot of work for a simple answer!  Well, better that than the alternative…  Thank you!

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.