0.0.0.0 IGMP spam in WAN log & LAN traffic being blocked
-
Hello Everyone,
I have been running PFSense for a while on my network and it has been great so far. I have some minor issues that need to be ironed out, so I thought I would start with the firewall log being spammed with superfluous entries.
Every few minutes the firewall records a blocked IGMP connection from 0.0.0.0 on the WAN to 224.0.0.1 on the LAN side - its filling up the log and makes it difficult to manage. I tried making a rule to hide entries from 0.0.0.0 from the log but it did not work. The traffic is being blocked by the built in bogon rule.
The other minor issue is how PFSense is terminating legitimate LAN traffic - its mostly HTTPS sessions on port 443. Its not stopping anything from working, just fills up the log with LAN entries. Google sites or Amazon AWS hosted sites seem to have this happen the most.
Thanks!
-
Yeah, I see those entries as well since 2.2 or 2.2.1
I get them from 0.0.0.0 on some local interfaces and from one IF address (10.0.3.1) directly.
Going to look at it again after 2.2.2 is out. IIRC there were issues with IGMP on redmine.
 -
Why would you be blocking bogon on a lan interface?? Your lan rules only have allow your lan source do they not, so why would you need to block bogon?
Yeah 0.0.0.0/8 is in bogon, so that would be blocked.. What interface is LADEN? Clearly that source is private - is that a wan interface and your seeing traffic from a private on it? Are you behind a router or does you wan have public on it?
-
Yes, my WAN has a public IP (PPPoE via DSL).
All but OpenVPN are local VLAN interfaces as can be seen in the screenshot below.
"Laden" is German for "store".
 -
Hi!
I had to change my 'DSL-modem (now: Draytek Vigor 130 in modem mode) and since then (2 days) I have spam from 0.0.0.0 to 255.255.255.255 port 4944 on the WAN interface of my pfSense (2.2.1 nano 386).
I have a block rule without logging on top of the WAN rules, but the log spamming continues…
 -
there is nothing you can do with that because the block is happening before your rule not to log.. 0.0.0.0/8 is is in bogon.. Turn off bogon logging if you don't want to see the noise it blocks or don't block it and then your rule would block it without log before it hits the default rule that blocks
as to traffic to 4944?? Have no idea what that is.. I would guess p2p.. but broadcast? I would sniff the traffic and look to what it is, might give you some clue how to turn it off if coming from your modem itself, etc.. Or atleast info to ask your isp about, etc.
-
2chemlud, your logs clearly show UDP traffic to a broadcast address. This thread is about IGMP to a multicast address. Please don't hijack.
-
same problem traffic blocked by bogon because of the source IP being 0.0.0.0 - just don't log bogon.. Problem solved.
-
Not logging bogons doesn't help with me. It even says "The rule that blocked this traffic is: " with no bogons or whatsoever logging.
Basically I wonder why my pfSense install sends out IGMP requests on 0.0.0.0 or in one case from its IF address. That's regardless of activating the IGMP proxy or not. Even the switches do not have IGMP snooping or even querier turned on.
I see this in the office (2.2.1) and at home (2.2) with slightly different behavior, both Nano-installs on PCengines APU boards. The amount of logged "noise" renders the log completely useless. There's hardly anything else in there. -
Stop wasting your time. This IGMP log flood does NOT come from anything user configured and CANNOT be stopped by anything user configured. https://redmine.pfsense.org/issues/4383
The only way to hide the spam from the GUI is reverting the patch that made the log entries visible. However, the firewall logs will STILL be flooded with the junk, it won't make the actual logging go away.
-
So, the IGMP 0.0.0.0 WAN to LAN issue is a bug in PFSense that we cant work around? According to that bug report the target release for the patch is 2.2.3, which I assume is some time away.
I have attached what it looks like in my log.
Also, LAN traffic being blocked is also flooding the log in a similar fashion to the 0.0.0.0 IGMP traffic. The default firewall rule set is in place. Akamai, Microsoft, and Google are the most common destinations that end up being spammed in the log.
I did set the firewall optimization to Conservative to try to get legit idle sessions to stay open, but that did not seem to make much of a difference.
-
Yes, IGMP is a known bug as linked above.
The other thing is out of state trafic non-issue and and completely offtopic here.
-
This IGMP log flood does NOT come from anything user configured and CANNOT be stopped by anything user configured.
Does that mean that every installation since 2.2. is affected? I somehow doubt that, not seeing it with other installs at clients.
-
Whether or not you see it depends on whether or not you are being hit by IGMP traffic.
https://forum.pfsense.org/index.php?topic=88029.0
-
Starts to make sense, thanks.
I know which install I surely will not update until this is solved… -
Hi!
I had to change my 'DSL-modem (now: Draytek Vigor 130 in modem mode) and since then (2 days) I have spam from 0.0.0.0 to 255.255.255.255 port 4944 on the WAN interface of my pfSense (2.2.1 nano 386).
I have a block rule without logging on top of the WAN rules, but the log spamming continues…
Solved the issue with my Draytek Vigor 130 by UNmarking "Broadcast DSL status to LAN" under ->System Maintenance->Management
-
Cool! Any way to access the Draytek through the pfSense or do I need to remove it before I can reach the Draytek's weg GUI?
-
Cool! Any way to access the Draytek through the pfSense or do I need to remove it before I can reach the Draytek's weg GUI?
Yes: https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall ;)
-
The root cause here is fixed in 2.2.3.
-
Ok, thanks for your 2.2.3 note, but the thread was hijacked ;)
2chemlud, your logs clearly show UDP traffic to a broadcast address. This thread is about IGMP to a multicast address. Please don't hijack.
