
Messages - GreatWhiteDan

Well I started with the filter issue, and moved on to other issues, and now figured it out.

Looks like there was a small configuration issue on VMware.

Needed to make sure the Net.ReversePathFwdCheckPromisc was changed.

The VMware hosts all have multiple trunk ports to the switch, so that was causing a layer 2 loop for the CARP advertisement traffic.

After changing that setting and bouncing the promiscuous mode on each vswitch, all is well.

Thank you for the help, and if anyone else is seeing the same, there is a trail, from missing log filter entries to the actual root cause.

And a reminder for others, sometimes we do read the manual and just need a little help from our fellow gurus on the web.

Johnpoz, thank you again for helping out with this.

One point to clarify.  It is not the load balancer log that I really care about, it is the firewall one that I care about.  I was just suggesting that the issue may not be isolated to the filter.log and firewall entries.

Looking deeper into this, this looks to be a bigger issue.  The log is set to display 250 entries, and even though more entries exist in the log file, they are filtered out of the GUI display because they are not relevant.  It was my understanding it would display the last 250 entries that should be shown.  But instead the log file is filling up with entries that are not shown in the GUI and thus filtering out the relevant ones.

I have a larger issue.  I am seeing the CARP advertise broadcasts from the firewall to the network.

Mar  5 11:50:28 fw filterlog: 48,,,1000000201,em2,match,block,in,4,0x10,,255,0,0,DF,112,carp,56,,,advertise,255,1,2,0,1
Mar  5 11:50:28 fw filterlog: 48,,,1000000201,em1,match,block,in,4,0x10,,255,0,0,DF,112,carp,56,,,advertise,255,4,2,0,1
Mar  5 11:50:28 fw filterlog: 48,,,1000000201,em0,match,block,in,4,0x10,,255,0,0,DF,112,carp,56,,,advertise,255,2,2,0,1

This is a virtualized pfSense on VMware, and to get CARP to work right, you have to have several VMware settings set to get it to work right, basically to rewrite the MAC addresses of the outbound packets.  It looks like that is causing a layer 2 loop as well and it is receiving its own packets back on the network.  Well at least the advertisements.   That is filling up the log with blocked packets.

Well at least I have an answer for why the logs are not showing what I am looking for.

I will dig deeper on this specific issue.  Looks like other people have experienced this layer 2 loop as well, so I will start searching in that area.

Thanks again for the help
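The three filterlog lines quoted above, and the tail-then-filter display problem described in the same post, as an added example that is not part of the original post or of pfSense's own code: it parses filterlog CSV records, flags inbound blocked CARP advertisements that carry the node's own VHID and advskew (the symptom of hearing your own advertisements back through a layer 2 loop), and models the two ways a log viewer can pick "the last 250 relevant entries". The field layout follows the pfSense 2.4 filterlog format as I understand it; the LOCAL_VHIDS map, the is_relevant filter predicate, the fw hostname and all sample addresses are assumptions constructed for the example.

```python
"""Added example, not from the post or from pfSense: parse filterlog lines,
flag reflected CARP advertisements, and model the GUI's tail/filter order."""
import re
from datetime import datetime, timedelta

# Field layout of a pfSense 2.4 filterlog record (assumption: follows the
# documented CSV format; only the fields used here are named).
COMMON_FIELDS = ['rulenum', 'subrulenum', 'anchor', 'tracker', 'iface',
                 'reason', 'action', 'dir', 'ipver']
CARP_FIELDS = ['type', 'ttl', 'vhid', 'version', 'advskew', 'advbase']
LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)'
                     r'\s+filterlog:\s+(?P<csv>.*)$')


def parse_filterlog(line):
    """Return a dict for one syslog filterlog line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.group('csv').split(',')
    rec = dict(zip(COMMON_FIELDS, f[:9]))
    rec['ts'], rec['host'] = m.group('ts'), m.group('host')
    if rec['ipver'] == '4':
        # IPv4 block: tos, ecn, ttl, id, offset, flags, proto id, proto name,
        # length, src, dst, then the protocol-specific fields.
        rec['proto'], rec['src'], rec['dst'], rest = f[16], f[18], f[19], f[20:]
    elif rec['ipver'] == '6':
        # IPv6 block: class, flow label, hop limit, proto name, proto id,
        # length, src, dst, then the protocol-specific fields.
        rec['proto'], rec['src'], rec['dst'], rest = f[12], f[15], f[16], f[17:]
    else:
        return rec
    if rec['proto'] == 'carp' and len(rest) >= len(CARP_FIELDS):
        rec['carp'] = dict(zip(CARP_FIELDS, rest))
    return rec


# Hypothetical local CARP layout inferred from the three quoted lines:
# interface -> {vhid: advskew}. A real check would read it from config.xml.
LOCAL_VHIDS = {'em0': {'2': '0'}, 'em1': {'4': '0'}, 'em2': {'1': '0'}}


def reflected_advertisements(records, local=LOCAL_VHIDS):
    """(iface, vhid) pairs for inbound *blocked* CARP advertisements carrying
    this node's own vhid and advskew. A backup node legitimately hears the
    master's advertisements (different advskew, and they are passed, not
    blocked); a node hearing its own back is the loop/reflection symptom."""
    hits = set()
    for r in records:
        c = r.get('carp') if r else None
        if not c or c['type'] != 'advertise':
            continue
        if r['dir'] != 'in' or r['action'] != 'block':
            continue
        if local.get(r['iface'], {}).get(c['vhid']) == c['advskew']:
            hits.add((r['iface'], c['vhid']))
    return sorted(hits)


def gui_view(lines, keep, limit=250, filter_first=True):
    """Two ways a viewer can build 'the last `limit` relevant lines'.
    filter_first=False is the order that hides real blocks when the file
    is flooded: it tails the raw file and only then drops the noise."""
    if filter_first:
        return [l for l in lines if keep(l)][-limit:]
    return [l for l in lines[-limit:] if keep(l)]


def _stamp(t):
    return f"{t:%b} {t.day:2d} {t:%H:%M:%S}"  # syslog style, e.g. 'Mar  5 11:50:28'


def build_sample_log(real_blocks=5, carp_seconds=120):
    """Constructed log: a few genuine inbound blocks (TEST-NET addresses),
    then carp_seconds of the three reflected advertisements per second."""
    t0 = datetime(2018, 3, 5, 11, 48, 0)
    lines = []
    for i in range(real_blocks):
        lines.append(f"{_stamp(t0 + timedelta(seconds=i))} fw filterlog: "
                     f"5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,"
                     f"203.0.113.{10 + i},198.51.100.5,51515,22,0,S,1,,1024,,mss")
    vhids = [('em2', '1'), ('em1', '4'), ('em0', '2')]  # as in the quoted lines
    for s in range(carp_seconds):
        ts = _stamp(t0 + timedelta(seconds=real_blocks + s))
        for iface, vhid in vhids:
            lines.append(f"{ts} fw filterlog: 48,,,1000000201,{iface},match,block,"
                         f"in,4,0x10,,255,0,0,DF,112,carp,56,,,advertise,255,{vhid},2,0,1")
    return lines


def is_relevant(line):
    """Hypothetical GUI filter: hide CARP advertisements, keep everything else."""
    rec = parse_filterlog(line)
    return bool(rec) and rec.get('proto') != 'carp'


def demo():
    lines = build_sample_log()
    records = [parse_filterlog(l) for l in lines]
    return {
        'reflected': reflected_advertisements(records),
        'tail_then_filter': len(gui_view(lines, is_relevant, filter_first=False)),
        'filter_then_tail': len(gui_view(lines, is_relevant, filter_first=True)),
    }


if __name__ == '__main__':
    print(demo())
```

With three VHIDs each advertising once a second (advbase 1 in the quoted lines), 250 reflected entries cover roughly 83 seconds, so a viewer that tails the raw file first and filters second shows a genuine block for only about that long before the reflections push it out; that is my estimate, and it is the same order of magnitude as the one-minute window the thread describes. On the ESXi side, the host option the later post names can be inspected with `esxcli system settings advanced list -o /Net/ReversePathFwdCheckPromisc` (my note, not from the post).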

Thanks for the helpful response.

I would provide more context, and on other issues I can think of a lot more context, but on this one I am just not sure what is relevant to post.

This is version 2.4.2_1

The log file is not full.  It is not getting slammed.  The current log file is default, yes, at 500 KB, but clog shows entries going back 14 minutes right now.   Displaying 250 entries.
I had the logs set to a higher amount, but reset everything to default when this issue started to make sure something was not messed up.

So clog shows 15 minutes of data, but the GUI shows 0 entries.

If I initiate something to get a blocked packet, the entry will show up in the GUI and then disappear exactly 60 seconds after it hits the logs.  For example, if a packet from a foreign source hits the filter at 20:02:16, it will disappear from the GUI at 20:03:16 and will still be in the clog until about 20:16:00 or so, depending on the amount of traffic.

I have two other pfSense units on this exact same version, and neither is doing this, so it is unique to this installation.


Come on.  Really.  And can you point to the part of that manual that fixes this issue?  No, because it is not there.  There is no logging setting for the amount of time an entry is displayed in the interface.  Which is why this is so confusing.

If I know how to use clog to look at the raw filter files, I think I know where the manual is and have checked it and spent several hours reading forum posts trying to avoid people like you pointing me RIGHT back to what I have been already looking at.

If you have something actually helpful, feel free to point out the details.  If somehow your posting of the log settings, which I have been over many times, has the answer and I am just missing it, prove me wrong.  But in this case, I do not think you can do that.

Anyone else want to be helpful?

General Questions / Firewall log entries only display the last minute
« on: March 04, 2018, 02:04:25 pm »
I am struggling to come up with an answer and it must be something obvious.

I have a pair of pfSense with CARP, and after getting everything up and running, the logs for the firewall are timing out entries after 60 seconds.  So most of the time when I go into the firewall logs, I have a few lines, or nothing.  Each entry disappears from the web GUI front end after 60 seconds.  It appears that it is a mixed bag.  System shows items older than 60 seconds, and so does OpenVPN, but load balancer does not.

I have set all the settings back to default that I know of, but I do not see anything based on time.  clog -f filter.log shows entries much older than 60 seconds.

Anyone have any ideas on this one?
