I know, not 25.1 solely, but not really sure of the best place to raise this question.
Since upgrading to 25.7, the live view firewall logs no longer show anything on my systems.
I witnessed the problem on my standby firewall, but the HA sync page's advice of (paraphrased)
'the standby and primary are running different versions, upgrade to avoid weirdness'
led me to think that this was likely a symptom of having the pair split across versions.
However, that's not the case.
Things WORKING:
- all of the panes within `diagnostics` show data
- `/ui/firewall/alias_util/` shows aliases and counters as expected.
- `/ui/diagnostics/firewall/statistics#rules` shows all the rules alongside evaluations and counters
- `/ui/diagnostics/firewall/pf_top` shows sessions as expected
- `/ui/diagnostics/firewall/states` shows states as expected
- `/ui/diagnostics/firewall/statistics#info` shows all the expected counters as usual
- `ui/diagnostics/log/core/firewall` shows some stuff (mostly the update of fail2ban from maltrail)
- The statistics on matches in an interface's rulesets still work.
- PF is still doing its thing.
- the lobby dashboard
the firewall pair is still working correctly afaict...
however....
under firewall/logfiles
( live view | overview | Plain view )
none of these show content.
All the panes in `/ui/diagnostics/firewall/stats` show 'No Data Available'
The live view shows nothing.
Anyone have similar experiences?
Suggestions?
any diagnostic steps that would be useful or informative?
- I have validated that 'enable local logging' is checked in 'system/settings/logging'.
- I have disabled local logging and re-enabled it.
- I have reset the logfiles.
under `system:settings:logging` on the statistics pane, it seems like syslog's healthy.... I'm a bit confused.
[Image: log statistics pane under logging]
25.1 is where you need to be. Go back to System - Firmware and switch from Development to Community, then check for updates.
Infamous "works for me" on latest opnsense-devel. Clearing browser cache would be my first suggestion.
Cheers,
Franco
I tried multiple browsers in anonymous mode before even considering posting here..
Any suggestions on what I might do/try to do to identify where the problem might be?
Easy ICMP rule with logging with source of client. Start ping from client and watch live log?
Cheers,
Franco
Nada.
Nothing shows in the UI.
Where should I look systemically to step back?
IE: What does the 'live view' webui use as its source?
how can I tap there to see if log events are present there?
I have the same problem. Since updating to 25.1.3 no filterlog is being generated. Other logs are but not filterlog.
well.... at least it's not **JUST** me :)
If you haven't already, try a reboot of your router. I rebooted the router and now have the filterlog being generated to disk.
I recently installed 25.1.3 from the iso.
During bootup, I'm seeing blocks logged with descriptions that are associated with system and user-defined PASS rules.
e.g. 'let out anything from firewall host itself (force gw)' and a user rule (associated with a port forward) that passes udp/53 to the firewall 127.0.0.1. I have default block logging turned off.
Is this to be expected during start-up? These anomalous log entries do stop immediately the opnsense host is fully up and running. But I wondered how the description from a pass rule gets associated with a block in the log.
Okay,
at this point, I'm really pretty stumped.
- I have rolled my standby firewall back to 25.1.5_5
- I have replaced all -devel packages with their "stable" counterparts
I am still unable to see any firewalling events in live view.
now, if my config broke something, that's .... okay, whatever... that's on me.
Nevertheless, the problem encountered **STILL** ought to be logged, but I'm not seeing anything obvious.
Neither the dashboard's live view of firewall actions, nor the live view displays anything.
This **IS** somewhat troublesome, as I've been attempting to sort out some bad traffic, and the lack of ability to inspect this in the webui is, mildly problematic.
Could really use some pointers as to what to inspect or what might be contributing to the problem...
I'm sure it's my fault.... but I'm stumped as to how. ;)
I'd really appreciate some insight, as I'm kinda at a loss as to how to solve my own problem here.
what feeds the log plumbing here?
How can I walk back the cat, as it were?
What information would be helpful in further teasing apart the problem I've made for myself here? :)
Create a rule allowing ICMP to 9.9.9.9 and make it the first in the list. Have a machine in that (v)lan do a continuous ping to 9.9.9.9.
Go to Live View and filter by address contains 9.9.9.9
Post a screenshot with the rule and with the live view.
Hello, here is a similar situation: on live view I can see only a very limited amount of lines.
If I ping 9.9.9.9 I see replies on the Windows computer terminal, but there is nothing on the liveview or plain view.
This happens both with a specific rule in place or not.
I don't know if it's just my error but, shouldn't the liveview show everything even if the single rules are not flagged to be logged? (blue circle with a "i" inside)
Apparently I'm restricted to 4 imgs/post. so I'll make a few.
I happened to be in the middle of setting up a new vlan when I noticed this problem, so I had a blank canvas.. here's:
- the interface config
- the egress link config
- the rule explicitly permitting and logging icmp (198.18.14.0/24) -> (8.8.8.8/32)
- the egress nat rule.
following
- view of the interface, showing the icmp rule ordered first.
- view of the interface rules with all autogenerated/group rules expanded
- the canary host (smurf) pinging and the tcpdump on the firewall's vlan interface receiving the traffic
furthering:
- the reporting pane of the webui showing that traffic is indeed transiting the vlan/lagg and (at least some of) the opnsense componentry exposing that
- the live view filtered by 'dst 8.8.8.8' showing nothing
- the live view filtered by interface showing nothing
- the live view filtered by src with the ip of the canary/smurf host ... showing nothing
(with no filter whatsoever there's still nothing at all visible, but being explicit in the imagery for shiggles)
lastly
the overview pane, showing 'No Data Available' for anything of significance
Something's borked.... but nothing (obvious) is logged to point me in the direction of the borkedness ;)
(yes, that's a technical term :P )
I appreciate your input, and your request strategy...
(I **DID** do all this (altho admittedly not as pedantically) before starting this thread, but a second lobescratcher is appreciated ;) )
Dunno if it is just me...but I see all screenshots blurred.
What happens if you leave everything in place and only revert the opn package? I would reboot after to make sure there's a clean slate before retesting.
`opnsense-revert -r 25.1.3 opnsense`
They are a bit hard to read. The setup seems unconventional to me.
Of note:
* Non RFC1918 range on the VLAN side. VLAN over LAGG. Large MTU (9198).
* ICMP FW rule looks fine
* Outbound NAT rule on WAN with target which is not WAN_IP (this said, the rule applied to another source, but I suspect there's a similar rule for the correct VLAN)
* Tcpdump shows ICMP echo and reply interlaced with other messages (STP, VRRPv2)
The rest is beyond me.
yeah, I made the images small as I didn't figure they needed to be huge to be legible, but praps I went a lil too optimize-crazy ;)
(the forum wouldn't let me post an image larger than 250k)
yes, I run non-rfc1918 unroutable addresses, but it **REALLY** shouldn't matter.
yes, lagg -> vlan bridges ... multiple isolated segments.... not **TYPICAL** sure, but not really an antipattern... just occasionally finicky
yes, I have a /28. each fw gets a /32 for themselves;
(.17 / .18) .19 is the catchall nat, many other services behind the fw pair are natted to distinct addresses....
that's not **that** abnormal ;)
the tcpdump showing traffic on the fw interface wasn't locked down to proto / src ... it was just picking up all the traffic on that vlan ... which ... sure... there's some noise...
but all of that is unlikely to cause NOTHING to be shown in any of the inspection panes ... :)
Quote from: newsense on April 24, 2025, 04:02:28 AM
> Dunno if it is just me...but I see all screenshots blurred.
> What happens if you leave everything in place and only revert the opn package ? I would reboot after to make sure there's a clean slate before retesting.
> `opnsense-revert -r 25.1.3 opnsense`
Good question. will try on the secondary node here in a bit....
alright... went back to 25.1.2.... and removed all sysctls / loader changes.... and I have logs again.
will walk back to current, then start reintroducing sysctls
Okay...
so...
it's **SOMETHING** to do with my sysctls, but I've not quite narrowed down wot yet. more digging to come. but.....
as a note to others ...
if ya run into something wobbly like this... try backing up your config and resetting all yer sysctls custom tunables .... if it solves yer problem, start adding them back and rebooting til you find the cause of the borkedness :)