25.7 AND 25.1 nothing shown in firewall log (live view, Overview, and Plain View)?

Started by Wolfspyre, March 09, 2025, 03:16:30 AM

Apparently I'm restricted to 4 imgs/post. so I'll make a few.

I happened to be in the middle of setting up a new vlan when I noticed this problem, so I had a blank canvas.. here's:
- the interface config
- the egress link config
- the rule explicitly permitting and logging icmp (198.18.14.0/24) -> (8.8.8.8/32)
- the egress nat rule.

following
- view of the interface, showing the icmp rule ordered first.
- view of the interface rules with all autogenerated/group rules expanded
- the canary host (smurf) pinging and the tcpdump on the firewall's vlan interface receiving the traffic

furthering:
- the reporting pane of the webui showing that traffic is indeed transiting the vlan/lagg and (at least some of) the opnsense componentry exposing that
- the live view filtered by 'dst 8.8.8.8' showing nothing
- the live view filtered by interface showing nothing
- the live view filtered by src with the ip of the canary/smurf host ... showing nothing

(with no filter whatsoever there's still nothing at all visible, but being explicit in the imagery for shiggles)

lastly
the overview pane, showing 'No Data Available' for anything of significance

Something's borked.... but nothing (obvious) is logged to point me in the direction of the borkedness ;)
(yes, that's a technical term :P )

I appreciate your input, and your request strategy...

 (I **DID** do all this (altho admittedly not as pedantically) before starting this thread, but a second lobescratcher is appreciated ;) )

Dunno if it is just me...but I see all screenshots blurred.

What happens if you leave everything in place and only revert the opn package? I would reboot after to make sure there's a clean slate before retesting.

opnsense-revert -r 25.1.3 opnsense

They are a bit hard to read. The setup seems unconventional to me.
Of note:
* Non RFC1918 range on the VLAN side. VLAN over LAGG. Large MTU (9198).
* ICMP FW rule looks fine
* Outbound NAT rule on WAN with target which is not WAN_IP (this said, the rule applied to another source, but I suspect there's a similar rule for the correct VLAN)
* Tcpdump shows ICMP echo and reply interlaced with other messages (STP, VRRPv2)

The rest is beyond me.


yeah, I made the images small as I didn't figure they needed to be huge to be legible, but praps I went a lil too optimize-crazy ;)

(the forum wouldn't let me post an image larger than 250k)

yes, I run non-rfc1918 unroutable addresses, but it **REALLY** shouldn't matter.

yes, lagg -> vlan bridges ... multiple isolated segments....  not **TYPICAL** sure, but not really an antipattern... just occasionally finicky

yes, I have a /28. each fw gets a /32 for themselves;
(.17 / .18) .19 is the catchall nat, many other services behind the fw pair are natted to distinct addresses....
that's not **that** abnormal ;)

the tcpdump showing traffic on the fw interface wasn't locked down to proto / src ... it was just picking up all the traffic on that vlan ... which ... sure... there's some noise...

but all of that is unlikely to cause NOTHING to be shown in any of the inspection panes ... :)





Quote from: newsense on April 24, 2025, 04:02:28 AM

Dunno if it is just me...but I see all screenshots blurred.

What happens if you leave everything in place and only revert the opn package? I would reboot after to make sure there's a clean slate before retesting.

opnsense-revert -r 25.1.3 opnsense

Good question. will try on the secondary node here in a bit....

allright... went back to 25.1.2.... and removed all sysctls / loader changes.... and I have logs again.

will walk back to current, then start reintroducing sysctls

April 25, 2025, 02:11:06 AM #24 Last Edit: April 25, 2025, 07:45:17 AM by Wolfspyre Reason: update with more information
Okay...
so...
it's **SOMETHING** to do with my sysctls, but I've not quite narrowed down wot yet. more digging to come. but.....

as a note to others ...

if ya run into something wobbly like this... try backing up your config and resetting all yer sysctls custom tunables .... if it solves yer problem, start adding them back and rebooting til you find the cause of the borkedness :)
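
Added example, not part of the thread and not OPNsense code: the add-back-and-reboot procedure from the last post, generalized to a bisection so that each reboot halves the list of suspect tunables. It assumes the backed-up config.xml stores tunables as `<sysctl><item>` entries with `<tunable>` and `<value>` children and that a single tunable is responsible; the sample config and its placeholder culprit are constructed, and `load_tunables`, `bisect_culprit` and `logs_missing` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Assumption: tunables live in <sysctl><item> entries
# with <tunable> and <value> children in the exported config.xml.
SAMPLE_CONFIG = """<opnsense>
  <sysctl>
    <item><tunable>net.inet.ip.redirect</tunable><value>0</value></item>
    <item><tunable>kern.ipc.maxsockbuf</tunable><value>16777216</value></item>
    <item><tunable>example.placeholder.tunable</tunable><value>1</value></item>
    <item><tunable>net.inet.tcp.recvspace</tunable><value>4194304</value></item>
    <item><tunable>net.inet.tcp.sendspace</tunable><value>4194304</value></item>
  </sysctl>
</opnsense>"""

def load_tunables(config_xml):
    """Return [(name, value), ...] for every tunable in the backup."""
    root = ET.fromstring(config_xml)
    out = []
    for item in root.findall("./sysctl/item"):
        name = (item.findtext("tunable") or "").strip()
        if name:
            out.append((name, (item.findtext("value") or "").strip()))
    return out

def bisect_culprit(tunables, logs_missing):
    """Find the one tunable that empties the firewall log views.

    logs_missing(subset) stands for one manual round: apply only `subset`,
    reboot, and report True if live view / overview stay empty.
    Assumes a single, independent culprit. Returns (culprit, rounds).
    """
    rounds = 1
    if not logs_missing(tunables):  # the full set must reproduce the problem
        return None, rounds
    candidates = list(tunables)
    while len(candidates) > 1:
        half = candidates[: len(candidates) // 2]
        rounds += 1
        # Problem reproduced with the first half: culprit is in it.
        # Otherwise it is in the remaining entries.
        candidates = half if logs_missing(half) else candidates[len(half):]
    return candidates[0], rounds

if __name__ == "__main__":
    tunables = load_tunables(SAMPLE_CONFIG)
    # Simulated test outcome: pretend the placeholder entry is the cause.
    bad = "example.placeholder.tunable"
    culprit, rounds = bisect_culprit(tunables, lambda s: any(n == bad for n, _ in s))
    print(f"culprit={culprit} after {rounds} reboot/test rounds")
```

On a real firewall each `logs_missing` call is a manual apply, reboot and check of the log views, so the round count is the number of reboots needed.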