block rules not logging

Reply to block rules not logging on Mon, 29 Dec 2025 19:07:17 GMT

beatvjiking — Mon, 29 Dec 2025 19:07:17 GMT

@johnpoz the only common package in use is System Patches, and there aren't any non-package-provided patches installed. I'll keep digging.

Reply to block rules not logging on Mon, 29 Dec 2025 18:44:09 GMT

johnpoz — Mon, 29 Dec 2025 18:44:09 GMT

@beatvjiking well it could still be a bug, but only triggered by some not so common thing. Do you use a specific package across the systems?

But yeah its not a bug in the sense that everyone, or big common base of users are hit with it.

Reply to block rules not logging on Mon, 29 Dec 2025 18:25:41 GMT

beatvjiking — Mon, 29 Dec 2025 18:25:41 GMT

@johnpoz I agree, and I'm going to move forward with the rebuild, and will update after. I just am baffled by this - based on my experiences and the breadth of configurations and systems the issue crosses, it seems like a bug; but as you say, if it were a bug one would expect more people would be seeing it.

Reply to block rules not logging on Mon, 29 Dec 2025 17:52:16 GMT

johnpoz — Mon, 29 Dec 2025 17:52:16 GMT

@beatvjiking well something is common between all the units causing the problem. Finding out what that is the question.

If it was some huge bug in 25.11 - why isn't mine showing the problem.. Why are not the 1000's or prob more like 10s of thousands of units out there now running 25.11 not having the issue?

I would think if was some common thing causing the issue - the boards would be a flame with people reporting the issue, etc.,

So I think the best way forward is since your home system rebuild would cause the least disruption is to attempt to find what is the root of the problem with it. And then that hopefully points to the common thing that is causing it in your other systems

Reply to block rules not logging on Mon, 29 Dec 2025 17:33:59 GMT

beatvjiking — Mon, 29 Dec 2025 17:33:59 GMT

@johnpoz @tinfoilmatt I'll set aside some time in the next few days to rebuild the home unit from scratch and compare the backups. The thing that gives me pause is that the configuration on this unit doesn't really match up in any meaningful way to any of the other machines exhibiting the issue.

I found another machine exhibiting it, which only began having the issue on the upgrade to 25.11. That one hasn't had its logs cleared, but it hasn't logged a single blocked packet (despite definitely blocking many) since the upgrade/reboot. It's a completely different piece of hardware (an old C2358 machine with a CF card I use as an IPSec endpoint). Bafflingly, rolling back to the 25.07.1 boot environment does not fix the issue - it's still not logging blocked packets it's configured to log even after booting the old version and config. Comparing the config versions from enabling the firmware upgrade until today reveals absolutely nothing amiss changing in the config (below). I found yet another machine that hasn't logged blocked packets since a 123 seconds after booting into 25.07.1 (which was a clean install on a 7100). It booted, logged blocked packets for about two minutes, then stopped.

--- /tmp/be_mount.6rG2/cf/conf/backup/config-1765562644.xml	2025-12-12 13:04:44.807537000 -0500
+++ /tmp/be_mount.6rG2/cf/conf/config.xml	2025-12-19 09:58:05.558321000 -0500
@@ -1,6 +1,6 @@


-	24.0
+	24.1
	
	
		normal
@@ -870,9 +870,9 @@
	
	
	
-		1765562644
-		
-		
+		1766156285
+		
+		
	
	
	
@@ -901,7 +901,7 @@
		67574832baa75
		
		server
-		different cert info here==
		different cert info here
	
	
@@ -947,7 +947,7 @@
				most secure, easiest to use, and simplest VPN solution in<br />
				the industry.]]>
			https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-WireGuard
-			0.2.9_5
+			0.2.11
			wireguard.xml
			/usr/local/pkg/wireguard/includes/wg.inc
		
@@ -955,7 +955,7 @@
			System Patches
			System_Patches
			
-			2.2.23
+			2.2.26
			systempatches.xml
			/usr/local/pkg/patches.inc
		
@@ -971,7 +971,7 @@
	agility. Whether you're scaling deployments or streamlining network
	management, Netgate Nexus delivers the control and customization you
	need to stay ahead.]]>
-			25.07.1_1
+			25.11
			nexus.xml

Reply to block rules not logging on Sat, 27 Dec 2025 16:21:04 GMT

johnpoz — Sat, 27 Dec 2025 16:21:04 GMT

@beatvjiking said in block rules not logging:

I'd say maybe there was some kind of issue with how it's configured (like trying to parse out the wrong interface's messages or something), rather than a bug causing it to fail.

Possible for sure, something related to weirdness with your interface setups. Recent thread where they were seeing the anti-lock out rule on one of their vlan interfaces vs lan, and they too were having issues with rules.

You clearly have something wrong - but what is crazy is you would have the same sort of something wrong on multiple setups.

Kind of leaning towards @tinfoilmatt suggest, just start clean.. When you have logging working.. Then restore rules on the interfaces. Maybe only backup the firewall rules vs complete restore. But since you would have a clean system, make sure you take a backup of its config.. Before you restore - if the restore breaks the logging you will have files you can compare to what could be causing it.

Reply to block rules not logging on Sat, 27 Dec 2025 16:06:52 GMT

tinfoilmatt — Sat, 27 Dec 2025 16:06:52 GMT

@beatvjiking Fresh install and config restore is your best option. Something is corrupted. Not worth identifying what.

Reply to block rules not logging on Sat, 27 Dec 2025 15:58:24 GMT

beatvjiking — Sat, 27 Dec 2025 15:58:24 GMT

@tinfoilmatt raw logging+reboot = no go, unfortunately. I'm wondering if there's a good way for me to look at the raw output of pflog - it seems pfSense does something to capture and manage that information using the filterlog process.

As an experiment I set up a syslog server on my home network and directed pfSense to send its output there, and it was able to capture everything pfSense is capturing log-wise, but still nothing from the firewall.

root    27982   0.0  0.1  15000  3776  -  Ss   Fri01      0:05.84 /usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid

The filterlog process seems to be the next place to focus troubleshooting, but some googling makes it seem like it's sort of a black box - a simple one, but not one that people seem to have issues with in terms of troubleshooting. Any ideas on where to start looking? If I had to guess, I'd say maybe there was some kind of issue with how it's configured (like trying to parse out the wrong interface's messages or something), rather than a bug causing it to fail.

Reply to block rules not logging on Thu, 25 Dec 2025 14:39:53 GMT

beatvjiking — Thu, 25 Dec 2025 14:39:53 GMT

@tinfoilmatt the raw logging plus reboot makes logical sense since it'd restart pflog/filterlog in addition to changing the configuration. I'll do so when there are fewer people in my house :)

Reply to block rules not logging on Thu, 25 Dec 2025 02:08:16 GMT

johnpoz — Thu, 25 Dec 2025 02:08:16 GMT

@tinfoilmatt nice catch

[25.11-RELEASE][admin@sg4860.home.arpa]/: ps -A | grep syslogd
94189  -  SCs      0:02.15 /usr/sbin/syslogd -O rfc3164 -s -c -c -l /var/dhcpd/var/run/log -l /tmp/haproxy_chroot/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf
95527  -  I        0:00.01 syslogd: syslogd.casper (syslogd)
96345  -  Is       0:00.00 syslogd: system.net (syslogd)
57942  0  S+       0:00.00 grep syslogd
[25.11-RELEASE][admin@sg4860.home.arpa]/:

Really odd - I have no issues..

Reply to block rules not logging on Wed, 24 Dec 2025 21:59:40 GMT

tinfoilmatt — Wed, 24 Dec 2025 21:59:40 GMT

@beatvjiking I might suggest 'raw logging' plus a reboot for good measure. But I'm running out of weak suggestions.

Reply to block rules not logging on Wed, 24 Dec 2025 21:32:12 GMT

beatvjiking — Wed, 24 Dec 2025 21:32:12 GMT

@tinfoilmatt I had seen that box so many times over the last 24 hours it stopped mentally registering, lol. I checked it, saved, reset the log files. Still nothing, but I am indeed learning!

Reply to block rules not logging on Wed, 24 Dec 2025 21:18:52 GMT

tinfoilmatt — Wed, 24 Dec 2025 21:18:52 GMT

@johnpoz Oh. It's because you included a colon in your grep string.

Reply to block rules not logging on Wed, 24 Dec 2025 21:18:07 GMT

tinfoilmatt — Wed, 24 Dec 2025 21:18:07 GMT

@johnpoz Weird because mine matches (in addition to an HAproxy logging hook). I assumed that was the operative syslogd process. But maybe not.

Obligatory mention that I'm on CE 2.8.1-RELEASE over here.

ps -A | grep syslogd
89854  -  SCs      0:02.20 /usr/sbin/syslogd -O rfc5424 -s -c -c -l /var/dhcpd/var/run/log -l /tmp/haproxy_chroot/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf
91058  -  I        0:00.00 syslogd: syslogd.casper (syslogd)
91991  -  Is       0:00.00 syslogd: system.net (syslogd)
56861  1  S+       0:00.00 grep syslogd

Reply to block rules not logging on Wed, 24 Dec 2025 21:14:33 GMT

johnpoz — Wed, 24 Dec 2025 21:14:33 GMT

Not sure what that first line is on your grep output, I do not show that

[25.11-RELEASE][admin@sg4860.home.arpa]/: ps -A | grep syslogd:
95527  -  I        0:00.00 syslogd: syslogd.casper (syslogd)
96345  -  Is       0:00.00 syslogd: system.net (syslogd)
57157  0  S+       0:00.00 grep syslogd:
[25.11-RELEASE][admin@sg4860.home.arpa]/:

Reply to block rules not logging on Wed, 24 Dec 2025 21:10:04 GMT

tinfoilmatt — Wed, 24 Dec 2025 21:10:04 GMT

@beatvjiking There's a checkbox, "Show raw filter logs", on the logs settings page. I was suggesting you try that, and only because you got me thinking about the relationship between system logging and syslogd (something I hadn't previously considered).

We're both learning here! lol

Reply to block rules not logging on Wed, 24 Dec 2025 20:35:55 GMT

beatvjiking — Wed, 24 Dec 2025 20:35:55 GMT

@tinfoilmatt Switched to syslog (the RFC5424 option, I assume), saved, reset the logs, saved, and unfortunately no go.

/var/etc/syslog.d/pfSense.conf contents - it looks like it probably should from what I can tell:

# Automatically generated, do not edit!
!*
auth.*;authpriv.*                                       /var/log/auth.log
!radvd
*.err                                                           /var/log/routing.log
!routed,zebra,ospfd,ospf6d,bgpd,watchfrr,miniupnpd,igmpproxy
*.*                                                                     /var/log/routing.log
!ntp,ntpd,ntpdate
*.*                                                                     /var/log/ntpd.log
!ppp
*.*                                                                     /var/log/ppp.log
!poes
*.*                                                                     /var/log/poes.log
!l2tps
*.*                                                                     /var/log/l2tps.log
!charon,ipsec_starter
*.*                                                                     /var/log/ipsec.log
!openvpn
*.*                                                                     /var/log/openvpn.log
!dpinger
*.*                                                                     /var/log/gateways.log
!dnsmasq,named,filterdns,unbound
*.*                                                                     /var/log/resolver.log
!dhcpd,dhcrelay,dhclient,dhcp6c,dhcpleases,dhcpleases6,kea2fib6,kea2unbound,kea-dhcp4,kea-dhcp6
*.*                                                                     /var/log/dhcpd.log
!hostapd
*.*                                                             /var/log/wireless.log
!filterlog
*.*                                                             /var/log/filter.log
!logportalauth
*.*                                                             /var/log/portalauth.log
!watchdogd
*.*                                                             /var/log/watchdogd.log
!-bgpd,charon,dhclient,dhcp6c,dhcpd,dhcrelay,dnsmasq,dpinger,filterdns,filterlog,hostapd,igmpproxy,ipsec_starter,kea-dhcp4,kea-dhcp6,unbound,kea2fib6,kea2unbound,l2tps,miniupnpd,named,ntp,ntpd,ntpdate,openvpn,ospf6d,ospfd,poes,radvd,routed,watchfrr,zebra
local3.*                                                        /var/log/vpn.log
local5.*                                                        /var/log/nginx.log
*.notice;kern.debug;lpr.info;mail.crit;daemon.none;news.err;local0.none;local3.none;local4.none;local7.none;security.*;auth.info;authpriv.info;daemon.info      /var/log/system.log
*.emerg                                                         *
!*
:msg, startswith, "if_pppoe: "
*.*                                                             /var/log/ppp.log
:*

Reply to block rules not logging on Wed, 24 Dec 2025 20:17:40 GMT

tinfoilmatt — Wed, 24 Dec 2025 20:17:40 GMT

@beatvjiking Try flipping on raw logs. Reset log files again after doing so (i.e., two separate saves).

/var/etc/syslog.d/pfSense.conf looks intact?

Reply to block rules not logging on Wed, 24 Dec 2025 19:52:07 GMT

beatvjiking — Wed, 24 Dec 2025 19:52:07 GMT

@tinfoilmatt Services shows syslogd running - it's generating logs for itself and other services on the machine. If I had to guess I'd say there has to be something going on with the interaction between filterlog and syslogd, but that's a part of the OS I don't have a lot of familiarity with in FreeBSD. I also don't know how any configuration options in pfSense would mess with that.

ps -A | grep syslogd:

69461  -  SCs      0:00.90 /usr/sbin/syslogd -O rfc3164 -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf
72847  -  I        0:00.01 syslogd: syslogd.casper (syslogd)
73151  -  Is       0:00.00 syslogd: system.net (syslogd)
68064  1  S+       0:00.00 grep syslogd

Reply to block rules not logging on Wed, 24 Dec 2025 19:36:08 GMT

tinfoilmatt — Wed, 24 Dec 2025 19:36:08 GMT

@beatvjiking Does Status / Services show syslogd running? Output of ps -A | grep syslogd?

Reply to block rules not logging on Wed, 24 Dec 2025 17:10:56 GMT

beatvjiking — Wed, 24 Dec 2025 17:10:56 GMT

@tinfoilmatt no syslog-ng, no sending logs anywhere else. No exotic partitioning, just the default installer ZFS setup. Nothing weird with NAT. Some of the other affected machines are in failover pairs and NAT through their virtual CARP-managed IP, but there's nothing of that sort going on here.

Reply to block rules not logging on Wed, 24 Dec 2025 17:07:18 GMT

SteveITS — Wed, 24 Dec 2025 17:07:18 GMT

it’s extreme but maybe set one to defaults temporarily and check. If it works compare config files. If not then it seems something on the router(s)…reinstall?

Reply to block rules not logging on Wed, 24 Dec 2025 17:04:23 GMT

tinfoilmatt — Wed, 24 Dec 2025 17:04:23 GMT

@beatvjiking I'm perplexed—further confounded only by you seeing this on multiple systems.

No syslog-ng install or otherwsie any log shipping or anything?

Big system disk. No exotic partitioning? Exotic ZFS config?

You already confirmed no RAM disk.

Ruleset looks fine (if not exceedingly straightfoward).

Are you doing anything particular with NAT?

Reply to block rules not logging on Wed, 24 Dec 2025 16:36:48 GMT

beatvjiking — Wed, 24 Dec 2025 16:36:48 GMT

@tinfoilmatt the other machines are running pfSense+ 25.11 but running on a variety of hardware. There are some roll-your-own machines, some 8200s, 7100s, 1537s, etc. The other Netgate hardware isn't altered from factory.

By "removing the state limiter" I meant removing the advanced rule option to limit states per device on the default allow. I normally add it to prevent resource exhaustion at the firewall, but wondered if adding it interfered with logging, so I removed it. It didn't change anything.