  • OPNsense Forum »
  • Archive »
  • 18.1 Legacy Series »
  • random denies by Default deny rule after upgrading

Author Topic: random denies by Default deny rule after upgrading  (Read 5156 times)

telskamp

  • Newbie
  • *
  • Posts: 1
  • Karma: 0
    • View Profile
random denies by Default deny rule after upgrading
« on: May 01, 2018, 11:39:49 am »
Hey guys,

Since I updated my OPNsense to the latest stable 18.1.6, it seems about 1/3 of all traffic headed for the internet is blocked by the default deny rule.

I have just one simple rule on my LAN interface allowing everything from my LAN subnet to any destination using any protocol.
2/3 of the traffic hits this rule and is NATed perfectly to the internet; the other 1/3 just hits the default deny rule.

I cannot seem to figure out the difference in the traffic that causes it. Hosts on my LAN are able to load most webpages and ping most IPs, but for reasons unknown to me some destinations are blocked by the default rule.

Some logs from blocked traffic:
May 1 12:21:28   filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,24069,0,DF,6,tcp,52,192.168.2.62,216.58.212.238,46327,443,0,FA,235370830,407495185,796,,nop;nop;TS
May 1 12:21:28   filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,30129,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
May 1 12:21:26   filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,30128,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
May 1 12:21:26   filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,30127,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
May 1 12:21:26   filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,30126,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
May 1 12:21:22   filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,743,0,DF,6,tcp,83,192.168.1.201,172.217.17.138,55932,443,31,PA,3166355573:3166355604,738522861,1428,,nop;nop;TS

Please let me know if you need further info

[EDIT]

After further investigation it seems only 1/3 of TCP traffic is blocked; UDP and ICMP are never blocked.

« Last Edit: May 01, 2018, 12:29:26 pm by telskamp »
Logged

guest15389

  • Guest
Re: random denies by Default deny rule after upgrading
« Reply #1 on: May 03, 2018, 04:37:57 pm »
I'm assuming you didn't change it, but what's your firewall optimization set up as?

If it's TCP, it sounds like it's blocking connections based on that.
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 13624
  • Karma: 1172
    • View Profile
Re: random denies by Default deny rule after upgrading
« Reply #2 on: May 03, 2018, 09:13:47 pm »
Default deny means your traffic is leaking and state tracking will prevent connectivity, either through asymmetric routing (one side has no traffic) or repeated packets on the same link.

You can diagnose this by setting your default LAN allow rule to "sloppy" or "none" in state tracking under advanced options.
Cheers,
Franco
Logged
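The filterlog lines in the first post and Franco's explanation point at the same check a defender would run before touching any rule: are the packets hitting the default deny rule fresh connection attempts (SYN set), or mid-stream segments (FIN/ACK, PUSH/ACK) for which the firewall simply holds no state? The following is an added example, not code from the thread or from the OPNsense project; it parses the posted lines using the IPv4/TCP column order of the pf filterlog CSV format as I understand it (an assumption, not restated on the page), and appends one constructed "pass" line with a SYN to show the contrast. Rule number, addresses and sequence numbers in that constructed line are placeholders.

```python
import csv
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the six blocked lines posted in the thread, plus one
# line made up for this example (rule number, destination and sequence numbers
# are placeholders) showing a fresh SYN that matched an allow rule.
SAMPLE_LOG = """\
May 1 12:21:28   filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,24069,0,DF,6,tcp,52,192.168.2.62,216.58.212.238,46327,443,0,FA,235370830,407495185,796,,nop;nop;TS
May 1 12:21:28   filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,30129,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
May 1 12:21:26   filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,30128,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
May 1 12:21:26   filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,30127,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
May 1 12:21:26   filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,30126,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
May 1 12:21:22   filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,743,0,DF,6,tcp,83,192.168.1.201,172.217.17.138,55932,443,31,PA,3166355573:3166355604,738522861,1428,,nop;nop;TS
May 1 12:21:30   filterlog: 99,,,0,em0,match,pass,in,4,0x0,,64,4242,0,DF,6,tcp,60,192.168.2.62,192.0.2.10,51000,443,0,S,1000,0,65535,,mss;nop;wscale
"""

# Syslog prefix ("May 1 12:21:28   filterlog: ") followed by the CSV payload.
PREFIX_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+filterlog:\s+(?P<csv>.*)$")


@dataclass
class FilterLogEntry:
    timestamp: str
    rulenr: str
    interface: str
    action: str      # "block" or "pass"
    direction: str   # "in" or "out"
    proto: str       # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    tcp_flags: str   # pf flag letters, e.g. "S", "FA", "PA"; empty for non-TCP


def parse_filterlog_line(line: str) -> Optional[FilterLogEntry]:
    """Parse one IPv4 filterlog line; returns None for anything else.

    Assumed column order (common part): rulenr, subrulenr, anchor, label,
    interface, reason, action, direction, ipversion.
    IPv4 part: tos, ecn, ttl, id, offset, ipflags, protoid, protoname, length,
    src, dst.  TCP/UDP part: sport, dport, datalen, then for TCP: flags, seq,
    ack, window, urg, options.
    """
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    fields = next(csv.reader([m.group("csv")]))
    if len(fields) < 20 or fields[8] != "4":
        return None  # IPv6 uses a different layout; not handled here
    proto = fields[16]
    sport = dport = None
    flags = ""
    if proto in ("tcp", "udp") and len(fields) >= 22:
        sport, dport = int(fields[20]), int(fields[21])
    if proto == "tcp" and len(fields) >= 24:
        flags = fields[23]
    return FilterLogEntry(m.group("ts"), fields[0], fields[4], fields[6], fields[7],
                          proto, fields[18], fields[19], sport, dport, flags)


def is_midstream_tcp(e: FilterLogEntry) -> bool:
    """A TCP segment without SYN belongs to an already-established connection.
    If the firewall blocks it, it has no state entry for that flow, which is the
    symptom Franco describes (asymmetric path or duplicated packets), not a
    rule-ordering problem."""
    return e.proto == "tcp" and "S" not in e.tcp_flags


def summarize(log_text: str) -> Dict[str, object]:
    entries: List[FilterLogEntry] = [
        e for e in (parse_filterlog_line(l) for l in log_text.splitlines()) if e
    ]
    blocked = [e for e in entries if e.action == "block"]
    midstream = [e for e in blocked if is_midstream_tcp(e)]
    per_proto: Dict[str, int] = {}
    for e in blocked:
        per_proto[e.proto] = per_proto.get(e.proto, 0) + 1
    # Distinct 4-tuples whose established connections lost their state.
    flows = sorted({(e.src, e.sport, e.dst, e.dport) for e in midstream})
    return {
        "parsed": len(entries),
        "blocked": len(blocked),
        "blocked_by_proto": per_proto,
        "midstream_tcp_blocks": len(midstream),
        "affected_flows": flows,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the posted lines, every blocked packet carries FA or PA and none carries S, and all of them are port-443 flows that had clearly been established before: that is the state-tracking signature rather than a policy mismatch, which is why relaxing state tracking on the LAN allow rule is a sensible diagnostic step and why UDP and ICMP, which pf tracks far more loosely, are unaffected.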
