Today my opnsense started to act strangely. I have three local interfaces in my system (LAN,TLAN,IOT), with their fw rules and two groups, one that includes all the networks (ALL_LOCAL) and other that only includes user networks (INT).
I have observed the following:
- The rules in my system are not executing in the correct order. And depending on the alias names or group names, they stop working altogether.
- The fw log mixes information of two rules in one line. This is the more apparent and easy to see.
- The fw is blocking (is not processing all the rules until the default block) now and then for internet requests, that are valid.
In the capture you can see that the "allow" hits, that come from my "Allow multicast" rules, show in the description the text for the default WAN block rule. ??
Then in the second capture, by the time I wrote the message, descriptions have changed, but still from other rule. This time a NAT forward one.
Then sometimes, blocks some traffic to internet to some devices, It's normal HTTP/HTTPS traffic. I'll add a screenshot as it happens.
I've rebooted and still does this. What I can do? It is a totally mess.
In this screenshot, the fw blocking by it's own internet requests of my phone. Before and after multicast rule hits with their correct descriptions.
I should explain what I meant with the point #1 above. If I go to alias, and change the name for an alias, something totally unrelated, even rules in other network stops working. I saw that when I changed the name for a port alias, the igmp rules in IOT network stopped working completely and started to show the blocks in the log. After finding the offending alias (some other where changed but didn't affect) and restoring it's wrong name, the unrelated rules started to work again.
Does that make sense?
Also, for some rules, I deactivated logging, but they still appear in the logs.
In the attached screenshot, you can observe that there are blocks for icmp for what I have defined a rule in a group that includes this network:
Protocol Source Port Destination Port Gateway Schedule Description
IPv4 ICMP INT net * INT net * * * [INT] Allow ICMP
Now I've deleted the multicast rules, and I can see in the logs that still it's allowing that traffic with a description that says "allow SMS shares on NAS" that it's the following rule after the deleted ones. I suspected configuration corruption, but I've exported and re-imported and makes the same.
That's scary.