OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: badchipmunk on November 14, 2020, 01:56:07 AM

Title: Blocked traffic on LAN via Default deny rule
Post by: badchipmunk on November 14, 2020, 01:56:07 AM
Hi there. I'm seeing a ton of blocked LAN traffic on my FW, where one thing on my LAN is attempting to talk to another thing on my LAN. I cannot for the life of me understand why this is happening.

__timestamp__   Nov 13 17:54:07
ack   386885594
action    [block]
anchorname   
datalen   0
dir    [in]
dst   192.168.1.52
dstport   55240
ecn   
id   31958
interface   em0
interface_name   lan
ipflags   DF
label   Default deny rule
length   40
offset   0
proto   6
protoname   tcp
reason   match
rid   02f4bab031b57d1e30553ce08e0ec131
ridentifier   0
rulenr   8
seq   
src   192.168.1.5
srcport   443
subrulenr   
tcpflags   A
tcpopts   
tos   0x0
ttl   64
urp   128
version   4
Title: Re: Blocked traffic on LAN via Default deny rule
Post by: Gauss23 on November 14, 2020, 08:55:59 AM
What is your netmask (/24 or 255.255.255.0)?

Just a guess: maybe you configured your switch with port mirroring for some reason?
Title: Re: Blocked traffic on LAN via Default deny rule
Post by: siga75 on November 14, 2020, 10:18:07 AM
Quote from: badchipmunk on November 14, 2020, 01:56:07 AM
Hi there. I'm seeing a ton of blocked LAN traffic on my FW, where one thing on my LAN is attempting to talk to another thing on my LAN. I cannot for the life of me understand why this is happening.

It's maybe an ACK packet for a connection that is not active anymore in the firewall.
Title: Re: Blocked traffic on LAN via Default deny rule
Post by: chemlud on November 14, 2020, 10:29:06 AM
Once-a-month topic: Out-of-state traffic...
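Added example for the two replies above (it is not OPNsense code and not from anyone in this thread): a small Python script that reads block entries in the key/value layout the original post shows and sorts them the way siga75 and chemlud reason, treating a TCP segment that carries ACK/FIN/RST but no SYN and still hits the default deny rule as out-of-state, because pf builds state on the SYN and a later segment with no matching state falls through to the last rule. It assumes the LAN is 192.168.1.0/24 (the thread never states the mask) and runs over constructed sample records; only the first record is the poster's own entry.

```python
"""Sort OPNsense filter-log block entries into out-of-state noise vs. real new flows.

Added example for this thread (not OPNsense code). Input is the key/value layout the
20.7 live view shows for an expanded entry. The LAN prefix 192.168.1.0/24 is assumed.
"""
import ipaddress
import re
from typing import Dict, List

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumption; the thread never states the mask

# Constructed sample. Record 1 is the poster's entry (trimmed to the fields used here);
# records 2 and 3 are made up: a blocked new connection (SYN) and a non-TCP block.
SAMPLE_RECORDS = """\
__timestamp__   Nov 13 17:54:07
action    [block]
dst   192.168.1.52
dstport   55240
label   Default deny rule
protoname   tcp
src   192.168.1.5
srcport   443
tcpflags   A

__timestamp__   Nov 13 17:55:10
action    [block]
dst   192.168.1.52
dstport   22
label   Default deny rule
protoname   tcp
src   10.0.0.9
srcport   51000
tcpflags   S

__timestamp__   Nov 13 17:55:11
action    [block]
dst   192.168.1.255
dstport   137
label   Default deny rule
protoname   udp
src   192.168.1.7
srcport   137
"""

_LINE = re.compile(r"^(\S+)\s*(.*)$")  # key, optional whitespace, value (value may be empty)


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split pasted log text into records; blank lines separate records."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        m = _LINE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def classify(rec: Dict[str, str]) -> str:
    """Return 'pass', 'out-of-state', 'new-connection' or 'other' for one record."""
    if rec.get("action") != "[block]":
        return "pass"
    if rec.get("protoname") != "tcp":
        return "other"
    flags = rec.get("tcpflags", "")
    if "S" in flags:
        return "new-connection"  # pf would create state here; a block is a policy decision
    # ACK/FIN/RST without SYN: no pf state exists for the flow any more (expired, or the
    # firewall never saw the handshake), so the segment falls through to the default deny.
    return "out-of-state" if any(f in flags for f in "AFR") else "other"


def is_intra_lan(rec: Dict[str, str], lan_net=LAN_NET) -> bool:
    """True when both endpoints sit inside the LAN prefix."""
    try:
        return (ipaddress.ip_address(rec["src"]) in lan_net
                and ipaddress.ip_address(rec["dst"]) in lan_net)
    except (KeyError, ValueError):
        return False


def analyze(text: str, lan_net=LAN_NET) -> List[Dict[str, object]]:
    """One summary row per record: time, flow, TCP flags, verdict, LAN-to-LAN marker."""
    rows: List[Dict[str, object]] = []
    for rec in parse_records(text):
        rows.append({
            "time": rec.get("__timestamp__", ""),
            "flow": f'{rec.get("src")}:{rec.get("srcport")} -> {rec.get("dst")}:{rec.get("dstport")}',
            "flags": rec.get("tcpflags") or "-",
            "verdict": classify(rec),
            "intra_lan": is_intra_lan(rec, lan_net),
        })
    return rows


if __name__ == "__main__":
    for row in analyze(SAMPLE_RECORDS):
        tag = "  LAN->LAN" if row["intra_lan"] else ""
        print(f'{row["time"]}  {row["flow"]:<40} flags={row["flags"]:<3} {row["verdict"]}{tag}')
```

The `intra_lan` marker is the part worth looking at for the poster's entry: on a flat /24 a segment from one LAN host to another is switched directly and the firewall's LAN port should never see it, so an out-of-state block between two LAN addresses says something is handing the frame to the firewall (the netmask and port-mirror questions raised above) rather than that a rule is wrong.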
Title: Re: Blocked traffic on LAN via Default deny rule
Post by: badchipmunk on November 14, 2020, 09:42:58 PM
I did have a port mirror set up on a switch which fed to a Security Onion instance,  I disabled that to no avail. In my hunt I also discovered that the MTU I was handing out to my DHCP clients was different than what I had set for my LAN interface, so I set those to be the same, but that didn't seem to do much. Then I went around and just rebooted clients on the network, and that evidently cleared things up. I still see some blocked traffic related to my plex server, but I think that's largely related to the weirdness that needs to be configured to expose that to the interwebs.