Hello!
I've built a 'transparent' firewall to allow access to all superLAN resources while preventing unexpected traffic to the subLAN clients. This generally works as expected except when trying to allow superLAN clients to subLAN resources.
Creating a firewall rule allowing opt0 80/TCP traffic successfully allows inbound TCP SYN to the server. However, the server's return SYN-ACKs simply disappear inside OPNsense.
As a workaround, to prevent the SYN-ACKs from disappearing, the opt0 80/TCP allow rule can have its State Type changed to either none or synproxy. Why does the default keep state setting fail?
Moving the rule from the opt0 interface to the floating tab and leaving the default 'keep state' setting also works as expected.
I'm hoping that the experts here can help me understand why these settings work or don't work. Thanks!
A few config details:
em0 -> opt0
em1 -> opt1
bridge0 (members opt0, opt1) -> bridge0
Firewall rule opt1 allow all.
net.link.bridge.pfil_local_phys == 1
net.link.bridge.pfil_member == 1
net.link.bridge.pfil_bridge == 0
If you create a bridge, you'd better use only floating rules. Otherwise you have to allow the traffic on both interfaces.
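For readers who want to see the two layouts mimugmail contrasts side by side, here is an added pf.conf sketch (not posted by anyone in the thread, and not OPNsense's generated ruleset). It reuses the interface names from the original post (em0 = opt0 on the server side, em1 = opt1 on the client side); the server address is a placeholder, and the bridge sysctls are assumed to be the ones the poster listed (pfil_member=1, pfil_bridge=0, so filtering happens on the member interfaces rather than on bridge0).

```pf
# Added example, not from the thread. Assumes em0 (opt0) faces the subLAN
# server and em1 (opt1) faces the superLAN clients, bridged via bridge0 with
# net.link.bridge.pfil_member=1 and net.link.bridge.pfil_bridge=0, i.e. pf
# evaluates each packet on every member interface it crosses, not on bridge0.
sub_if   = "em0"
super_if = "em1"
web_srv  = "192.0.2.10"   # placeholder address for the HTTP server behind em0

set skip on lo0

# --- Layout A: interface-bound rules (the original poster's first attempt) ---
# A client-to-server packet is seen on em1 and again on em0, so it has to be
# passed on BOTH member interfaces; a rule bound to only one of them is not
# enough. This is the "allow the traffic on both interfaces" case.
pass quick on $super_if keep state
pass quick on $sub_if proto tcp to $web_srv port 80 keep state
block on $sub_if

# --- Layout B: a floating rule (mimugmail's recommendation) ---
# No "on <interface>" clause: the same rule matches the flow on whichever
# member interface pf happens to evaluate it, so the whole path is covered by
# one rule. In the OPNsense GUI this is a rule on the "Floating" tab.
pass quick proto tcp to $web_srv port 80 keep state
```

Load either layout with `pfctl -nf` first to syntax-check it before `pfctl -f`; with a bridge, `pfctl -ss` is the quickest way to see on which member interface a given TCP state was created.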
Quote from: mimugmail on January 02, 2021, 06:55:07 AM
Otherwise you have to allow the traffic in both interfaces
Indeed, this is why this was a bit of a head-scratcher for me. I thought I had sufficient rules on opt1 to always pass traffic (and I did), but those rules seemed to mess with state on associated opt0 traffic in a way that I don't quite understand.
I changed the opt1 allow all rule's State Type to none and returned the opt0 specific allow rules to the default state behavior. All works as expected. Thanks for bantering with me to help find more sane rules.