Hello,
Actually I am a little lost, as I don't understand why the FW is dropping allowed connections.
For the setup I need to use double NAT (PAT), as in front of the FW there is another router. But this should not be a big problem, as it worked before as well. Also, not all connections are dropped. So basically this is why I'm a little lost.
NAT_1 on Router
Router: 192.168.175.1
Port: 20558
To: 192.168.175.2 (OPNsense FW)
NAT_2 on FW
FW_WAN_Interface: 192.168.175.2
Port: 20558
FW_DMZ_Interface: 172.19.255.1
Server_in_DMZ_Subnet: 172.19.255.50
pfctl -sn | grep 20558
rdr on igb0 inet proto tcp from any to (igb0) port = 20558 -> <172.19.255.50> port 20558 round-robin
FW Rule:
pfctl -sr | grep 20558
pass in quick on igb0 reply-to (igb0 192.168.175.1) inet proto tcp from any to <172.19.255.50> port = 20558 flags S/SA keep state label "xyz"
FW Logs:
filterlog[3546]: 14,,,xyz,igb0,match,block,in,4,0x0,,60,25470,0,DF,6,tcp,588,IP.IP.IP.IP,172.19.255.50,43880,20558,536,PA,xyz:xyz,xyz,xyz,,nop;nop;TS
Any ideas why this could have been blocked?
cheers
fastboot
Bump
anyone plz?
Hi
Quote: 14,,,xyz,igb0,match,block,in,4,0x0,,60,25470,0,DF,6,tcp,588,IP.IP.IP.IP,172.19.255.50,43880,20558,536,PA,xyz:xyz,xyz,xyz,,nop;nop;TS
PSH, ACK flags are not allowed to create state ("...flags S/SA keep state...").
If all works then it's good.
(https://forum.opnsense.org/index.php?topic=20219.0)
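To check this kind of log line systematically, here is an added example (not from the thread or from OPNsense): it parses a filterlog IPv4/TCP record and applies the pf "flags S/SA" rule semantics to the logged TCP flags. The source address in the sample is a constructed documentation address standing in for the redacted IP.IP.IP.IP.

```python
import csv
from io import StringIO

# Field names of an OPNsense filterlog IPv4 TCP record (the common 20 fields
# followed by the 9 TCP-specific ones).
FIELDS = ("rulenr subrulenr anchor label iface reason action dir ipver tos ecn ttl "
          "id offset ipflags protonum proto length src dst "
          "sport dport datalen tcpflags seq ack window urg options").split()

# Constructed sample: the blocked line from the thread, with the redacted
# source address replaced by a documentation address (203.0.113.10).
SAMPLE = ("14,,,xyz,igb0,match,block,in,4,0x0,,60,25470,0,DF,6,tcp,588,"
          "203.0.113.10,172.19.255.50,43880,20558,536,PA,xyz:xyz,xyz,xyz,,nop;nop;TS")

def parse_filterlog(line):
    """Split one filterlog CSV line into a dict; only IPv4/TCP is handled here."""
    values = next(csv.reader(StringIO(line)))
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, values))

def can_create_state(tcpflags, rule_flags="S/SA"):
    """Apply pf 'flags <set>/<mask>' semantics: every flag in the mask must be
    set exactly when it appears in the set; flags outside the mask are ignored.
    Filterlog uses the letters S,A,P,F,R,U,E,W for SYN,ACK,PSH,FIN,RST,URG,ECE,CWR."""
    wanted, mask = rule_flags.split("/")
    return all((f in tcpflags) == (f in wanted) for f in mask)

def explain_block(line, rule_flags="S/SA"):
    """Return (tcpflags, state_ok) for a logged packet: a 'block' on a port that a
    pass rule covers is expected when the packet could not have created state."""
    rec = parse_filterlog(line)
    if rec["proto"] != "tcp":
        raise ValueError("only TCP records carry flags")
    return rec["tcpflags"], can_create_state(rec["tcpflags"], rule_flags)

if __name__ == "__main__":
    flags, ok = explain_block(SAMPLE)
    print(f"flags={flags} can_create_state={ok}")  # PA -> False (mid-stream packet)
```

A packet that fails this check is not a rule mismatch but a segment of a connection the firewall has no state for (for example after a state timeout or a reboot), which is why the pass rule's label appears on a block entry.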
Hello @Fright,
So it's something wrong with the flags in the IP header, which is why the FW drops it.
I will dig into the deep of that. Thanks for the kick in the right direction! :)
Cheers
FB