OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: TheForumTroll on December 15, 2021, 04:52:50 AM

Title: Blocked by Default Deny... but there's a Default Allow rule
Post by: TheForumTroll on December 15, 2021, 04:52:50 AM
Hi all  :)

I'm confused about what is going on here, and I'm sorry if I'm missing something obvious. If you look at the screenshots attached you'll see there's a default allow rule that allows all IPv4 traffic (rule 11), but I still get blocked by a default block rule (rule 12). Is it because of some TCP flag or something? Because HTTPS works fine, while Netflix speedtest at port 443 gets blocked  ???
Title: Re: Blocked by Default Deny... but there's a Default Allow rule
Post by: Greelan on December 15, 2021, 05:59:30 AM
You've masked so much it's hard to make out what your rules are. What interface are the rules configured on?
Title: Re: Blocked by Default Deny... but there's a Default Allow rule
Post by: franco on December 15, 2021, 09:10:40 AM
TCP flag is Fin/Push/Ack, so you got a block on a connection termination, which may be a retransmission, as the state appears to be either mismatching or already gone (you can't start a TCP session with a Fin, after all).

How theoretical is this example? Did you have any issue with a particular service?


Cheers,
Franco
Title: Re: Blocked by Default Deny... but there's a Default Allow rule
Post by: TheForumTroll on December 15, 2021, 10:18:35 PM
Quote from: Greelan on December 15, 2021, 05:59:30 AM
You've masked so much it's hard to make out what your rules are. What interface are the rules configured on?

The masked out rules are simply "block from this LAN to another LAN" - one rule per LAN/VLAN. I will attach new screenshots with changed names for privacy  :)

Quote from: franco on December 15, 2021, 09:10:40 AM
How theoretical is this example? Did you have any issue with a particular service?

Yes, for example Netflix's speedtest doesn't run unless I try multiple times, and websites don't always load (the browser just hangs). It isn't just a single block but a log full of them (see new screenshots - filtered on just one device (Android phone)). I also have trouble watching old movies that would stream fine from Plex before I switched to OPNsense (using the same hardware) - it buffers constantly (edit: but that is likely unrelated to this, as it is on another LAN/interface).
Title: Re: Blocked by Default Deny... but there's a Default Allow rule
Post by: Greelan on December 15, 2021, 10:20:27 PM
You still haven't said what interface these rules are on.
Title: Re: Blocked by Default Deny... but there's a Default Allow rule
Post by: TheForumTroll on December 15, 2021, 10:24:19 PM
Quote from: Greelan on December 15, 2021, 10:20:27 PM
You still haven't said what interface these rules are on

They are on the interface shown blocking in the log. VLAN123 - 192.168.123.x
Title: Re: Blocked by Default Deny... but there's a Default Allow rule
Post by: TheForumTroll on December 16, 2021, 03:47:19 AM
I have deleted every single rule on all interfaces and created Default Allow rules on all of them. No difference.
Title: Re: Blocked by Default Deny... but there's a Default Allow rule
Post by: franco on December 16, 2021, 07:36:28 AM
I would recommend a packet capture on VLAN123. When looking at the PCAP in Wireshark it will probably show retransmissions / out of sequence packets in the flow you're looking for.

The issue is just that: something in your network creates a situation where packets hit the firewall in a wrong order or are being duplicated.

To be frank you can very likely solve this by adding a STATELESS pass rule for your VLAN123 traffic so that the state tracking will not kick you into the default deny rule when the states are messed up, but in general that only means the problem described earlier is very much true.

And don't take this lightly, because the situation can decrease your overall network performance, shorten the battery lifetime of attached devices, or cause switches to malfunction, among other things.


Cheers,
Franco
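As an added illustration of the flag reasoning in franco's two replies above (this is example code written for this edit, not code from the thread or from OPNsense), the following Python sorts filterlog "block" entries by their TCP flags: a blocked SYN is a policy outcome of rule order, whereas ACK/FIN/PSH/RST packets without SYN, like the Fin/Push/Ack hit in the original post, are mid- or end-of-flow packets that found no matching state, which is the retransmission / state-gone situation being described. Repeated out-of-state hits on the same 4-tuple are the flows worth looking at in a packet capture. The comma-separated field layout, the field names and the sample log lines are assumptions constructed for this example; check them against your own Firewall > Log Files > Plain View output before relying on the positions.

```python
"""Classify OPNsense-style filterlog block entries by TCP flags.

Added example, not OPNsense code.  It assumes the comma-separated filterlog
layout for IPv4 entries (common fields, then IPv4 fields, then per-protocol
fields); the positions below are an assumption of this example.
"""
import csv
from collections import Counter

# Assumed field layout (not taken from the thread).
COMMON = ["rulenr", "subrulenr", "anchor", "rid", "interface", "reason",
          "action", "dir", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "ipflags", "proto_id", "proto",
        "length", "src", "dst"]
TCP = ["srcport", "dstport", "datalen", "tcpflags", "seq", "ack", "window",
       "urg", "options"]
UDP = ["srcport", "dstport", "datalen"]

# Constructed sample lines: one VLAN client, a terminated HTTPS flow whose
# tail packets (FPA, A, R) hit the default deny, a SYN to port 22 blocked by
# policy, a passed SYN, and a blocked mDNS packet.
SAMPLE_LOG = """\
12,,,0,vlan0.123,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,52,192.168.123.20,198.51.100.10,51234,443,0,FPA,1234567,7654321,501,,
12,,,0,vlan0.123,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,52,192.168.123.20,198.51.100.10,51234,443,0,A,1234568,7654321,501,,
12,,,0,vlan0.123,match,block,in,4,0x0,,64,12347,0,DF,6,tcp,60,192.168.123.20,198.51.100.11,51300,22,0,S,99,0,64240,,mss;sackOK
11,,,0,vlan0.123,match,pass,in,4,0x0,,64,12348,0,DF,6,tcp,60,192.168.123.20,198.51.100.10,51235,443,0,S,100,0,64240,,mss
12,,,0,vlan0.123,match,block,in,4,0x0,,64,12349,0,DF,6,tcp,40,192.168.123.20,198.51.100.10,51234,443,0,R,1234569,0,0,,
12,,,0,vlan0.123,match,block,in,4,0x0,,255,12350,0,DF,17,udp,78,192.168.123.20,192.168.123.1,5353,5353,58
"""


def parse_line(line):
    """Return a dict of named fields, or None for lines the layout doesn't cover."""
    if "filterlog" in line:                      # strip a syslog prefix if present
        line = line.split(": ", 1)[-1]
    fields = next(csv.reader([line.strip()]))
    if len(fields) < len(COMMON) + len(IPV4) or fields[8] != "4":
        return None                              # only IPv4 handled here
    names = COMMON + IPV4
    proto = fields[len(COMMON) + IPV4.index("proto")]
    if proto == "tcp":
        names = names + TCP
    elif proto == "udp":
        names = names + UDP
    entry = {name: "" for name in names}         # missing trailing fields -> ""
    entry.update(zip(names, fields))
    return entry


def classify(entry):
    """Why did a block rule see this packet?"""
    if entry["proto"] != "tcp":
        return "non-tcp"
    flags = entry["tcpflags"]
    if "S" in flags and "A" not in flags:
        return "new-connection"                  # SYN: plain policy decision
    # ACK/FIN/PSH/RST without SYN: a packet from an existing flow that found
    # no state entry (state already torn down, retransmitted or out of order).
    return "out-of-state"


def summarize(log_text):
    """Count blocked entries per category and out-of-state hits per 4-tuple."""
    counts, flows = Counter(), Counter()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None or entry["action"] != "block":
            continue
        kind = classify(entry)
        counts[kind] += 1
        if kind == "out-of-state":
            key = (entry["src"], entry["srcport"], entry["dst"], entry["dstport"])
            flows[key] += 1
    return counts, flows


if __name__ == "__main__":
    counts, flows = summarize(SAMPLE_LOG)
    print("blocked by category:", dict(counts))
    for flow, n in flows.most_common(3):
        print("out-of-state hits %d on %s:%s -> %s:%s" % ((n,) + flow))
    if counts["out-of-state"] > counts["new-connection"]:
        print("mostly state mismatches: capture on the interface and look for "
              "retransmissions / out-of-order segments in those flows")
```

Run it against a saved log (`python3 classify_blocks.py < filter.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`); if the out-of-state category dominates and the same flows recur, that is the pattern franco describes, and a stateless pass rule hides the symptom without fixing the cause.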