OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: eknowlton on August 26, 2022, 03:59:26 PM

Title: [SOLVED] Default Deny / State Violation
Post by: eknowlton on August 26, 2022, 03:59:26 PM
Having a really hard time figuring this out.

I have a setup...

OPNsense -> TP-Link Managed Switch -> Proxmox VE Server -> Ubuntu VM (w/ nginx on port 80)


Proxmox VE : 192.168.1.89
My Laptop: 192.168.1.104
Ubuntu VM: 192.168.1.50

Every time I try to hit the server (Ubuntu VM) from the same network (LAN), the OPNsense firewall seems to block it. It poses two questions to me...

- Why doesn't the switch handle the request and bypass the OPNsense box?
- Why does OPNsense block this, even though I have a rule to allow it and it is set to bypass rules on the same interface?

Any help would be greatly appreciated. Will post more settings if needed.


Title: Re: Default Deny / State Violation
Post by: Patrick M. Hausen on August 26, 2022, 04:17:18 PM
What are the netmasks for these IP addresses on your Laptop and the Ubuntu server?
Title: Re: Default Deny / State Violation
Post by: eknowlton on August 26, 2022, 04:56:14 PM
My laptop is 192.168.1.104/24

The Ubuntu server is 192.168.1.50/32 <-- I just changed this to /24 and it works.

Hmm... I don't know enough about this, but this is why I'm building it.
Would love resources to learn about this issue I just had.

Thanks
Title: Re: Default Deny / State Violation
Post by: Patrick M. Hausen on August 26, 2022, 05:10:49 PM
OK, so what does the netmask do ...?

The laptop is 192.168.1.104 and the server is 192.168.1.50. The laptop wants to initiate a connection to the server.

The most important thing in IP in simple LANs like this is that it is the sending station that is responsible for deciding whether
* the destination address is local or
* the destination address can only be reached via some router

In most simple LANs there is only one router - the default gateway.

So how does your laptop decide where the destination is located? It does a bitwise AND operation of its own source address and the netmask, and a bitwise AND operation of the destination address and its own netmask.

192.168.1.104 AND 255.255.255.0 (24 consecutive "1" bits followed by 8 "0" bits) = 192.168.1.0
192.168.1.50 AND 255.255.255.0 = 192.168.1.0

Both results are identical, so the destination must be local. The laptop uses a protocol named ARP to find the "hardware address" of the server, but let's just leave it here. The key point is there is no router involved.

Now the server wants to send an answer back - it goes through the same decision process using its own netmask!

192.168.1.50 AND 255.255.255.255 (32 consecutive "1" bits) = 192.168.1.50
192.168.1.104 AND 255.255.255.255 = 192.168.1.104

Oops! They don't match. I need to send the packet to my router, i.e. OPNsense.

OPNsense sees a reply packet for which it has not seen the initial one in the other direction and decides "State violation! Bad server!"

That's why it's so important that the netmasks of all devices in one LAN match.

HTH,
Patrick
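The decision process Patrick describes, and the resulting out-of-state reply at the firewall, as an added worked example (this is not code from the original thread or from OPNsense). It ANDs each address with the sender's own netmask, picks the next hop from that comparison, and runs both legs of the laptop-to-server connection through a toy state table that behaves like a stateful firewall: a packet that opens a connection creates state, and a packet in the reverse direction passes only if matching state exists. The gateway address 192.168.1.1 and the laptop's source port 50000 are assumptions chosen for illustration; the /32 and /24 cases are the ones from the thread.

```python
import ipaddress


def anded(ip: str, prefix_len: int) -> str:
    """Bitwise AND of an address with a prefix-length netmask, as dotted quad."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(ip)) & mask))


def is_local(own_ip: str, own_prefix_len: int, dst_ip: str) -> bool:
    """Sending-station decision: both addresses are ANDed with the SENDER's mask.
    The destination's own mask is never consulted; the sender cannot know it."""
    return anded(own_ip, own_prefix_len) == anded(dst_ip, own_prefix_len)


def next_hop(own_ip: str, own_prefix_len: int, dst_ip: str, gateway: str) -> str:
    """Deliver directly (ARP for dst) if local, otherwise hand off to the default gateway."""
    return dst_ip if is_local(own_ip, own_prefix_len, dst_ip) else gateway


class StatefulFirewall:
    """Toy state table. A connection-opening packet creates state; any other
    packet passes only if state for the reverse direction already exists."""

    def __init__(self) -> None:
        self.states: set[tuple[str, int, str, int]] = set()

    def filter(self, src: str, sport: int, dst: str, dport: int, opens: bool) -> str:
        key = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        if opens:
            self.states.add(key)
            return "pass"
        if reverse in self.states:
            return "pass"
        # Reply-shaped packet for a connection the firewall never saw open:
        # this is what shows up in the log as the default deny / state violation.
        return "block (state violation)"


def simulate(server_prefix_len: int) -> list[tuple[str, str]]:
    """Run laptop -> server request and server -> laptop reply, returning who
    sent each packet where and what the firewall did with anything it saw."""
    laptop, server = "192.168.1.104", "192.168.1.50"
    gateway = "192.168.1.1"  # assumed OPNsense LAN address, not from the thread
    laptop_port, server_port = 50000, 80  # assumed ephemeral port; nginx on 80
    fw = StatefulFirewall()
    events: list[tuple[str, str]] = []

    # Leg 1: laptop (/24) decides the server is local and sends directly via the switch.
    hop = next_hop(laptop, 24, server, gateway)
    events.append(("laptop", hop))
    if hop == gateway:
        events.append(("firewall", fw.filter(laptop, laptop_port, server, server_port, opens=True)))

    # Leg 2: the server decides using ITS mask. With /32 nothing is local, so the
    # reply goes to the gateway, which has no state for this connection.
    hop = next_hop(server, server_prefix_len, laptop, gateway)
    events.append(("server", hop))
    if hop == gateway:
        events.append(("firewall", fw.filter(server, server_port, laptop, laptop_port, opens=False)))
    return events


if __name__ == "__main__":
    print("server /32:", simulate(32))
    print("server /24:", simulate(24))
```

With the server on /32 the trace ends in a firewall block even though the laptop's request never touched OPNsense, which is exactly why an allow rule on LAN did not help: the firewall only ever saw half the conversation. With /24 neither packet reaches the firewall at all. A quick check on a real host is to compare the prefix length in `ip -4 addr` (Linux) or `ipconfig` (Windows) across every machine on the segment; they should all agree.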