OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: canus on February 17, 2023, 04:17:35 PM

Title: Strange blocking of internal traffic
Post by: canus on February 17, 2023, 04:17:35 PM
Hi All,


My OPNsense instance has bizarre behavior. The same connection from a client in the LAN to the server network will be allowed and blocked. I can access the services, but there are a lot of problems, and I see a lot of TCP retransmissions.

Software:
Versions: OPNsense 23.1.1_2-amd64
FreeBSD 13.1-RELEASE-p6
OpenSSL 1.1.1t 7 Feb 2023

Hardware:
NIC: Ethernet Controller E810-XXV for SFP
Driver: Intel ice

Networking:
LAGG Protocol LACP and VLAN on LAGG.

The network 172.23.23.0/24 has full permissions to 172.23.0.0/24.

Firewall: Log Files: Live View:

lan 2023-02-17T16:10:51 172.23.23.23:56295 172.23.0.2:443 tcp Default deny / state violation rule
lan 2023-02-17T16:10:49 172.23.23.23:56295 172.23.0.2:443 tcp Default deny / state violation rule
lan 2023-02-17T16:10:48 172.23.23.23:56317 172.23.0.2:443 tcp Default allow LAN to any rule
lan 2023-02-17T16:10:48 172.23.23.23:56316 172.23.0.2:443 tcp Default allow LAN to any rule
lan 2023-02-17T16:10:48 172.23.23.23:56315 172.23.0.2:443 tcp Default allow LAN to any rule
lan 2023-02-17T16:10:48 172.23.23.23:56314 172.23.0.2:443 tcp Default allow LAN to any rule
lan 2023-02-17T16:10:48 172.23.23.23:56295 172.23.0.2:443 tcp Default deny / state violation rule
lan 2023-02-17T16:10:48 172.23.23.23:56295 172.23.0.2:443 tcp Default deny / state violation rule
lan 2023-02-17T16:10:48 172.23.23.23:56313 172.23.0.2:443 tcp Default allow LAN to any rule
lan 2023-02-17T16:10:47 172.23.23.23:56295 172.23.0.2:443 tcp Default deny / state violation rule
Title: Re: Strange blocking of internal traffic
Post by: axsdenied on February 17, 2023, 08:42:38 PM
Sure it's not a port blocking issue? The log only shows blocks for the origin address with port 56295.
Title: Re: Strange blocking of internal traffic
Post by: canus on February 17, 2023, 09:30:32 PM
Quote from: axsdenied on February 17, 2023, 08:42:38 PM
Sure it's not a port blocking issue? The log only shows blocks for the origin address with port 56295.


Yes, I am pretty sure I did not block that port. It all comes from the rule "Default deny / state violation rule", which is auto-generated and executes last.

It's also only a short sample of the logging. You will see all the allow and block actions like this.
Title: Re: Strange blocking of internal traffic
Post by: zan on February 18, 2023, 08:05:37 AM
Probably out-of-state packets.
What are the TCP flags of the denied packets? If they are FA, RA, FPA, PA and the like, they are just connection-finishing packets that got dropped because they are out of state.
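The check zan suggests, applied to the Live View output posted above, as an added Python example (it is not from the thread, the OPNsense project, or any poster). It parses lines in the shape shown in the first post and groups them per flow (source IP/port, destination IP/port), counting allows and denies. The TCP flags column is an assumption: the lines in the thread do not carry flags, so the constructed sample appends a pf-style flags field (FA, RA, PA, S, ...) after the protocol, and lines without it are still parsed and reported as "needs-flags". The point is to separate two very different things that both log as "Default deny / state violation rule": a SYN that no pass rule matched (a real policy block worth investigating) and FIN/RST/PSH-ACK tail packets arriving after the state was gone (noise that does not explain retransmissions by itself).

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the thread's Live View lines, with an assumed
# extra TCP-flags column between the protocol and the rule name. The last line
# deliberately has no flags column, as in the real thread output.
SAMPLE_LOG = """\
lan 2023-02-17T16:10:47 172.23.23.23:56295 172.23.0.2:443 tcp FA Default deny / state violation rule
lan 2023-02-17T16:10:48 172.23.23.23:56313 172.23.0.2:443 tcp S Default allow LAN to any rule
lan 2023-02-17T16:10:48 172.23.23.23:56295 172.23.0.2:443 tcp PA Default deny / state violation rule
lan 2023-02-17T16:10:48 172.23.23.23:56314 172.23.0.2:443 tcp S Default allow LAN to any rule
lan 2023-02-17T16:10:49 172.23.23.23:56295 172.23.0.2:443 tcp RA Default deny / state violation rule
lan 2023-02-17T16:10:51 172.23.23.23:56400 172.23.0.2:443 tcp S Default deny / state violation rule
lan 2023-02-17T16:10:51 172.23.23.23:56295 172.23.0.2:443 tcp Default deny / state violation rule
"""

# iface timestamp src:sport dst:dport proto [FLAGS] rule-name
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+(?:(?P<flags>[A-Z]+)\s+)?(?P<rule>.+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    # The rule name is the only indication of the verdict in this output.
    rec["action"] = "deny" if "deny" in rec["rule"].lower() else "allow"
    return rec


def classify_deny(flags):
    """Explain a denied TCP packet from its flags.

    A bare SYN (S, no A) is a new connection attempt: if that hit the default
    deny, no pass rule matched it. Anything else (FA, RA, PA, FPA, A, R) is a
    packet belonging to an existing conversation whose state pf no longer has.
    """
    if not flags:
        return "unknown"
    if "S" in flags and "A" not in flags:
        return "new-connection"
    return "out-of-state-teardown"


def summarize(log_text):
    """Group TCP log lines per flow and count allows, denies and deny reasons."""
    flows = defaultdict(
        lambda: {"allow": 0, "deny": 0, "deny_classes": Counter(), "flags": set()}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        flow = flows[key]
        flow[rec["action"]] += 1
        if rec["flags"]:
            flow["flags"].add(rec["flags"])
        if rec["action"] == "deny":
            flow["deny_classes"][classify_deny(rec["flags"])] += 1
    return dict(flows)


def triage(log_text):
    """Return (flow, verdict) for every flow that was denied at least once."""
    findings = []
    for key, flow in summarize(log_text).items():
        if flow["deny"] == 0:
            continue
        if flow["deny_classes"].get("new-connection"):
            verdict = "policy-block"   # a SYN hit the default deny: check the ruleset
        elif flow["deny_classes"].get("out-of-state-teardown"):
            verdict = "benign-tail"    # late FIN/RST/ACK packets, state already gone
        else:
            verdict = "needs-flags"    # no flags logged; enable them before judging
        findings.append((key, verdict))
    return findings


if __name__ == "__main__":
    for (src, sport, dst, dport), verdict in triage(SAMPLE_LOG):
        print(f"{src}:{sport} -> {dst}:{dport}: {verdict}")
```

Run against a longer Live View export, the flows that come back as "policy-block" are the ones to chase in the ruleset; a wall of "benign-tail" verdicts on ports that were allowed moments earlier simply means states are being torn down (or timing out) before the client has finished, which is where the retransmissions in the original question would point next.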