Hi,
I have a strange problem.
My network setup:
OPNsense router with virtual LAN bridge -> Mikrotik WiFi point -> Device1 and Device2 connected over WiFi
Local subnets are different on both routers.
Problem:
When I open YouTube on Device1 everything works fine. When I open YouTube on Device2 I get long loading and many blocking events on OPNsense with the label "Default deny / state violation rule":
LAN_BRIDGE 2023-08-06T13:17:56 10.0.0.4:41400 52.28.78.142:443 tcp Default deny / state violation rule
10.0.0.4 is the local IP address of the Mikrotik WiFi point.
All rules are default, no separate rules for Device1 and Device2.
How can this be possible?
How do you have your bridge configured? Did you set the tunables for it?
I'm not familiar with Mikrotik APs, but how do you have it configured? Is it performing any services or routing?
> How do you have your bridge configured? Did you set the tunables for it?
Configured like in that manual: https://docs.opnsense.org/manual/how-tos/lan_bridge.html
net.link.bridge.pfil_member set to 0
net.link.bridge.pfil_bridge set to 1
I have other clients in that bridge and they don't have any blocking events.
The problem is only with traffic from one client on the Mikrotik.
The Mikrotik has the default configuration too: DHCP on WAN, LAN bridge, and that's all.
Two clients are connected over 5 GHz WiFi to the Mikrotik: my iPhone and my TV.
On the iPhone, YouTube opens fast, no blocking events in OPNsense (I'm sure that the traffic goes through WiFi).
On the TV, YouTube opens slowly, many blocking events in OPNsense (I have two default pass rules on the LAN bridge, but they only work partially for the TV traffic).
I can't figure out what the difference is between packets from the TV and the iPhone, because for the OPNsense router only the Mikrotik exists.
Made a pic
Are the two allow rules the only ones on LAN_BRIDGE? Do you have any floating rules?
What happens if you enable logging for the allow rules? Also, are you currently seeing any other entries on LAN_BRIDGE other than the blocks?
It looks like you're double-NATed with the Mikrotik. Is there a reason it's configured like that instead of just as an AP?
Have you tried getting a packet capture of the two scenarios? One with the iPhone working and one with the TV having trouble.
> Have you tried getting a packet capture of the two scenarios? One with the iPhone working and one with the TV having trouble.
It helped! Thank you.
All blocked packets have the same pattern: TCP flags PA (PUSH, ACK). They are "out of state" packets.
Normally the first packet must be a SYN to open a new state.
The TV, after being turned off, just pauses/hibernates its sockets. So when I turn the TV on after some time, the sockets wake up as usual. But OPNsense has already erased the old states. It sees new PUSH,ACK packets and blocks them as out of state.
The same topic here: https://forum.opnsense.org/index.php?topic=20219.0
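An added example, not from this thread and not OPNsense or pf code, that models the explanation above: a toy stateful filter in which only a bare SYN creates a state entry, idle entries expire, and any later PSH/ACK with no matching entry is blocked with the same "Default deny / state violation rule" wording. The 90 s idle timeout, the client-to-server-only state key, the port numbers and the timing of the two flows are constructed assumptions chosen to make the TV's wake-up behaviour visible; the two IP addresses come from the log line in the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment as a stateful firewall sees it (constructed sample data)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # pf-style flag letters: S=SYN, A=ACK, P=PSH, F=FIN, R=RST
    ts: float    # seconds since an arbitrary epoch


class StatefulFirewall:
    """Toy model of a pf-style 'keep state' filter (assumption: simplified, not pf itself).

    A state entry is created only by a bare SYN. Any later segment that matches an
    existing entry passes and refreshes it. Entries idle longer than `state_timeout`
    are purged. A segment with no matching entry that is not a SYN is blocked and
    logged with the wording OPNsense uses: 'Default deny / state violation rule'.
    """

    def __init__(self, state_timeout: float = 90.0, iface: str = "LAN_BRIDGE"):
        self.state_timeout = state_timeout
        self.iface = iface
        self.states: dict[tuple, float] = {}   # 4-tuple -> last time seen
        self.log: list[str] = []               # constructed log lines, one per block

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        # Only the client-to-server direction is tracked in this toy model.
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def _expire(self, now: float) -> None:
        stale = [k for k, seen in self.states.items() if now - seen > self.state_timeout]
        for k in stale:
            del self.states[k]

    def filter(self, pkt: Packet) -> str:
        """Return 'pass' or 'block' for one segment, updating the state table."""
        self._expire(pkt.ts)
        key = self._key(pkt)
        if key in self.states:
            self.states[key] = pkt.ts        # established flow: refresh idle timer
            return "pass"
        if pkt.flags == "S":
            self.states[key] = pkt.ts        # first packet of a new connection
            return "pass"
        # Mid-stream segment (e.g. PA) with no state: exactly the TV's wake-up traffic.
        self.log.append(
            f"{self.iface} {pkt.src}:{pkt.sport} {pkt.dst}:{pkt.dport} tcp "
            f"flags={pkt.flags} Default deny / state violation rule"
        )
        return "block"


def run_scenarios() -> dict[str, list[str]]:
    """Replay the two behaviours from the thread against a 90 s state timeout."""
    src, dst = "10.0.0.4", "52.28.78.142"   # addresses from the log line in the thread

    # iPhone: opens a connection and keeps talking on it without long gaps.
    iphone = StatefulFirewall()
    iphone_flow = [
        Packet(src, 41400, dst, 443, "S", 0.0),
        Packet(src, 41400, dst, 443, "PA", 1.0),
        Packet(src, 41400, dst, 443, "PA", 2.0),
    ]
    # TV: same start, then the socket is frozen for an hour while the TV is off
    # and resumes with PSH/ACK segments as if nothing happened.
    tv = StatefulFirewall()
    tv_flow = [
        Packet(src, 41401, dst, 443, "S", 0.0),
        Packet(src, 41401, dst, 443, "PA", 1.0),
        Packet(src, 41401, dst, 443, "PA", 3600.0),   # wake-up: state long gone
        Packet(src, 41401, dst, 443, "PA", 3601.0),   # retransmission, still blocked
        Packet(src, 41401, dst, 443, "S", 3700.0),    # app finally reconnects: new state
    ]
    return {
        "iphone": [iphone.filter(p) for p in iphone_flow],
        "tv": [tv.filter(p) for p in tv_flow],
    }


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(name, verdicts)
```

The model shows why the blocks are noise rather than an attack indicator and why they clear up on their own once the application gives up and opens a fresh connection with a SYN. Real pf is stricter and more nuanced than this toy: it tracks both directions, checks sequence-number windows, and uses different timeouts depending on the TCP state of the flow, all of which are configurable in OPNsense.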