OPNsense Forum

Archive => 24.1, 24.4 Legacy Series => Topic started by: greenych on May 16, 2024, 04:34:41 PM

Title: TCP resets randomly Opnsense 24.1.4
Post by: greenych on May 16, 2024, 04:34:41 PM
Hi mates, we have a strange behavior with TCP sessions: they are randomly reset by OPNsense (if I understand correctly from tcpdump). I have captured the WAN and LAN interfaces simultaneously and have found something interesting: host A (behind WAN) sends SYN, host B (behind LAN) receives the SYN and answers with SYN/ACK, and suddenly gets an RST from host A. But in actuality host A doesn't send the RST (there is no such packet in the capture on interface WAN, and its TTL=64); also the SYN/ACK from host B doesn't come out on interface WAN. The problem appears randomly and I can't find any dependencies on the time of day or on resource and channel utilization. Maybe someone can suppose what can cause such behavior?
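The poster's diagnosis rests on two observations from simultaneous WAN and LAN captures: an RST appears on the LAN side that never crossed the WAN side, and it carries TTL 64, the initial TTL a FreeBSD host (the OPNsense base) puts on packets it originates itself, whereas a forwarded packet arrives with the sender's TTL minus one. The script below automates that correlation. It is an added example, not code from the thread or from OPNsense; the packet records are constructed to mirror the described exchange, and the addresses, ports and interface names are assumptions.

```python
"""Correlate a WAN-side and a LAN-side capture of the same firewall and report
TCP RSTs (and dropped replies) that the firewall itself produced rather than
forwarded. Added example; packet records are constructed, not real captures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str    # capture interface: "wan" or "lan"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # tcpdump-style flags: "S" = SYN, "S." = SYN/ACK, "R" = RST
    ttl: int


# Constructed endpoints (documentation ranges, assumptions for the example).
HOST_A = "203.0.113.10"   # behind WAN
HOST_B = "192.0.2.20"     # behind LAN
LOCAL_TTL = 64            # initial TTL of packets the FreeBSD firewall originates

# Constructed capture mirroring the thread: the SYN is forwarded normally
# (TTL decremented by one on the way through), B's SYN/ACK is seen only on
# the LAN side, and an RST "from A" reaches B although A never sent one.
CAPTURE = [
    Packet("wan", HOST_A, 50123, HOST_B, 443, "S", 57),
    Packet("lan", HOST_A, 50123, HOST_B, 443, "S", 56),
    Packet("lan", HOST_B, 443, HOST_A, 50123, "S.", 64),  # SYN/ACK, never on WAN
    Packet("lan", HOST_A, 50123, HOST_B, 443, "R", 64),   # RST, never on WAN
    # A healthy flow for contrast: a real RST from A, forwarded end to end.
    Packet("wan", HOST_A, 50124, HOST_B, 22, "R", 57),
    Packet("lan", HOST_A, 50124, HOST_B, 22, "R", 56),
]


def flow_key(p: Packet):
    """Identity of a packet across both captures: 4-tuple plus flags (TTL excluded,
    because forwarding changes it)."""
    return (p.src, p.sport, p.dst, p.dport, p.flags)


def keys_by_iface(packets):
    seen = {"wan": set(), "lan": set()}
    for p in packets:
        seen[p.iface].add(flow_key(p))
    return seen


def find_local_resets(packets, local_ttl=LOCAL_TTL):
    """RSTs seen on the LAN capture that never appeared on the WAN capture.
    A TTL equal to the firewall's own initial TTL marks the RST as generated
    by the firewall (a forwarded RST would carry the remote sender's TTL - 1)."""
    seen = keys_by_iface(packets)
    findings = []
    for p in packets:
        if p.iface != "lan" or "R" not in p.flags:
            continue
        if flow_key(p) in seen["wan"]:
            continue  # genuinely forwarded RST, nothing suspicious
        findings.append({
            "flow": f"{p.src}:{p.sport} -> {p.dst}:{p.dport}",
            "ttl": p.ttl,
            "locally_generated": p.ttl == local_ttl,
        })
    return findings


def find_unforwarded_replies(packets):
    """LAN-side SYN/ACKs that never reached the WAN capture, i.e. replies the
    firewall dropped instead of forwarding."""
    seen = keys_by_iface(packets)
    return [f"{p.src}:{p.sport} -> {p.dst}:{p.dport}"
            for p in packets
            if p.iface == "lan" and p.flags == "S." and flow_key(p) not in seen["wan"]]


if __name__ == "__main__":
    for f in find_local_resets(CAPTURE):
        print("RST not seen on WAN:", f)
    for flow in find_unforwarded_replies(CAPTURE):
        print("SYN/ACK not forwarded to WAN:", flow)
```

To use it on real data, fill `CAPTURE` from two `tcpdump -ni <iface> -v` sessions started at the same time (the `-v` output includes the TTL); a finding with `locally_generated` set to `True` is the same signature the poster saw by hand.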
Title: Re: TCP resets randomly Opnsense 24.1.4
Post by: sja1440 on May 16, 2024, 07:39:50 PM
Interesting.  I saw something very similar today.

In my case TCP connections were being initiated by Unbound within OPNsense towards port 853 of Quad9 (9.9.9.9), so:
* SYN from OPNsense to port 853 of Quad9
* SYN+ACK from Quad9 to OPNsense
* RST+ACK from OPNsense to Quad9.
To help track down the cause I activated a series of firewall traces, including one on the last encountered rule (pass) on the outgoing WAN interface. The PF logs showed that the outgoing connection was passed.

At the time I was restructuring my firewall rules, making use of firewall groups and tags. I didn't have time to track down the problem, so I backed up the borked OPNsense config and restored a previously working configuration. I'll have another go when I have some free time.

I find it very odd that the PF logs show the connection as PASSed and yet the RST+ACK was being sent by Unbound/OPNsense. Very odd.

By the way, in my case all connections to Quad9 were impacted, not just random ones.

I use OPNsense v24.4.

Title: Re: TCP resets randomly Opnsense 24.1.4
Post by: sja1440 on May 17, 2024, 12:53:54 PM
I discovered that I had mistakenly applied the rules of one group to both a VLAN and the underlying Ethernet interface. This is a Bad Idea and, I believe, might well have been the cause of my problem.

If it turns out that I still have the problem then I'll be back here.
Title: Re: TCP resets randomly Opnsense 24.1.4
Post by: greenych on May 17, 2024, 02:05:30 PM
In my case there are no groups. I'm trying to find reasons why the firewall can intercept a TCP session and answer with RST, and the only one I have found is a denying rule
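The "denying rule" the poster refers to is the difference between a block rule that drops silently and one that actively rejects. In pf (the packet filter under OPNsense) the rejecting form answers a blocked TCP segment with an RST that pf itself builds, using the blocked segment's destination as the RST's source, which is exactly why the LAN capture shows an RST "from host A" with the firewall's own TTL of 64 and nothing on the WAN side. The fragment below is an added example in pf.conf syntax, not a configuration from the thread or from OPNsense; the interface name `em0` and the addresses are assumptions.

```pf
# Added example (pf.conf syntax). Interface and addresses are assumptions.

# Silent drop: the blocked segment simply disappears. The LAN host sees
# no RST and keeps retransmitting its SYN/ACK until it times out.
block drop in on em0 proto tcp from 192.0.2.20 to any

# Active reject: pf generates a TCP RST toward the sender of the blocked
# segment (here 192.0.2.20), spoofing the blocked segment's destination as
# the RST's source. The RST is firewall-originated, so it carries the
# firewall's initial TTL (64 on FreeBSD) and never appears on the WAN capture.
block return-rst in on em0 proto tcp from 192.0.2.20 to any

# The same choice applies globally to every "block" rule that does not say
# drop or return explicitly:
set block-policy return
```

In the OPNsense GUI the two forms correspond to the rule actions "Block" (drop) and "Reject" (return). For the reject form to fire against a SYN/ACK that belongs to an established session, the state lookup has to fail first; that is the condition to look for, and the earlier post about rules accidentally applied to both a VLAN and its parent interface is one way state and rule evaluation can end up on the wrong interface.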