After upgrading to 24.1.10_2, OPNSense started rejecting all inbound traffic. Every incoming connection is blocked by Default deny / State violation rule. The version is 24.1.10_2-amd64. ISP is Comcast Business USA.
I reverted to 24.1 with a fresh install (from a fresh download), loaded the same config from a backup, and everything worked again with the same config. Because I am apparently a glutton for punishment, I upgraded the new installation to 24.1.10_2 to see if it would break. Result: it broke. All inbound connections were again blocked with Default deny / State violation rule. So I rebuilt again with 24.1, reloaded the same config (again), and that works (again).
Not sure where to look to figure out what's going on. Right now I'm running 24.1 because the update process would take me right to 24.1.10_2 again.
Well, I figured it out, but it leads to a different mystery.
I have one server open on a different IP, and I found that connections to that server were getting through. I didn't realize it before, because everything important to the primary server was being blocked. So I went poking around and discovered that the one-to-one NAT rule between that server and its external static IP was missing. I manually restored the rule, and hey presto, all is working.
But this opens two more questions:
- What happened to the rule? It was there in my backups from February but not in the configs I reloaded when testing. I am 100% sure I did not delete it.
- Why did it work at all without the rule before 24.1.10?
Glad to have it fixed but still scratching my head.
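A quick way to catch the kind of drift described in this post (a one-to-one NAT entry present in an older backup but gone from the one you are about to reload) is to diff the rule sets of two config.xml backups before restoring. The script below is an added example, not code from this thread or from the OPNsense project; it assumes the usual config.xml layout where one-to-one rules live under `<opnsense><nat><onetoone>` with `interface`, `external` and `source/address` children, and both backups embedded here are constructed samples using documentation address ranges.

```python
import xml.etree.ElementTree as ET

# Constructed sample backups (not real firewall configs). The "February"
# backup carries two one-to-one rules; the later backup has lost one.
OLD_BACKUP = """<?xml version="1.0"?>
<opnsense>
  <nat>
    <onetoone>
      <interface>wan</interface>
      <external>203.0.113.10</external>
      <source><address>192.0.2.10</address></source>
      <destination><any>1</any></destination>
      <descr>primary server</descr>
    </onetoone>
    <onetoone>
      <interface>wan</interface>
      <external>203.0.113.11</external>
      <source><address>192.0.2.11</address></source>
      <destination><any>1</any></destination>
      <descr>secondary server</descr>
    </onetoone>
  </nat>
</opnsense>
"""

NEW_BACKUP = """<?xml version="1.0"?>
<opnsense>
  <nat>
    <onetoone>
      <interface>wan</interface>
      <external>203.0.113.11</external>
      <source><address>192.0.2.11</address></source>
      <destination><any>1</any></destination>
      <descr>secondary server</descr>
    </onetoone>
  </nat>
</opnsense>
"""


def onetoone_rules(xml_text):
    """Return the set of (interface, external IP, internal IP) tuples for
    every one-to-one NAT rule in a config.xml document (assumed layout)."""
    root = ET.fromstring(xml_text)
    rules = set()
    for node in root.findall("./nat/onetoone"):
        interface = node.findtext("interface", "")
        external = node.findtext("external", "")
        internal = node.findtext("source/address", "")
        rules.add((interface, external, internal))
    return rules


def missing_rules(old_xml, new_xml):
    """Rules present in the older backup but absent from the newer one,
    sorted so the output is stable for reporting."""
    return sorted(onetoone_rules(old_xml) - onetoone_rules(new_xml))


def compare_backup_files(old_path, new_path):
    """File-based wrapper for use on real backups (hypothetical paths)."""
    with open(old_path, encoding="utf-8") as old_f, open(new_path, encoding="utf-8") as new_f:
        return missing_rules(old_f.read(), new_f.read())


if __name__ == "__main__":
    for interface, external, internal in missing_rules(OLD_BACKUP, NEW_BACKUP):
        print(f"one-to-one rule missing from newer backup: "
              f"{interface} {external} -> {internal}")
```

Run it against the two real backups with `compare_backup_files("config-old.xml", "config-new.xml")` (paths are placeholders); an empty list means the one-to-one rule set survived intact, anything else is worth restoring or re-checking before the config goes back onto the firewall.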
There were bugs in the One-to-one rewrite in 24.1.9 preventing the rules from being properly translated. 1) was one of them, and they were subsequently hotfixed. 2) is an imprecise question, but my guess is you were on 24.1.8, upgraded to a bad early 24.1.9, and didn't change the system (like reboot), so it kept working until 24.1.10 came along and you rebooted for unrelated reasons, which is when the bad one-to-one kicked in.
Cheers,
Franco
Quote from: franco on July 17, 2024, 07:40:45 AM
There were bugs in the One-to-one rewrite in 24.1.9 preventing the rules from being properly translated. 1) was one of them, and they were subsequently hotfixed. 2) is an imprecise question, but my guess is you were on 24.1.8, upgraded to a bad early 24.1.9, and didn't change the system (like reboot), so it kept working until 24.1.10 came along and you rebooted for unrelated reasons, which is when the bad one-to-one kicked in.
Thanks for the reply! Yes, I believe your guess about point 2 is exactly what happened.