OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: mikey4u on November 17, 2024, 05:36:26 PM

Title: traffic blocked Default deny / state violation rule...SOLVED
Post by: mikey4u on November 17, 2024, 05:36:26 PM
Can't figure out how to solve my problem. OPNsense is blocking traffic from my IoT devices to the MQTT broker. Rules don't change a thing. I am at a loss??
Title: Re: traffic blocked Default deny / state violation rule
Post by: viragomann on November 17, 2024, 06:02:48 PM
The SYN-ACK flag indicates that the SYN flag didn't pass your OPNsense.
This is probably an asymmetric routing issue.

This can happen if one of the involved devices is multi-homed.

Maybe you can provide some details about your network to clarify the issue.
Title: Re: traffic blocked Default deny / state violation rule
Post by: mikey4u on November 17, 2024, 06:11:11 PM
Thank you so much for the reply.
I am really new to OPNsense. The problem is new, as everything was working fine before.
I have Home Assistant with MQTT (Mosquitto) connecting to multiple IoT devices on the same LAN.
It stopped working after an update. Not sure how to proceed.
Please let me know what specifically I can provide. Googling your response now.
Title: Re: traffic blocked Default deny / state violation rule
Post by: viragomann on November 17, 2024, 06:42:03 PM
So is one of the devices in multiple network segments?

If not, this could also happen due to a wrong network mask on the HA.
Title: Re: traffic blocked Default deny / state violation rule
Post by: meyergru on November 17, 2024, 06:46:00 PM
It is even more simple than that: Look at the src and dst IPs in your log entry:

192.168.0.149 and 192.168.0.23   THOSE ARE (PRESUMABLY) IN THE SAME SUBNET

Please refer to this posting (https://forum.opnsense.org/index.php?topic=42985.0), first point.
Title: Re: traffic blocked Default deny / state violation rule
Post by: mikey4u on November 17, 2024, 06:55:57 PM
Here are some of my settings. Not sure it helps. Going to reread the referred post.
So confused right now, and yes, same subnet.
Title: Re: traffic blocked Default deny / state violation rule
Post by: meyergru on November 17, 2024, 07:06:37 PM
Networking is hard. Try to understand the difference between a bridge and a router. What you seem to try is a kind of middle ground (which does not exist - unless you do a transparent bridge setup):

You presumably have two ports, one of which connects your IoT device(s) and the other your PC(s).

If you aim for a bridged setup, you can use more than one port like a switch (but you have to follow the documentation to set this up (https://docs.opnsense.org/manual/how-tos/lan_bridge.html)). In this case, you cannot filter the traffic between those ports, as all serve the same subnet.

If you aim to filter traffic via routing/firewalling, you need to separate subnets and use (logical or physical) ports for that. But they need to have different subnets, which seems not to be the case here.
Title: Re: traffic blocked Default deny / state violation rule
Post by: viragomann on November 17, 2024, 07:11:07 PM
Network mask 255.255.255.255 on the HA leads the device to send any packet to the default gateway, while other devices with a correct mask access it directly.
I guess its mask should rather be 255.255.255.0.
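To illustrate the mechanism viragomann describes, here is an added example (not from the thread or from OPNsense) that models on-link versus gateway forwarding and a stateful firewall that only sees packets routed through it; the gateway address and which host is the Home Assistant box are assumptions, the two addresses and masks come from the thread.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed OPNsense LAN address (not stated in the thread).
GATEWAY = "192.168.0.1"
# Constructed roles: .23 is taken as the IoT client, .149 as the HA/MQTT host.
IOT_DEVICE = ("192.168.0.23", "255.255.255.0")
HA_BROKEN = ("192.168.0.149", "255.255.255.255")  # the wrong /32 mask
HA_FIXED = ("192.168.0.149", "255.255.255.0")      # the corrected mask


def next_hop(host_ip: str, host_mask: str, dst_ip: str, gateway: str) -> str:
    """Where a host with this IP/mask sends a packet for dst_ip:
    'direct' if dst_ip is on-link, otherwise the default gateway."""
    onlink = ipaddress.ip_network(f"{host_ip}/{host_mask}", strict=False)
    return "direct" if ipaddress.ip_address(dst_ip) in onlink else gateway


@dataclass
class StatefulFirewall:
    """Minimal model of pf state tracking: a state is created by a SYN,
    and replies are only allowed if the matching state exists."""
    states: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def forward(self, src: str, dst: str, flags: str) -> bool:
        if flags == "SYN":
            self.states.add((src, dst))
            return True
        if (dst, src) in self.states:  # reply to a connection we saw open
            return True
        self.log.append(f"block {src} -> {dst} [{flags}] Default deny / state violation rule")
        return False


def handshake(client: tuple, server: tuple, gateway: str) -> list:
    """Simulate SYN then SYN-ACK between (ip, mask) hosts on one LAN.
    Only packets a host routes via the gateway pass through the firewall."""
    fw = StatefulFirewall()
    c_ip, c_mask = client
    s_ip, s_mask = server
    if next_hop(c_ip, c_mask, s_ip, gateway) != "direct":   # client's SYN
        fw.forward(c_ip, s_ip, "SYN")
    if next_hop(s_ip, s_mask, c_ip, gateway) != "direct":   # server's SYN-ACK
        fw.forward(s_ip, c_ip, "SYN-ACK")
    return fw.log
```

With the /32 mask the SYN goes host-to-host but the SYN-ACK detours through OPNsense, which has no state for it and logs exactly the src/dst pair from the original post; with /24 on both hosts nothing reaches the firewall at all.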
Title: Re: traffic blocked Default deny / state violation rule
Post by: mikey4u on November 17, 2024, 07:20:56 PM
SOLVED

THANK YOU SOOO MUCH.
You solved my problem. Correct, my network mask was wrong.
Changing it to 255.255.255.0 fixed my problem. Understanding all this is a huge learning curve.
I can't thank you enough. Thank you for taking the time to help me. Working on this for 10 hours.
Again, thank you, you made my day. Have a great day.