OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: Petrester on January 28, 2025, 06:51:55 PM

Title: VLANS Default deny / state violation rule
Post by: Petrester on January 28, 2025, 06:51:55 PM
Hello everyone,

I need some help. I have been trying to solve this problem for 1 week but I can't find a solution.

I have an OPNSense installation on a Proxmox VM of a mini PC.
I also have a raspy with proxmox. Here I have an LXC with NetAlertx so I can detect all the IPs used on my network and that is where I have the problem.

When I run nmap it detects all the IPs in use, but all the ones that are not found (do not exist) appear as default deny in the firewall. As Falcon VLAN rules I have an any-to-any to all networks.


Thanks a lot!

Title: Re: VLANS Default deny / state violation rule
Post by: viragomann on January 28, 2025, 09:20:19 PM
As the log says, it might be a state violation, since you already have an allow-any rule.
Click on the info button at the right to verify the TCP flag. Presumably it's not a SYN, so it's possibly asymmetric routing.

A probable reason for this is an L2 leak from the VLAN into another subnet.
Title: Re: VLANS Default deny / state violation rule
Post by: Petrester on January 28, 2025, 10:39:54 PM
Quote from: viragomann on January 28, 2025, 09:20:19 PMAs the log says, it might be a state violation, since you already have an allow-any rule.
Click on the info button at the right to verify the TCP flag. Presumably it's not a SYN, so it's possibly asymmetric routing.

A probable reason for this is an L2 leak from the VLAN into another subnet.


I checked what you said and the TCP Flag = none.
Title: Re: VLANS Default deny / state violation rule
Post by: viragomann on January 29, 2025, 10:32:34 AM
Your screenshot above shows solely TCP packets. Any TCP packet must have some flag set (tcpflags)!
That's the way TCP works.
https://en.wikipedia.org/wiki/Transmission_Control_Protocol
Title: Re: VLANS Default deny / state violation rule
Post by: Petrester on January 29, 2025, 03:12:52 PM
Quote from: viragomann on January 29, 2025, 10:32:34 AMYour screenshot above shows solely TCP packets. Any TCP packet must have some flag set (tcpflags)!
That's the way TCP works.
https://en.wikipedia.org/wiki/Transmission_Control_Protocol

Thanks for commenting.

I have added a screenshot of the detailed firewall information.
There is no flag in the TCP protocol. What can this be due to?

From that IP the following command is being executed: nmap -SN 10.0.10.0/24.

Thanks!
Title: Re: VLANS Default deny / state violation rule
Post by: Seimus on January 29, 2025, 03:17:26 PM
The TCP flag for the packet you show is A = ACK.

Regards,
S.
Title: Re: VLANS Default deny / state violation rule
Post by: Seimus on January 29, 2025, 03:32:37 PM
Also, the later pic you posted has a different source IP than the one in your 1st post.

Are you sure you posted the correct packet?

Regards,
S.
Title: Re: VLANS Default deny / state violation rule
Post by: Petrester on January 29, 2025, 05:32:39 PM
Quote from: Seimus on January 29, 2025, 03:32:37 PMAlso, the later pic you posted has a different source IP than the one in your 1st post.

Are you sure you posted the correct packet?

Regards,
S.

Yes, it is another IP because it is inside Proxmox and I took another LXC. But it is really the same problem.

It is curious that when nmap is run, it only fails with IPs that do not exist.
Can you think of a solution?
Title: Re: VLANS Default deny / state violation rule
Post by: Seimus on January 29, 2025, 05:40:48 PM
If this is TCP out of sync, there is no solution.

OPNsense is a stateful FW; each TCP session needs to start with a TCP SYN. If there is no session created for the specific source & destination, any packet that does not have the TCP SYN flag will be dropped.

Regards,
S.
Title: Re: VLANS Default deny / state violation rule
Post by: Petrester on January 29, 2025, 06:16:45 PM
Is there no way to set the flag when running nmap? Maybe it is the Proxmox LXC configuration?

It is strange because when I launch this same thing from the other Proxmox cluster, where the OPNsense is, it works correctly.
Title: Re: VLANS Default deny / state violation rule
Post by: Seimus on January 29, 2025, 06:42:51 PM
You can set nmap to use various TCP flags; have a look at the nmap manual. However, keep in mind that hitting any FW with rapid TCP SYNs is basically a TCP SYN flood attack.

Regards,
S.
Title: Re: VLANS Default deny / state violation rule
Post by: viragomann on January 29, 2025, 06:49:10 PM
It's not clear to me why a device is sending an ACK to an IP which doesn't exist in the network. This IP should never have responded with a SYN-ACK.
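Added example (not from the thread, not OPNsense or nmap code), tying together Seimus's point that a SYN-less segment can never match a stateful pass rule, his pointer to the nmap flag options, and viragomann's puzzle about an ACK sent to an IP that does not exist. The script below classifies OPNsense firewall log entries (the pf filterlog CSV payload, with the syslog prefix already stripped) into "blocked by policy" versus "blocked as a state violation". The field layout is an assumption about filterlog's IPv4 format; the sample lines, interface names, addresses and the "0000deny" label are constructed, so check them against your own /var/log/filter output before relying on the field names.

```python
"""Classify OPNsense (pf filterlog) block entries: rule mismatch vs. state violation.

Added example, not code from the thread or from OPNsense. The log lines are
constructed; the field layout assumes the pf filterlog CSV format as OPNsense
writes it (syslog prefix already stripped). Verify against your own
/var/log/filter output before relying on the field names.
"""
import csv
from collections import Counter
from typing import Dict, List

# IPv4 header portion of a filterlog record (assumed layout).
IPV4_FIELDS = [
    "rulenr", "subrulenr", "anchor", "label", "interface", "reason", "action",
    "dir", "ipversion", "tos", "ecn", "ttl", "id", "offset", "flags",
    "proto", "protoname", "length", "src", "dst",
]
# Protocol-specific tail for TCP and UDP records (assumed layout).
TCP_FIELDS = ["srcport", "dstport", "datalength", "tcpflags", "seq", "ack", "window", "urg", "options"]
UDP_FIELDS = ["srcport", "dstport", "datalength"]

# Constructed sample lines. "0000deny" stands in for the default deny rule's
# label; real labels are rule UUIDs.
SAMPLE_LINES = [
    # nmap -sn host-discovery ACK probe to port 80 of a host that does not exist: no SYN ever went out.
    "5,,,0000deny,vtnet0_vlan20,match,block,in,4,0x0,,63,1,0,none,6,tcp,40,10.0.20.50,10.0.10.77,40001,80,0,A,2461893421,0,1024,,",
    # nmap -sn SYN probe to port 443: matches the any-to-any pass rule and creates state.
    "72,,,cafe0001,vtnet0_vlan20,match,pass,in,4,0x0,,63,2,0,DF,6,tcp,44,10.0.20.50,10.0.10.77,40002,443,0,S,1118216409,0,1024,,mss",
    # Unsolicited SYN from the WAN side: a genuine policy block, not a state issue.
    "5,,,0000deny,vtnet1,match,block,in,4,0x0,,51,3,0,DF,6,tcp,60,203.0.113.9,198.51.100.2,51515,22,0,S,3389017265,0,65535,,mss;sackOK;TS;nop;wscale",
    # UDP has no handshake; a block here is always a rule decision.
    "5,,,0000deny,vtnet1,match,block,in,4,0x0,,54,4,0,none,17,udp,61,203.0.113.9,198.51.100.2,5353,5353,41",
    # TCP segment with no flags at all (nmap -sN style): also cannot match a pass rule that expects SYN.
    "5,,,0000deny,vtnet0_vlan20,match,block,in,4,0x0,,63,5,0,none,6,tcp,40,10.0.20.50,10.0.10.78,40003,80,0,,1000,0,1024,,",
]


def parse_filterlog(line: str) -> Dict[str, str]:
    """Split one filterlog CSV payload into named fields (IPv4 only)."""
    fields = next(csv.reader([line]))
    rec = dict(zip(IPV4_FIELDS, fields))
    if rec.get("ipversion") != "4":
        raise ValueError("example handles IPv4 records only")
    tail = fields[len(IPV4_FIELDS):]
    if rec["protoname"] == "tcp":
        rec.update(zip(TCP_FIELDS, tail))
    elif rec["protoname"] == "udp":
        rec.update(zip(UDP_FIELDS, tail))
    return rec


def classify(rec: Dict[str, str]) -> str:
    """Decide why a packet was blocked.

    pf pass rules for TCP default to 'flags S/SA', so only a SYN without ACK can
    match a pass rule and create state. Any other TCP segment arriving without an
    existing state falls through to the default deny, however permissive the
    pass rules are.
    """
    if rec["action"] != "block":
        return "pass"
    if rec["protoname"] != "tcp":
        return "block-non-tcp"
    flags = rec.get("tcpflags", "")
    if "S" in flags and "A" not in flags:
        return "block-rule-mismatch"
    return "block-state-violation"


def explain(rec: Dict[str, str]) -> str:
    """Human-readable verdict for one record."""
    cat = classify(rec)
    where = f"{rec['src']}:{rec.get('srcport', '-')} -> {rec['dst']}:{rec.get('dstport', '-')} on {rec['interface']}"
    if cat == "block-state-violation":
        flags = rec.get("tcpflags") or "none"
        return f"{where}: TCP flags '{flags}' with no matching state; no pass rule can fix this"
    if cat == "block-rule-mismatch":
        return f"{where}: new SYN rejected by policy; a pass rule would allow it"
    if cat == "block-non-tcp":
        return f"{where}: {rec['protoname']} blocked by policy"
    return f"{where}: passed by rule {rec['rulenr']}"


def summarize(lines: List[str]) -> Counter:
    """Count verdict categories across a batch of log lines."""
    return Counter(classify(parse_filterlog(l)) for l in lines)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(explain(parse_filterlog(line)))
    print(dict(summarize(SAMPLE_LINES)))
```

The first sample line is the case in this thread: a lone ACK with the log entry pointing at the default deny rule even though an any-to-any pass rule exists. That is exactly what nmap's default privileged host discovery (`-sn`) produces, since its probe set is an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, per the nmap host-discovery documentation. The ACK to port 80 is sent without any prior handshake, so whether or not the target IP exists, the router in the path sees a mid-stream TCP segment with no state and logs it as a state violation. If those log entries are unwanted, choose the probe types explicitly, for example `nmap -sn -PE -PS443 10.0.10.0/24` (ICMP echo plus TCP SYN ping only), rather than `-PA`, which sends the ACK probe.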
Title: Re: VLANS Default deny / state violation rule
Post by: Petrester on January 30, 2025, 09:05:46 PM
I will update OPNsense and try again to see if it is fixed in this version.
I can't believe it's giving TCP failures when, while doing nmap, the IP doesn't exist.

Regards!