Hello,
I've installed opnsense yesterday for the first time and I'm very impressed by all the available features, so a big thank you to everyone involved in the development of this amazing software.
I'm having an issue with Firewall Diagnostics (Sessions and States).
There are rules showing up which are completely unrelated to the Source/Destination. For example, under "States" a rule shows up for a port forwarding rule I have.
Direction is in, source is my iPhone (192.168.2.51) and destination is: 142.251.31.188:5228, State: ESTABLISHED:ESTABLISHED and the Rule is a port forwarding I have for SSH with source being an external IP and destination: 192.168.2.246/32
A similar issue is described here by another user https://forum.opnsense.org/index.php?topic=38152.0
Does anyone have any idea?
You may want to provide more information.
Please show your exact rules and diagnostics information.
I am having the same issue... firewall rules seem to be working correctly, however the listed rule under states and sessions is completely unrelated. Note that the listed rule under live firewall is correct. There are NUMEROUS instances of these that are incorrect. The printer one just stands out because I have that super locked down.
Example session:
Direction: in
Protocol: TCP
Source 192.168.30.13:39108
Gateway: Blank
Destination: 104.154.127.247:4070
State: Established:Established
Age: 198753 (sec)
Expires: 86396 (sec)
Pkts: (24.73 KB)
Bytes: 2.16 MB
Rule: Allow to printer
Allow to printer rule:
<rule uuid="87c85b75-c5c4-4392-9480-1280518a8978">
<type>pass</type>
<interface>opt4,opt3,opt5,opt1,opt9</interface>
<ipprotocol>inet</ipprotocol>
<statetype>keep state</statetype>
<descr>Allow to printer</descr>
<direction>in</direction>
<category>Printer</category>
<floating>yes</floating>
<quick>1</quick>
<protocol>udp</protocol>
<source>
<address>MattPhone,MattDesktop,BrittanyPhone,BrittanyDesktop,BrittanyLaptop,opt1,opt9</address>
</source>
<destination>
<address>Printer</address>
<port>137</port>
</destination>
<updated>
<username>root@192.168.5.140</username>
<time>1742339249.5835</time>
<description>/firewall_rules_edit.php made changes</description>
</updated>
<created>
<username>root@192.168.5.140</username>
<time>1742339183.5002</time>
<description>/firewall_rules_edit.php made changes</description>
</created>
</rule>
Relevant Aliases:
Printer = 192.168.110.23
<alias uuid="11725dcf-9635-4060-a57c-6eb581d43875">
<enabled>1</enabled>
<name>MattPhone</name>
<type>host</type>
<path_expression/>
<proto/>
<interface/>
<counters>0</counters>
<updatefreq/>
<content>192.168.30.90</content>
<password/>
<username/>
<authtype/>
<categories/>
<description>Matt Phone</description>
</alias>
<alias uuid="ab716668-ff02-43df-9924-5c2b4111e988">
<enabled>1</enabled>
<name>MattDesktop</name>
<type>host</type>
<path_expression/>
<proto/>
<interface/>
<counters>0</counters>
<updatefreq/>
<content>192.168.5.140</content>
<password/>
<username/>
<authtype/>
<categories/>
<description>Matt Desktop</description>
</alias>
<alias uuid="b6a10649-6875-4c3a-9212-e665e6be1a6c">
<enabled>1</enabled>
<name>BrittanyPhone</name>
<type>host</type>
<path_expression/>
<proto/>
<interface/>
<counters>0</counters>
<updatefreq/>
<content>192.168.30.92</content>
<password/>
<username/>
<authtype/>
<categories/>
<description>Brittany Phone</description>
</alias>
<alias uuid="3c7d5f60-e154-436f-a51a-c6853d01e446">
<enabled>1</enabled>
<name>BrittanyDesktop</name>
<type>host</type>
<path_expression/>
<proto/>
<interface/>
<counters>0</counters>
<updatefreq/>
<content>192.168.40.10</content>
<password/>
<username/>
<authtype/>
<categories/>
<description>Brittany Desktop</description>
</alias>
<alias uuid="1ae15403-2b03-4119-9ded-70bb007d7530">
<enabled>1</enabled>
<name>BrittanyLaptop</name>
<type>host</type>
<path_expression/>
<proto/>
<interface/>
<counters>0</counters>
<updatefreq/>
<content>192.168.30.91</content>
<password/>
<username/>
<authtype/>
<categories/>
<description>Brittany Laptop</description>
</alias>
OPT1 is a wireguard interface for my phone on the 192.168.60.0/24 subnet.
OPT9 is a wireguard interface for my wife's phone on the 192.168.100.0/24 subnet.
Hope to get this figured out, seems like a number of people are experiencing this bug.
Edit: When I go to live firewall log and filter for "label: printer" I get only two matches, both of which are correct (from Matt Desktop to the printer).
This seems like a bug where it is mis-associating rules.
Thanks
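As an added check (example code written here, not OPNsense's own), the posted rule and aliases can be parsed and the session from the post tested against them to confirm the label cannot be right. It assumes a simplified matcher (protocol, source, destination and port only) and treats the opt1/opt9 interface names as the two WireGuard subnets described in the post.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Rule as posted in the thread, trimmed to the fields this check needs.
RULE_XML = """<rule uuid="87c85b75-c5c4-4392-9480-1280518a8978">
<descr>Allow to printer</descr><protocol>udp</protocol>
<source><address>MattPhone,MattDesktop,BrittanyPhone,BrittanyDesktop,BrittanyLaptop,opt1,opt9</address></source>
<destination><address>Printer</address><port>137</port></destination>
</rule>"""

# Host aliases from the post plus the two WireGuard subnets described for opt1
# and opt9; treating interface names as their subnets is an assumption here.
ALIASES = {
    "MattPhone": "192.168.30.90", "MattDesktop": "192.168.5.140",
    "BrittanyPhone": "192.168.30.92", "BrittanyDesktop": "192.168.40.10",
    "BrittanyLaptop": "192.168.30.91", "Printer": "192.168.110.23",
    "opt1": "192.168.60.0/24", "opt9": "192.168.100.0/24",
}

def resolve(addr_field):
    """Expand a comma-separated address field into ip_network objects."""
    return [ipaddress.ip_network(ALIASES.get(n, n), strict=False)
            for n in addr_field.split(",")]

def parse_rule(xml_text):
    """Pull protocol, source, destination and port out of the rule XML."""
    r = ET.fromstring(xml_text)
    return {
        "descr": r.findtext("descr"),
        "proto": (r.findtext("protocol") or "any").lower(),
        "src": resolve(r.findtext("source/address") or "0.0.0.0/0"),
        "dst": resolve(r.findtext("destination/address") or "0.0.0.0/0"),
        "dport": r.findtext("destination/port"),
    }

def could_match(rule, proto, src, dst):
    """True only if every rule criterion accepts a 'proto, ip:port, ip:port' tuple."""
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    if rule["proto"] not in ("any", proto.lower()):
        return False
    if not any(ipaddress.ip_address(src_ip) in n for n in rule["src"]):
        return False
    if not any(ipaddress.ip_address(dst_ip) in n for n in rule["dst"]):
        return False
    return rule["dport"] is None or dst_port == rule["dport"]

RULE = parse_rule(RULE_XML)
# The posted session, labelled "Allow to printer" although it is TCP to a public host.
print(could_match(RULE, "TCP", "192.168.30.13:39108", "104.154.127.247:4070"))  # False
```

A False result for a state the GUI attributes to this rule points at the label lookup rather than at the rule itself, which is what the live log already suggested.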
Well, I consulted ChatGPT and it suggested that I reset the states table (Firewall -> Diagnostics -> States -> "Actions" tab -> Reset state table).
Waited a while and the new table shows everything correctly. So it was some sort of mismatch of states to rule labels, even though I think the rules were functioning correctly.
I'll leave this here in case anyone else has this issue.
Yes, I have this exact same issue; it's a real PITA having to reset erroneous F/W states after an F/W reboot to have it handle outbound traffic in the correct F/W policy... OPNsense has been doing this for quite some time now...
The issue is very easy to replicate: with active LAN<>WAN traffic being handled by OPNsense, just reboot or upgrade OPNsense (which includes the reboot), and once OPNsense is up after the reboot, you will always see outbound traffic showing up in the incorrect F/W rule set... Seems like a very obvious OPNsense F/W bug to me, given how easy it is to replicate...
Hmm, when you hover above the session rule name, the underlying link shows a rule ID (and can be followed).
Is it the wrong rule? The other possibility is that the lookup by the GUI is messed up.
Quote from: EricPerl on May 01, 2025, 10:22:45 PM
Hmm, when you hover above the session rule name, the underlying link shows a rule ID (and can be followed).
Is it the wrong rule? The other possibility is that the lookup by the GUI is messed up.
When clicking on the session rule name, it instead always takes you to the Firewall: Settings: Advanced page, and not the rule itself.
Running OPNsense 25.1.5_5-amd64.
Weird. Isn't the link something like: https://opnsense.fqdn/firewall_rule_lookup.php?rid=d83b28858f6858c902e03b3c214cd444 ?
Quote from: EricPerl on May 02, 2025, 03:26:41 AM
Weird. Isn't the link something like: https://opnsense.fqdn/firewall_rule_lookup.php?rid=d83b28858f6858c902e03b3c214cd444 ?
Looks like an additional bug to me...
Are things working fine on 25.1.4 ?
opnsense-revert -r 25.1.4 opnsense && /usr/local/etc/rc.filter_configure
No reboot required, but I would reset the states to be on the safe side.
Quote from: newsense on May 02, 2025, 07:24:09 AM
Are things working fine on 25.1.4 ?
opnsense-revert -r 25.1.4 opnsense && /usr/local/etc/rc.filter_configure
No reboot required, but I would reset the states to be on the safe side.
No, 25.1.4 also suffers from the same bug.
Below has been my upgrade path on 25.1 on my production OPNsense deployment; all versions below have the issue:
root@OPNsense:~ # egrep -ai 'OPNsense.localdomain: OPNsense ' /var/log/system/*
/var/log/system/system_20250411.log:<13>1 2025-04-11T09:11:49+10:00 OPNsense.localdomain kernel - - [meta sequenceId="17"] <118>*** OPNsense.localdomain: OPNsense 25.1.3 (amd64) ***
/var/log/system/system_20250414.log:<13>1 2025-04-14T00:05:31+10:00 OPNsense.localdomain kernel - - [meta sequenceId="17"] <118>*** OPNsense.localdomain: OPNsense 25.1.5_4 (amd64) ***
/var/log/system/system_20250423.log:<13>1 2025-04-23T08:44:29+10:00 OPNsense.localdomain kernel - - [meta sequenceId="15"] <118>*** OPNsense.localdomain: OPNsense 25.1.5_5 (amd64) ***
Below has been the upgrade path on my staging LAB OPNsense deployment; all versions below also had the issue:
root@OPNsense:~ # egrep -ai 'OPNsense.localdomain: OPNsense ' /var/log/system/*
/var/log/system/system_20250412.log:<13>1 2025-04-12T10:00:32+10:00 OPNsense.localdomain kernel - - [meta sequenceId="16"] <118>*** OPNsense.localdomain: OPNsense 25.1.4_1 (amd64) ***
/var/log/system/system_20250412.log:<13>1 2025-04-12T10:06:26+10:00 OPNsense.localdomain kernel - - [meta sequenceId="18"] <118>*** OPNsense.localdomain: OPNsense 25.1.5_4 (amd64) ***
/var/log/system/system_20250422.log:<13>1 2025-04-22T13:09:30+10:00 OPNsense.localdomain kernel - - [meta sequenceId="16"] <118>*** OPNsense.localdomain: OPNsense 25.1.5_5 (amd64) ***
root@OPNsense:~ #
Even 24.7 releases also have this issue... I posted about it over here -> https://forum.opnsense.org/index.php?topic=45338.0