Hi all,
I'm seeing filtering problems and I wonder if this is due multi-vlans / routing, filtering and states.
let me explain my configuration, with 2 opnsense in HA
- I have several server groups: web, db, haproxy, ...
- Each server has an address in the 192.168.0.0/24 LAN (which I call vlan back) for SSH access by administrators to these servers, as well as the
NAT output to the Internet. The default GW on this network is 192.168.0.254, which is a VIP CARP with NAT to the Internet.
- Each server group has its own vlan (which I call vlan front), for example web 10.10.0.0/24, data 10.10.10.0/24, haproxy 10.10.100.0/24. It's on this VLAN that services (http for web servers, for example) are exposed and filtered. For each of these vlans, there is a GW (VIP CARP) x.x.x.254 to enable routing between these vlans. And each server has a network route:
10.10.0.0/16 via x.x.x.254 <- it's own gateway in its own vlan, for example 10.10.0.254 for web servers.
- I have filtering rules between vlans, for example I authorize "WEB net" (10.10.0.0) to connect to TCP port 27017 on "DATA net" (10.10.10.0)
All this seems to be working, except that we're seeing very randomly in the logs connections that don't go through (timeout) and on opnsense logs there is some blocks on connections that are actually authorized (e.g. web to data port 27017) with TCP flag R.
I'm wondering if there isn't some kind of asymmetrical routing, with each VLAN having its own GW in its network. But I've tried disabling the "states rules" in the filtering rules and it's no better.
Translated with DeepL.com (free version)