OPNsense Forum

English Forums => General Discussion => Topic started by: shaam on July 19, 2025, 10:59:43 PM

Title: Firewall is blocking outbound traffic despite having destination any
Post by: shaam on July 19, 2025, 10:59:43 PM
Hello community,
Over the last few days, I have been noticing a weird issue with the OPNsense firewall. It's blocking outbound traffic intermittently. I don't know when it started, but I noticed it two days ago when trying to install a package in a VM. It works for a few minutes, then blocks the traffic, then works again. It's going on and off. I have a rule for the LAN interface with "any" as the destination, but it's still blocking the traffic. I thought it might be a bug, so I updated the OPNsense instance, but I am still having the issue. Do I need to add any additional rules or update the existing ones? I am attaching screenshots of the rule and the traffic screen. Can someone please help? Thanks,
Title: Re: Firewall is blocking outbound traffic despite having destination any
Post by: patient0 on July 20, 2025, 05:36:26 AM
Can you provide more information about your system?

Are you OPNsense latest, 25.1.11? Is your 'LAN net' 192.168.50.0/24? How is WAN configured and what is the host system the VM is running on? How have you configured the host interfaces the VM is running on? What other firewall rules do you have: floating, NAT, port forwarding, limiters?

On LAN you have the default allow-all from 'LAN net' rules for IPv4 and IPv6 which does allow all traffic from the 'LAN net' to everywhere.
Title: Re: Firewall is blocking outbound traffic despite having destination any
Post by: shaam on July 20, 2025, 11:48:33 PM
Yes, it's the latest, 25.1.11. The LAN subnet is 192.168.1.0/24, and 192.168.50.0/24 is a VLAN. LAN and VLAN have the same rule, which allows all traffic to everywhere. The VM is running on RHEL9. It has DNS, NRPE and SSH services allowed, and ports 5666/tcp, 1514/tcp, 1515/tcp, 55000/tcp, 123/udp and 4460/tcp allowed from the firewall. The VM interface is configured with static IP 192.168.50.202 and gateway 192.168.50.1, and IPv6 is disabled. I don't have any other firewall rules; it has its default rules. Attaching screenshots for WAN and NAT. Thanks
Title: Re: Firewall is blocking outbound traffic despite having destination any
Post by: patient0 on July 21, 2025, 07:17:42 AM
Quote from: shaam on July 20, 2025, 11:48:33 PM
The LAN subnet is 192.168.1.0/24, and 192.168.50.0/24 is a VLAN
If your 'LAN net' is 192.168.1.0/24 then traffic originating from VLAN 192.168.50.0/24 is not allowed with the rule you have. And that's what you are seeing in the screenshot from the first post: source 192.168.50.202 (but on LAN), direction in. Since you only allow 'LAN net' as source, the traffic is blocked.

I'd say you have an issue with the VLAN configuration.

Quote
VM interface configured with static IP 192.168.50.202, and Gateway 192.168.50.1
192.168.50.0/24 is on WAN?
Title: Re: Firewall is blocking outbound traffic despite having destination any
Post by: meyergru on July 21, 2025, 08:49:04 AM
You followed all advice here (https://forum.opnsense.org/index.php?topic=44159.0)?

BTW: If you absolutely need the VLAN, because you do not have enough physical adapters, I would still configure two vtnet adapters for LAN and WAN, i.e. I would separate the VLAN out at the Proxmox level. That is because of point 3 here (https://forum.opnsense.org/index.php?topic=42985.0).
Title: Re: Firewall is blocking outbound traffic despite having destination any
Post by: shaam on July 22, 2025, 04:45:34 AM
Quote from: patient0 on July 21, 2025, 07:17:42 AM
Quote from: shaam on July 20, 2025, 11:48:33 PM
The LAN subnet is 192.168.1.0/24, and 192.168.50.0/24 is a VLAN
If your 'LAN net' is 192.168.1.0/24 then traffic originating from VLAN 192.168.50.0/24 is not allowed with the rule you have. And that's what you are seeing in the screenshot from the first post: source 192.168.50.202 (but on LAN), direction in. Since you only allow 'LAN net' as source, the traffic is blocked.

I'd say you have an issue with the VLAN configuration.

Quote
VM interface configured with static IP 192.168.50.202, and Gateway 192.168.50.1
192.168.50.0/24 is on WAN?
In order to make it work, do I need to include VLAN50 in the source for LAN?
No, 192.168.50.0/24 is not on WAN. It's a VLAN. I am attaching the screenshots for the VLAN. What configuration needs to change? Thanks,
Title: Re: Firewall is blocking outbound traffic despite having destination any
Post by: patient0 on July 23, 2025, 06:38:50 AM
Quote from: shaam on July 22, 2025, 04:45:34 AM
In order to make it work, do I need to include VLAN50 in the source for LAN?
No, that is not necessary. Traffic from VLAN50 should never appear as the source on the LAN interface. VLAN configuration on the switches is not how it should be. Can you provide a diagram of your network, the switch VLAN configuration and how the client is connected (as a VM? Host OS, interfaces/bridges?)


Have you read the link @meyergru posted? It is strongly recommended not to have tagged and untagged traffic on the same interface.
Title: Re: Firewall is blocking outbound traffic despite having destination any
Post by: shaam on July 26, 2025, 10:58:43 PM
Quote from: patient0 on July 23, 2025, 06:38:50 AM
Quote from: shaam on July 22, 2025, 04:45:34 AM
In order to make it work, do I need to include VLAN50 in the source for LAN?
No, that is not necessary. Traffic from VLAN50 should never appear as the source on the LAN interface. VLAN configuration on the switches is not how it should be. Can you provide a diagram of your network, the switch VLAN configuration and how the client is connected (as a VM? Host OS, interfaces/bridges?)


Have you read the link @meyergru posted? It is strongly recommended not to have tagged and untagged traffic on the same interface.
Yes, I read his recommendation. VLAN port is 6, which is untagged. The client VM (RHEL9) is connected on port six from the switch. Here is a screenshot of the switch configuration. Thanks
Screenshot: https://i.postimg.cc/7hbq1CzN/Switch-07262025.png
Title: Re: Firewall is blocking outbound traffic despite having destination any
Post by: patient0 on July 27, 2025, 07:25:30 AM
Quote from: shaam on July 26, 2025, 10:58:43 PM
Yes, I read his recommendation.
One of the points in it is that you don't run tagged and untagged traffic on the same port, but on port 1 that is what you are doing. If you have enough ports on your OPNsense router then it's best to move all the VLANs onto its own port and leave only the untagged traffic on port 1.

Quote from: shaam on July 26, 2025, 10:58:43 PM
VLAN port is 6, which is untagged. The client VM (RHEL9) is connected on port six from the switch. Here is a screenshot of the switch configuration.
That part of the switch configuration does look good. What have you set in '802.1Q PVID Settings', specifically have you set the PVID to 50 on port 6?
Title: Re: Firewall is blocking outbound traffic despite having destination any
Post by: shaam on August 27, 2025, 07:44:46 PM
My apologies, I had some health issues. Here is a screenshot of the PVID Setting for the switch. Thanks
Screenshot: https://i.postimg.cc/661Rt2G7/Screenshot-2025-08-27-103807.png
Title: Re: Firewall is blocking outbound traffic despite having destination any
Post by: patient0 on August 30, 2025, 08:38:01 AM
Hope you are doing ok, health wise.

Quote from: shaam on August 27, 2025, 07:44:46 PM
Here is a screenshot of the PVID Setting for the switch
The settings are correct on the switch.

Your OPNsense router is a physical device, not a VM, yes? Do you have an unused port on it where you can move the VLAN tagged traffic?

Right now you have VLAN50 traffic on LAN and that should not happen.

From what you have set the following should happen: on your VM the traffic leaves the hypervisor (btw: what hypervisor?) untagged, gets tagged with VLAN tag 50 on entering port 6 of your switch and leaves port 1, still tagged with VLAN50. On the OPNsense on port igb0 it is still tagged with VLAN50 and traffic is handled by OPNsense interface 'vlan04'.

But as your very first screenshot shows, VLAN50 traffic sometimes arrives on the 'LAN' interface, and that should not be possible with your configuration. It indicates an issue on L2, e.g. the switch.

You wrote that the VM has a static IP configuration of 192.168.50.202. Is it a static DHCP mapping or did you set it on the VM itself?
Title: Re: Firewall is blocking outbound traffic despite having destination any
Post by: shaam on September 03, 2025, 02:13:20 AM
Yes, it's a physical device. It's a Dell PC, to be specific.
I am using Proxmox hypervisor.
I set a static IP on the VM itself.

The Proxmox server has two interfaces: vmbr0 with subnet 192.168.1.1/24, which I use for management, and the second interface, vmbr1 (for Proxmox) with subnet 192.168.50.1/24, which is a VLAN and is used by VMs and other external servers outside of Proxmox, such as TrueNAS, the backup server, etc. Traffic from VLAN to LAN gets blocked, or vice versa.
I have a weird theory. It might have something to do with routing: when VM 192.168.50.202 sends traffic to Proxmox (192.168.1.100) or any server on the LAN subnet, the packet goes VM -> OPNsense -> Proxmox. Proxmox receives it on vmbr0. Proxmox replies to the VM. Since Proxmox also has a direct connection to 192.168.50.0/24 (via vmbr1), it bypasses OPNsense and attempts to communicate directly with the VM. I might be wrong.
Title: Re: Firewall is blocking outbound traffic despite having destination any
Post by: meyergru on September 03, 2025, 09:45:19 AM
Proxmox will not do that unless you misconfigured it to have an address for that second VLAN assigned to it. In that case, it can pass traffic to the VM directly.
Title: Re: Firewall is blocking outbound traffic despite having destination any
Post by: patient0 on September 06, 2025, 07:56:45 AM
Quote from: shaam on September 03, 2025, 02:13:20 AM
I have a weird theory. It might have something to do with routing
Do you have IP address and gateway for the bridges on Proxmox? If yes then as @meyergru mentioned that is possible. Can you remove IP and gateway from vmbr1 on Proxmox?
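The check patient0 suggests, as an added example that is not part of the thread: a small audit of a Proxmox-style /etc/network/interfaces that flags any bridge carrying a host address besides the one holding the default gateway. The sample configs (bridge names, addresses, NIC names) are constructed to mirror the setup described above, not copied from the poster's system.

```python
import re

# Constructed sample: vmbr0 is the management bridge; vmbr1 was also given an
# address, which makes the host a direct member of 192.168.50.0/24 and lets
# replies bypass the firewall (asymmetric routing).
SAMPLE_INTERFACES = """\
auto vmbr0
iface vmbr0 inet static
    address 192.168.1.100/24
    gateway 192.168.1.1
    bridge-ports enp1s0

auto vmbr1
iface vmbr1 inet static
    address 192.168.50.1/24
    bridge-ports enp2s0
"""

# Corrected form: vmbr1 stays a plain L2 bridge with no host address.
FIXED_INTERFACES = SAMPLE_INTERFACES.replace(
    "iface vmbr1 inet static\n    address 192.168.50.1/24\n",
    "iface vmbr1 inet manual\n",
)

def parse_interfaces(text):
    """Return {iface_name: {option: value}} for each 'iface ... inet ...' stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"iface\s+(\S+)\s+inet6?\s+(\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = {"method": m.group(2)}
            continue
        if line.split()[0] in ("auto", "allow-hotplug", "source", "source-directory"):
            current = None  # stanza ended; top-level keyword
            continue
        if current is not None:
            parts = line.split(None, 1)
            stanzas[current][parts[0]] = parts[1] if len(parts) > 1 else ""
    return stanzas

def extra_addressed_bridges(text):
    """Bridges with an address other than the one carrying the default gateway."""
    stanzas = parse_interfaces(text)
    mgmt = {n for n, o in stanzas.items() if "gateway" in o}
    return sorted(n for n, o in stanzas.items()
                  if "bridge-ports" in o and "address" in o and n not in mgmt)
```

Run it against the real file with `extra_addressed_bridges(open("/etc/network/interfaces").read())`; any bridge it lists is one the host can answer on directly, bypassing OPNsense.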
Title: Re: Firewall is blocking outbound traffic despite having destination any
Post by: shaam on September 08, 2025, 06:04:47 PM
I removed the IP address from the second bridge, vmbr1, and it fixed the issue. It seems like the firewall was blocking traffic on and off from VLAN 192.168.50.1/24 to 192.168.1.0/24. When I SSH from VM1 (192.168.50.222) to Proxmox (192.168.1.100) or any VM on the subnet 192.168.1.0/24, it blocks the traffic, but not permanently. After a few minutes it unblocks and then blocks again, causing the on-and-off issue. I don't know the explanation; I guess it has something to do with routing, but because of you guys I now know I don't have to include the IP address in the second bridge.
I have a little knowledge of networking and am planning to prepare for the Network+ certification sometime soon. Is there any OPNsense tutorial or YouTube video from which I can learn more about it? I prefer video since I am a visual learner.
Thank you so much for helping. I must say this is one of the best forums that I have ever used. Keep doing the great work. Thanks