Today my ISP had an issue, everything was down.
After they fixed it I noticed that I couldn't reach some sites, like Steam, Bredbandskollen,
TV4... the list goes on.
Ping worked, DNS no issues.
So I looked at Wireshark...
Concluded that the firewall didn't let the remote sites talk back.
To confirm, I brought out my old OpenBSD firewall/router.
No issues. Everything worked.
So what happened?
Today there was an automatic rule created,
an "any to any" deny rule.
Searching to find a way to reset that table.
TLDR
Remove the rules created today.
It has worked perfectly until my ISP had a
mishap.
Some more info would be helpful...
Are you referring to the Default deny / state violation rule? Or some other rule?
I've tested the scenario (many times) in both LAB and production, where the ISP goes down, then comes back up, and haven't had any issues... OPNsense recovered the WAN interface and L2 and L3 topology automatically, the gateway monitor also always recovers automatically as expected, and I haven't observed any automatic rule changes...
If you restart OPNsense, or make a F/W rule change, there is a known issue where the F/W state table rules can get out of sync, necessitating a F/W state table reset... in Firewall: Diagnostics: States -> Actions 'Reset state table'
Quote from: hharry on August 15, 2025, 05:22:14 AM
Some more info would be helpful...
Are you referring to the Default deny / state violation rule? Or some other rule?
I've tested the scenario (many times) in both LAB and production, where the ISP goes down, then comes back up, and haven't had any issues... OPNsense recovered the WAN interface and L2 and L3 topology automatically, the gateway monitor also always recovers automatically as expected, and I haven't observed any automatic rule changes...
If you restart OPNsense, or make a F/W rule change, there is a known issue where the F/W state table rules can get out of sync, necessitating a F/W state table reset... in Firewall: Diagnostics: States -> Actions 'Reset state table'
Thank you for the suggestion to perform a reset of the state tables,
but that didn't help, I am afraid.
Are we saying that this deny rule has existed since I configured the FW?
It sure goes to work when I reload a page like bredbandskollen.se :)
It has worked fantastically for over a year; 4 months ago I added a Wireguard connection,
that's the only special thing about my firewall.
Quote from: j0xter on August 15, 2025, 07:30:11 AM
Are we saying that this deny rule has existed since I configured the FW?
Yes. Like any firewall the default policy is "deny anything which is not explicitly allowed". This is achieved by this default rule which matches last.
You might want to check your allow rules - it seems they do for some reason not match connecting to the site you mentioned with your browser. Do you have Geo IP in your allow rules?
Quote from: Patrick M. Hausen on August 15, 2025, 09:55:31 AM
Quote from: j0xter on August 15, 2025, 07:30:11 AM
Are we saying that this deny rule has existed since I configured the FW?
Yes. Like any firewall the default policy is "deny anything which is not explicitly allowed". This is achieved by this default rule which matches last.
You might want to check your allow rules - it seems they do for some reason not match connecting to the site you mentioned with your browser. Do you have Geo IP in your allow rules?
What is the best way to list the rules in the terminal?
So we might get a productive thing going.
I haven't touched anything like that.
The only rule change I've made is to allow Wireguard,
and that was 4 months ago.