I recently updated to 25.4.2 Business Edition from 24.x Business Edition and it seems this has somehow made OPNsense block something it should not. I must stress 'seems' as I really suspect this is probably my problem, but I have been unable to understand what is going on. This is a bit of a pressing issue for me, as this blocks my upcoming LE certificate renewals.
I have a system on the inside that provides a DNS server on port 953 (this is for the ACME DNS challenge and it runs alongside a regular internal DNS that listens on port 53, only reachable on the LAN). The ACME DNS challenge server works and is reachable internally on that server on port 953.
I have a NAT Port Forwarding rule that maps an outside port 53 on the WAN interface of one of my public IPs to an inside server port 953.
But when I try to reach the ACME DNS challenge server from the outside (and I have been running this without issue in 24.x for years, which is why I am now suspecting the upgrade) the traffic is blocked by the default deny rule. Hence, LE certificate updating has stopped working as LE cannot reach my ACME DNS Challenge server.
There is a FW rule on the WAN interface that explicitly passes it, but it seems not to be triggered:
@96 pass in log quick on igb0 inet proto tcp from <countries_letsencrypt_allowed:0> to <wan_vanroodewierda_rna_nl:1> port = domain flags S/SA keep state label "216b045bfd3fbe399846a0acb206d45b"
evaluations: 5
packets: 0
bytes: 0
states: 0
inserted: uid 0 pid 74119
state_creations: 0
time: n/a
@97 pass in log quick on igb0 inet proto udp from <countries_letsencrypt_allowed:0> to <wan_vanroodewierda_rna_nl:1> port = domain keep state label "216b045bfd3fbe399846a0acb206d45b"
evaluations: 0
packets: 0
bytes: 0
states: 0
inserted: uid 0 pid 74119
state_creations: 0
time: n/a
Any ideas where to look? Could this be a bug in 25.4 Business Edition?
Addition:
- Connecting from inside to the internal server on port 953 with dig works
- Connecting from inside to the internal server using hairpin (so outside IP address) on port 53 times out, but does not show a log entry from the firewall that it has been blocked
- Connecting from the outside to the outside IP address on port 53 times out and does show a firewall block log message on the default blocking rule
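A small diagnostic for dumps like the one above, added here as an example and not part of the original post or of OPNsense itself. In pf's verbose rule listing (pfctl -vvsr) a table reference is printed as <name:N>, where N is the number of entries currently loaded in that table, and the counters under each rule record how often it was evaluated and how many packets actually matched. The script parses that format and flags pass rules that reference an empty table (the source alias countries_letsencrypt_allowed shows :0 in both rules above) or that were evaluated without ever matching. The sample dump is the two rules from the post; the function and variable names are this example's own.

```python
import re
import sys

# Constructed sample input: the two WAN pass rules from the post, in the
# layout pfctl -vvsr uses (rule line followed by its counter lines).
SAMPLE_DUMP = """\
@96 pass in log quick on igb0 inet proto tcp from <countries_letsencrypt_allowed:0> to <wan_vanroodewierda_rna_nl:1> port = domain flags S/SA keep state label "216b045bfd3fbe399846a0acb206d45b"
evaluations: 5
packets: 0
bytes: 0
states: 0
inserted: uid 0 pid 74119
state_creations: 0
time: n/a
@97 pass in log quick on igb0 inet proto udp from <countries_letsencrypt_allowed:0> to <wan_vanroodewierda_rna_nl:1> port = domain keep state label "216b045bfd3fbe399846a0acb206d45b"
evaluations: 0
packets: 0
bytes: 0
states: 0
inserted: uid 0 pid 74119
state_creations: 0
time: n/a
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")                # "@96 pass in ..."
TABLE_RE = re.compile(r"<([A-Za-z0-9_.-]+):(\d+)>")    # "<table:entrycount>"
COUNTER_RE = re.compile(
    r"^\s*(evaluations|packets|bytes|states|state_creations):\s*(\d+)"
)


def parse_rules(dump):
    """Turn a pfctl -vvsr style dump into a list of rule dicts."""
    rules = []
    current = None
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if m:
            text = m.group(2)
            current = {
                "id": int(m.group(1)),
                "text": text,
                # table name -> number of loaded entries
                "tables": {name: int(count) for name, count in TABLE_RE.findall(text)},
                "counters": {},
            }
            rules.append(current)
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            current["counters"][m.group(1)] = int(m.group(2))
    return rules


def find_dead_pass_rules(rules):
    """Return (rule id, reasons) for pass rules that cannot or did not match."""
    findings = []
    for rule in rules:
        if not rule["text"].startswith("pass"):
            continue
        reasons = []
        empty = [name for name, count in rule["tables"].items() if count == 0]
        if empty:
            # An empty table never matches, so the rule is skipped regardless
            # of the traffic; the default deny then applies.
            reasons.append("empty table(s): " + ", ".join(empty))
        counters = rule["counters"]
        if counters.get("evaluations", 0) > 0 and counters.get("packets", 0) == 0:
            reasons.append("evaluated but matched nothing")
        if reasons:
            findings.append((rule["id"], reasons))
    return findings


if __name__ == "__main__":
    # Usage: pfctl -vvsr | python3 check_rules.py   (or run without input
    # to analyse the embedded sample dump)
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for rule_id, reasons in find_dead_pass_rules(parse_rules(dump)):
        print(f"rule @{rule_id}: " + "; ".join(reasons))
```

When a pass rule is reported for an empty table, the next thing to check is why the alias resolved to nothing after the upgrade (for a GeoIP-style alias: whether the country list source was fetched and the alias is still enabled), since a rule that references an empty table is never the rule that handles the packet.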