Print Page - Crowdsec & floating rules appear as Default Deny in 26.1

Title: Crowdsec & floating rules appear as Default Deny in 26.1
Post by: cyb_tachyon on April 29, 2026, 10:16:56 PM

Crowdsec and floating rules appear as "Default deny / state violation" in 26.1 logs. This makes it incredibly difficult to troubleshoot.

To reproduce, enable Crowdsec plugin and defaults.
Whitelist your local host IPs (192.168.1.0/24).
Start docker instances that use port forwarding for a range of port connections.
Note that the docker instances will be blocked from outgoing traffic on those ports after Crowdsec makes a decision to block.
Note that the logs do NOT indicate this, and instead treat all Crowdsec decision floating rules as "Default deny / state violation".

Desired result: Floating rules are logged by their origin (plugin name or automatic), or if not possible, floating rules appear as "Floating Rule".
Workaround: Whitelist Docker IP subnets in Crowdsec, and add Firewall Rules (New) specific for Docker IP subnets (172.15-20.0.0/16).

Related threads:

https://forum.opnsense.org/index.php?topic=38822.0
https://forum.opnsense.org/index.php?topic=45838.0

Network Setup:

OPNSense 26.1.6_2 latest on a AMD SoC, 3 Intel NICs.
NIC 0 to Cable Modem (WAN).
NIC 1 to 10G home network, 10G dumb switches no other routing equipment (LAN).
No VLANs or anything yet. Still haven't graduated from basic networking.
Debian 13 on an Intel NIC large host.
Multiple other PCs wired in.

OPNsense Setup:

IPV6 disabled (some of the PCs and apps have a fit and refuse to work on IPV6).
Unbound DNS installed, enabled, and set up with overrides that match aliases.
Aliases set up for IPV4 for Debain 13 PCs.
ACME Client installed and configured.
CrowdSec installed and configured with whitelist for 192.168.1.106.
ISC DECHPv4 migrated from 25.
NAT (New) migrated from 25, old rules removed.

Debian 13 Setup:

Default settings for the NIC.
Default settings for Docker install (bridge mode NAT).
Using a docker instance to start port scanning-like activity.

Title: Re: Crowdsec & floating rules appear as Default Deny in 26.1
Post by: nero355 on April 29, 2026, 11:55:16 PM

Quote from: cyb_tachyon on April 29, 2026, 10:16:56 PMWorkaround: Whitelist Docker IP subnets in Crowdsec, and add Firewall Rules (New) specific for Docker IP subnets (172.15-20.0.0/16).

Debian 13 Setup:
Default settings for Docker install (bridge mode NAT).

Why not use MACVLAN for Docker and maybe not have this issue ?!

A lot of Docker users I know use it and recommend it to pretty much everyone too! :)

OPNsense Forum

English Forums => General Discussion => Topic started by: cyb_tachyon on April 29, 2026, 10:16:56 PM