Hello,
I have an issue that I could not find the culprit to that is driving me crazy.
In the live log I get a "Default deny / state violation rule" from a my local NAS that
is on my LAN network and should not block this port.
64 = NAS
20 = OpnSense LAN interface
LAN In 2026-07-15T21:40:22 TCP 192.168.x.64:56672 192.168.x.20:80 block Default deny / state violation rule
Other IPs in my LAN does not have any issues accessing port 80 on .20
I am using the latest OPNsense 26.1.11_10-amd64 and is using the new upgraded style rules.
I even have a "Default allow LAN to any rule" enabled but also tried a separate LAN_HOME to LAN_HOME alias firewall for both in and out.
And have also made a specific to .64 but still same issue.
Is there anyone that could point me in the right direction why this only happens from one device and not all ?
I do have CrowdSec and Q-Feed plus a few others but have tested to switch off Intrusion Detection (suricata)
I have talked a bit with ChatGPT and it gave me some hints.
As the entry in the live log contains only A (ACK) it could be:
An ACK packet means:
It is not the start of a TCP connection (which would be a SYN packet).
It is trying to continue an existing TCP session.
OPNsense/PF is saying: "I don't have a state for this connection," so it logs Default deny / state violation rule and drops the packet.
1. The state expired. This is very common with browsers that reuse keep-alive connections.
2. NAS kept the connection alive - Many NAS devices (especially Synology and QNAP) maintain persistent HTTP/HTTPS sessions.
This is most likely the culprit.
In other words, PF expected a state entry that no longer exists.
//Dan Lundqvist
Stockholm, Sweden
Could you post the details of a blocked packet?
Quote from: Patrick M. Hausen on July 15, 2026, 09:58:38 PMCould you post the details of a blocked packet?
Sure. But see my updated comments as well in main thread.
__timestamp__ 2026-07-15T22:01:22
ack 3617553731
action [block]
anchorname
datalen 0
dir [in]
dst 192.168.x.20
dsthostname
dstport 80
ecn
id 13194
interface em1
ipflags none
ipversion 4
label Default deny / state violation rule
length 40
offset 0
protoname tcp
protonum 6
reason match
rid 02f4bab031b57d1e30553ce08e0ec131
rulenr 5
seq
src 192.168.x.64
srchostname
srcport 47713
status 2
subrulenr
tcpflags A
tcpopts
tos 0x0
ttl 44
urp 1024
//Danne
These packets should not go through the firewall at all if 192.168.x is the same x for both systems. I'd first check the netmasks/prefix-lengths of both systems.
Quote from: Patrick M. Hausen on July 15, 2026, 10:08:43 PMThese packets should not go through the firewall at all if 192.168.x is the same x for both systems. I'd first check the netmasks/prefix-lengths of both systems.
Both OpnSense (.20 LAN) and NAS (.64) is in same net and do have same netmask in both machines.
Also the NAS has .20 as default GW and it is working. Running both from outside in to webserver (NAT) but also from inside to other Synology NAS remote.
//Dan
How many Interfaces does your NAS have ?
Usually this kind of stuff leads to A-Sync Routing issues that need to be solved...