OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: andbaum on February 03, 2019, 06:12:16 pm

Title: SOLVED: OPNSense blocks internal LAN to LAN traffic
Post by: andbaum on February 03, 2019, 06:12:16 pm
In my firewall logs, I often see blocked packets going from an internal LAN device to another internal LAN device.
My questions:
1) Why does OPNsense see those packets? They should be switched and never meet the firewall?!?
2) I wrote a "SRC: LAN_NET DST: LAN_NET allow any" rule, but I didn't change the logging behavior.

Within the LAN everything seems to work.

Can you give me some feedback?

Yours,

Andreas
Title: Re: OPNSense blocks internal LAN to LAN traffic
Post by: rabievdm on February 04, 2019, 02:04:38 pm
Hi,

Going to have to guess here, but...
WRT why is the firewall seeing it:
-) I'm going to assume you don't have some odd subnetting issue on your 10.0.0.10 server which is trying to route everything back to the clients.
-) From the info I see that the TCP flags RA are set; see the following:
https://forum.opnsense.org/index.php?topic=4622.0
This suggests that either the firewall is seeing asymmetric traffic or was restarted. Seeing as both devices are internal I'm again leaning towards you somehow only seeing part of the conversation? Do you know if this might be a custom solution? Or somehow broadcasts (although it being TCP and looking at the port numbers I would be less inclined to go with that argument).
Title: Re: OPNSense blocks internal LAN to LAN traffic
Post by: andbaum on February 04, 2019, 02:30:13 pm
Thanks for your comment.

Actually I was able to get rid of the log entries as I set the state tracking for my "LAN to LAN allow any rule" to none.

But I still wonder, why my firewall (= gateway with 10.0.0.1) sees switched (Netgear ProSafe) traffic between internal LAN devices?
(The 10.0.0.10 server was only in this example, I randomly see other internal IPs being blocked to each other).
Title: SOLVED: OPNSense blocks internal LAN to LAN traffic
Post by: andbaum on February 04, 2019, 02:43:42 pm
Shame on me...  ::)
I solved it. 483 days uptime on the switch -> after a reboot of the switch, the FW doesn't see any local to local packets any more...

Yours, Andreas
Title: Re: SOLVED: OPNSense blocks internal LAN to LAN traffic
Post by: rabievdm on February 04, 2019, 06:15:55 pm
Hahahaha, glad you solved it.
Although maybe time for some fresh firmware on the switch or as much as I hate the practice ... a reboot schedule :)
Title: Re: SOLVED: OPNSense blocks internal LAN to LAN traffic
Post by: franco on February 05, 2019, 09:21:37 am
Arcane fix, but not unheard of. Sounds like the MAC table was full and the switch was broadcasting on all ports throwing off the state tracking or even triggering the spoof detection.


Cheers,
Franco
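The failure mode Franco describes (a switch whose MAC table is full floods unicast frames out every port, so the firewall's LAN interface sees conversations between two other hosts, often mid-stream packets with R/RA flags that match no state) can be checked for directly. The script below is an added example, not code from the thread or from OPNsense: it takes a constructed list of packets as the LAN interface would see them and flags unicast traffic between two LAN hosts where neither side is the firewall, which a correctly working switch should never deliver to the firewall. The 10.0.0.1 gateway and 10.0.0.10 server come from the thread; the /24 prefix, the other addresses and the packet records are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Assumed for the example: the thread gives 10.0.0.1 as the gateway, the
# /24 prefix is a guess.
LAN_NET = ipaddress.ip_network("10.0.0.0/24")
FIREWALL_IP = ipaddress.ip_address("10.0.0.1")

# Constructed sample of what the firewall's LAN interface received.
# Each record: (src_ip, dst_ip, proto, tcp_flags). Not real log data.
SAMPLE_PACKETS = [
    ("10.0.0.10", "10.0.0.1", "tcp", "S"),    # client to firewall: expected
    ("10.0.0.23", "10.0.0.10", "tcp", "RA"),  # two LAN hosts: should be switched
    ("10.0.0.10", "10.0.0.23", "tcp", "A"),
    ("10.0.0.10", "10.0.0.23", "tcp", "A"),
    ("10.0.0.10", "10.0.0.23", "tcp", "RA"),
    ("10.0.0.5", "8.8.8.8", "udp", ""),       # outbound, routed via firewall
    ("10.0.0.5", "10.0.0.255", "udp", ""),    # broadcast: legitimately seen
]


def is_stray_lan_unicast(src, dst, lan_net=LAN_NET, fw_ip=FIREWALL_IP):
    """True if the packet is unicast between two LAN hosts, neither of
    which is the firewall. A switch with a healthy MAC table never
    forwards such a frame to the firewall port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in lan_net or d not in lan_net:
        return False          # routed traffic, the firewall must see it
    if s == fw_ip or d == fw_ip:
        return False          # traffic to/from the firewall itself
    if d == lan_net.broadcast_address or d.is_multicast:
        return False          # broadcast/multicast is flooded by design
    return True


def flooding_report(packets, lan_net=LAN_NET, fw_ip=FIREWALL_IP):
    """Count stray LAN-to-LAN unicast packets per (src, dst) pair and how
    many of them carried a TCP RST, the symptom seen in the thread."""
    pairs = Counter()
    rst_packets = 0
    for src, dst, proto, flags in packets:
        if not is_stray_lan_unicast(src, dst, lan_net, fw_ip):
            continue
        pairs[(src, dst)] += 1
        if proto == "tcp" and "R" in flags:
            rst_packets += 1
    return {
        "stray_packets": sum(pairs.values()),
        "pairs": dict(pairs),
        "rst_packets": rst_packets,
    }


def looks_like_flooding(report, min_pairs=2):
    """Stray traffic between several unrelated host pairs points at the
    switch flooding (full MAC table); a single pair is more likely one
    misconfigured host routing via the gateway."""
    return len(report["pairs"]) >= min_pairs


if __name__ == "__main__":
    rep = flooding_report(SAMPLE_PACKETS)
    print(rep)
    print("switch flooding suspected:", looks_like_flooding(rep))
```

In practice the records would come from a capture on the firewall's LAN interface (for example tcpdump filtered to that subnet) rather than the embedded sample; the point is the classification, not the parser. Several distinct host pairs showing up, with mid-stream ACK/RST packets that pf's state table has never seen the SYN for, is the pattern Franco attributes to the switch, and it explains why an "allow any" rule with normal state tracking still logged blocks until state tracking was set to none.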