OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: Antaris on February 13, 2019, 10:00:23 pm

Title: How to edit the notorious "Default deny rule"
Post by: Antaris on February 13, 2019, 10:00:23 pm
Hi fellas,

I have a problem behind several routers with accessing Dahua DVR/NVRs by serial number (Dahua's DDNS).
Edited Firewall>>LAN>>Advanced>>State>>State Type to 'none' and the default deny rule still kicks in :(
Any clue?

p.s. it's all about asymmetrical routing. Is there a way to allow it for sure?
Title: Re: How to edit the notorious "Default deny rule"
Post by: CloudHoppingFlowerChild on February 16, 2019, 11:00:16 pm
First, "Firewall>>LAN>>Advanced>>State>>" doesn't seem to correspond to the menus that exist in OPNsense 19.1

Second, the default deny is the fundamental function of every firewall in existence. You must make rules to allow traffic.
Title: Re: How to edit the notorious "Default deny rule"
Post by: Antaris on February 18, 2019, 09:33:53 am
After disabling state tracking in numerous places, the Default deny rule now changed from rulenr 6 to rulenr 8. Still no-go. What is rulenr 8?
Title: Re: How to edit the notorious "Default deny rule"
Post by: chemlud on February 18, 2019, 10:05:46 am
I don't really understand what you want with the default deny rule, turn it off? That can be achieved, but your problem is in your word asymmetrical routing.
Title: Re: How to edit the notorious "Default deny rule"
Post by: Antaris on February 18, 2019, 06:08:00 pm
...your problem is in your word asymmetrical routing.
That's exactly what I want to allow. We build many Dahua surveillance systems and connect them to a SmartPSS on a PC in our shop (behind the OPNsense) by a serial number with corresponding user and password. When the SmartPSS tries to connect, it sends a request to Dahua P2P servers, then the Dahua P2P servers contact the corresponding NVR/DVR, which is registered in Dahua servers via UPnP on random ports behind their router, and the corresponding NVR/DVR tries to connect to SmartPSS, but can't because of the "Default deny rule".
With simple router and with IPFire that works out of the box.
Title: Re: How to edit the notorious "Default deny rule"
Post by: amichel on February 18, 2019, 06:45:02 pm
Hi,
did you try to install the upnp (os-upnp) package? This might assist you in dynamically opening ports per UPnP.

amichel
Title: Re: How to edit the notorious "Default deny rule"
Post by: Antaris on February 18, 2019, 10:18:53 pm
All of the routers that are in front of the NVR/DVRs have UPnP enabled and I have no problem accessing them from anywhere else. The problem is when I try to access them while I am behind the OPNsense firewall. If I am behind a plastic router or mobile network or even IPFire I have no problem. Default deny rule - rulenr 6 or rulenr 8 :(
Title: Re: How to edit the notorious "Default deny rule"
Post by: jafinn on February 19, 2019, 01:18:59 pm
Just add a rule allowing all traffic? Firewall rules are executed on first match so then the deny rule shouldn't matter.
Title: Re: How to edit the notorious "Default deny rule"
Post by: Antaris on April 23, 2019, 08:32:35 pm
The problem still persists when we have a Dahua DVR behind OPNsense router and we try to access it from internet. UPnP is enabled. This time "rulenr" is 15.
Where can we find a complete list with explanations of each rule number that falls in the group "Default Deny Rule"?
Title: Re: How to edit the notorious "Default deny rule"
Post by: chemlud on April 24, 2019, 09:04:57 am
RE rule no. see here:

https://forum.opnsense.org/index.php?topic=10763.msg49741#msg49741
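The two practical questions in this thread, which rule a logged rulenr refers to and which pass rules the packet fell past before hitting the default deny, can both be answered from the pf ruleset that OPNsense has loaded. On pf-based firewalls the rule number in the firewall log is the `@N` index printed by `pfctl -vvsr`, so `pfctl -vvsr | grep '^@8 '` shows what "rulenr 8" is on the box in question. The script below is an added example, not code from the thread or from OPNsense; its ruleset dump is a constructed sample shaped like `pfctl -vvsr` output, and every interface name, address, port and label in it is invented for illustration. It also shows the two state options people reach for with asymmetric paths: `keep state (sloppy)` relaxes pf's TCP sequence-window checks so a flow whose directions take different routes is not dropped, whereas disabling state creation (State Type "none") means the return direction needs its own explicit pass rule, otherwise the default deny still catches it.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from OPNsense.
# Resolve a "rulenr" from the OPNsense firewall log to the rule that logged
# the packet, using the pf ruleset dump. On a real box the dump comes from:
#     pfctl -vvsr
# RULESET below is a CONSTRUCTED sample shaped like that output; interfaces,
# addresses, ports and labels are invented. OPNsense adds "quick" to its
# rules, so the first matching rule wins: a log entry for the default deny
# rule means every pass rule with a lower number failed to match.

RULESET='@0 block drop in log quick inet from 127.0.0.0/8 to any label "Block traffic from localhost"
  [ Evaluations: 3201      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 48912 State Creations: 0     ]
@1 pass in quick on em1 inet proto tcp from any to 203.0.113.10 port = 37777 flags S/SA keep state label "WAN: NVR port forward"
  [ Evaluations: 3201      Packets: 12        Bytes: 960         States: 0     ]
  [ Inserted: uid 0 pid 48912 State Creations: 2     ]
@2 pass in quick on em0 inet from 192.168.1.0/24 to any flags S/SA keep state (sloppy) label "LAN: allow, sloppy state for asymmetric paths"
  [ Evaluations: 3189      Packets: 8810      Bytes: 1204411     States: 17    ]
  [ Inserted: uid 0 pid 48912 State Creations: 55    ]
@3 block drop in log quick on em1 inet from 10.0.0.0/8 to any label "Block private networks from WAN"
  [ Evaluations: 2970      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 48912 State Creations: 0     ]
(rules @4 to @7 omitted from this constructed sample)
@8 block drop in log inet all label "Default deny rule IPv4"
  [ Evaluations: 2970      Packets: 41        Bytes: 2460        States: 0     ]
  [ Inserted: uid 0 pid 48912 State Creations: 0     ]
@9 block drop in log inet6 all label "Default deny rule IPv6"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 48912 State Creations: 0     ]'

# Print the rule text for rule number $1 without the "@N" prefix, or nothing
# if no such rule exists. The bracketed statistics lines never start with
# "@", so they are skipped automatically.
rule_for_nr() {
    printf '%s\n' "$RULESET" |
        awk -v n="$1" '$1 == ("@" n) { $1 = ""; sub(/^ /, ""); print }'
}

# Print only the label of rule $1 (the text the OPNsense log view shows as
# the rule description), or nothing if the rule is missing or unlabelled.
label_for_nr() {
    rule_for_nr "$1" | sed -n 's/.*label "\([^"]*\)".*/\1/p'
}

# List the pass rules numbered below $1. With first-match ("quick")
# semantics these are exactly the rules the logged packet was evaluated
# against and did not match before reaching rule $1.
pass_rules_before() {
    printf '%s\n' "$RULESET" |
        awk -v n="$1" '/^@[0-9]+ / && (substr($1, 2) + 0) < n && $2 == "pass"'
}

# Stand-alone usage: resolve the number from the thread (rulenr 8) unless
# another number is given on the command line.
nr="${1:-8}"
echo "rulenr $nr -> $(rule_for_nr "$nr")"
echo "label:      $(label_for_nr "$nr")"
echo "pass rules evaluated before it:"
pass_rules_before "$nr"
```

Run it as `sh resolve_rulenr.sh 8` against the sample, or swap the constructed dump for `RULESET="$(pfctl -vvsr)"` on the firewall itself. Note that the numbering changes whenever the ruleset is regenerated (the thread saw rulenr 6, then 8, then 15 after config changes), so always resolve the number against the ruleset that was loaded when the log line was written.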