OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: finish06 on March 08, 2019, 03:22:42 pm

Title: Firewall Assistance - Pass sometimes, not always
Post by: finish06 on March 08, 2019, 03:22:42 pm
What would cause the below issue?  Ports on the firewall are set to '*'.

Thanks!

Title: Re: Firewall Assistance - Pass sometimes, not always
Post by: franco on March 08, 2019, 03:24:26 pm
Asymmetric routing or faulty switching. The default deny rule will block connections that don't have a correct TCP state so it doesn't see all packets belonging to the connection.

There are a number of threads in this forum about it, look for "default deny" and "state tracking disable".


Cheers,
Franco
Title: Re: Firewall Assistance - Pass sometimes, not always
Post by: finish06 on March 08, 2019, 04:04:58 pm
Thank you for the prompt reply!  I struggled to search for anything meaningful.  I think it is asymmetrical routing.  While I am not sure what that is exactly, changing the state type to none fixed the issue.  I found the information on this forum:
https://forum.opnsense.org/index.php?topic=9136.msg40997#msg40997
Title: Re: Firewall Assistance - Pass sometimes, not always
Post by: franco on March 08, 2019, 04:41:01 pm
It would mean packets (usually one direction, sometimes more fuzzy than this) find another way to the OPNsense than the assigned network port where they are supposed to appear and "confuse" the state tracking, causing it to invalidate the connection because the TCP is not well-formed.

From an end user perspective this doesn't matter, from a network design and security standpoint that can pose problems. Sometimes it can be a switch that is flooding due to full MAC tables.


Cheers,
Franco
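As an added example (not part of this thread or of OPNsense itself), here is a check that turns Franco's explanation into something you can run against the firewall log before reaching for "state type: none": a default-deny hit on a bare SYN is a normal refused connection, while a default-deny hit on an ACK/PSH/FIN packet means the firewall never saw the handshake on that interface, which is the asymmetric-routing (or flooding-switch) symptom. The column indices assume the filterlog CSV layout OPNsense writes to /var/log/filter.log for IPv4 TCP records, and the log lines below are constructed.

```python
import csv
from collections import Counter

# Column positions inside the filterlog CSV payload of an IPv4 TCP record.
# Assumption: this is the pf filterlog column order used by OPNsense; compare
# the indices with one real line from /var/log/filter.log before relying on them.
F_IFACE, F_ACTION, F_DIR, F_IPVER = 4, 6, 7, 8
F_PROTO, F_SRC, F_DST, F_DPORT, F_TCPFLAGS = 16, 18, 19, 21, 23

# Constructed sample: two mid-connection packets and one SYN hit the default
# deny on em0, one packet is passed on em1, one UDP block is ignored here.
SAMPLE_LOG = """\
Mar  8 15:20:01 OPNsense filterlog: 5,,,100,em0,match,block,in,4,0x0,,63,41212,0,DF,6,tcp,52,192.168.1.10,10.0.0.5,51234,443,0,A,1122334455,99887766,1024,,
Mar  8 15:20:01 OPNsense filterlog: 5,,,100,em0,match,block,in,4,0x0,,63,41213,0,DF,6,tcp,52,192.168.1.10,10.0.0.5,51234,443,0,PA,1122334455,99887766,1024,,
Mar  8 15:20:02 OPNsense filterlog: 5,,,100,em0,match,block,in,4,0x0,,64,7,0,DF,6,tcp,60,203.0.113.7,10.0.0.5,40000,22,0,S,5,0,65535,,mss;sackOK;TS
Mar  8 15:20:02 OPNsense filterlog: 71,,,200,em1,match,pass,in,4,0x0,,64,8,0,DF,6,tcp,60,10.0.0.5,192.168.1.10,443,51234,0,S,9,0,65535,,mss
Mar  8 15:20:03 OPNsense filterlog: 5,,,100,em0,match,block,in,4,0x0,,64,9,0,none,17,udp,78,192.168.1.20,10.0.0.53,5353,53,58
"""

def parse_filterlog(line):
    """Return the CSV fields of one IPv4 TCP filterlog line, or None otherwise."""
    payload = line.split("filterlog: ", 1)[-1].strip()
    fields = next(csv.reader([payload]))
    if len(fields) <= F_TCPFLAGS or fields[F_IPVER] != "4" or fields[F_PROTO] != "tcp":
        return None
    return fields

def summarize(lines):
    """Split blocked TCP packets per flow into SYN denies and out-of-state drops.

    A blocked packet whose flags contain SYN but not ACK is a refused new
    connection. Anything else blocked (ACK, PSH, FIN, SYN-ACK) belongs to a
    connection the firewall holds no state for, i.e. it never saw the
    handshake on this interface: the asymmetric-routing signature.
    """
    syn_denies, out_of_state = Counter(), Counter()
    for line in lines:
        f = parse_filterlog(line)
        if f is None or f[F_ACTION] != "block":
            continue
        flow = (f[F_IFACE], f[F_DIR], f[F_SRC], f[F_DST], f[F_DPORT])
        flags = f[F_TCPFLAGS]
        if "S" in flags and "A" not in flags:
            syn_denies[flow] += 1
        else:
            out_of_state[flow] += 1
    return syn_denies, out_of_state

if __name__ == "__main__":
    syn, oos = summarize(SAMPLE_LOG.splitlines())
    for flow, n in oos.items():
        print(f"{n} out-of-state packet(s) blocked, check routing for flow {flow}")
```

Flows that show up repeatedly in the out-of-state counter are the ones worth tracing on the switch or routing table; a large number of SYN denies is ordinary default-deny behaviour and not a state-tracking problem.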