OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: dibun on April 11, 2019, 05:50:57 pm

Title: Firewall rules changed on reboot
Post by: dibun on April 11, 2019, 05:50:57 pm
I have HW from PC Engines and it has 3 ports:

1. WAN (1st port) wan/igb0
2. LAN (2nd port) opt1/igb1
3. DMZ (3rd port) opt2/igb2
4. Guest (VLAN 10 on LAN port) opt4/igb1_vlan10

Recently, during one of the reboots, the LAN traffic started flowing via the Guest VLAN and everything got blocked. The only way to allow it is to shut down the firewall or allow LAN net firewall rules under the Guest VLAN.

I reinstalled and configured from scratch and it worked, but now it has happened again after the reboot.

I am running the latest production release.

igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
   ether 00:0d:b9:51:0b:fd
   hwaddr 00:0d:b9:51:0b:fd
   inet6 fe80::20d:b9ff:fe51:bfd%igb1 prefixlen 64 scopeid 0x2
   inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   media: Ethernet autoselect (1000baseT <full-duplex>)
   status: active

igb1_vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   ether 00:0d:b9:51:0b:fd
   inet6 fe80::20d:b9ff:fe51:bfd%igb1_vlan10 prefixlen 64 scopeid 0x9
   inet 10.2.1.1 netmask 0xffffff00 broadcast 10.2.1.255
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   media: Ethernet autoselect (1000baseT <full-duplex>)
   status: active
   vlan: 10 vlanpcp: 0 parent interface: igb1
   groups: vlan

Export from backup XML:

LAN rule
----------------------
<rule>
  <type>pass</type>
  <interface>opt1</interface>
  <ipprotocol>inet</ipprotocol>
  <statetype>keep state</statetype>
  <descr>HTTP</descr>
  <protocol>tcp</protocol>
  <source>
    <network>opt1</network>
  </source>
  <destination>
    <any>1</any>
    <port>80</port>
  </destination>
  <updated>
    <username>root@10.1.1.5</username>
    <time>1554540266.7673</time>
    <description>/firewall_rules_edit.php made changes</description>
  </updated>
  <created>
    <username>root@10.1.1.5</username>
    <time>1554540266.7673</time>
    <description>/firewall_rules_edit.php made changes</description>
  </created>
</rule>

Guest VLAN
--------------
<rule>
  <type>pass</type>
  <interface>opt4</interface>
  <ipprotocol>inet</ipprotocol>
  <statetype>keep state</statetype>
  <descr>Default allow LAN to any rule</descr>
  <source>
    <network>opt4</network>
  </source>
  <destination>
    <any>1</any>
  </destination>
  <updated>
    <username>root@192.168.1.4</username>
    <time>1553809108.1252</time>
    <description>/firewall_rules_edit.php made changes</description>
  </updated>
  <created>
    <username>root@192.168.1.4</username>
    <time>1553809108.1252</time>
    <description>/firewall_rules_edit.php made changes</description>
  </created>
  <disabled>1</disabled>
</rule>

Any help is really appreciated.
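
Added example (not part of the original post and not OPNsense code): one way to check whether the rule set itself differs between a config backup taken before a reboot and one taken after, ignoring the <updated>/<created> audit metadata. It assumes rules can be identified by interface plus description; the BEFORE sample is trimmed from the two rules in the post, and the AFTER variant and its timestamp are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Audit metadata changes on every save and says nothing about rule behaviour.
IGNORED = {"updated", "created"}

# Constructed sample: the two rules from the post, trimmed to a few fields.
BEFORE = """<filter>
<rule><type>pass</type><interface>opt1</interface><descr>HTTP</descr><protocol>tcp</protocol>
<source><network>opt1</network></source><destination><any>1</any><port>80</port></destination>
<updated><time>1554540266.7673</time></updated></rule>
<rule><type>pass</type><interface>opt4</interface><descr>Default allow LAN to any rule</descr>
<source><network>opt4</network></source><destination><any>1</any></destination>
<disabled>1</disabled></rule>
</filter>"""
# Constructed "after" state: new save timestamp, guest rule no longer disabled.
AFTER = BEFORE.replace("1554540266.7673", "1555000000.0").replace("<disabled>1</disabled>", "")

def flatten(elem, prefix=""):
    """Yield (path, text) for every leaf setting under a <rule> element."""
    for child in elem:
        if child.tag in IGNORED:
            continue
        path = f"{prefix}/{child.tag}"
        if len(child):                      # has sub-elements: recurse
            yield from flatten(child, path)
        else:
            yield path, (child.text or "").strip()

def load_rules(xml_text):
    """Map (interface, descr) -> frozenset of settings (assumed unique key)."""
    rules = {}
    for rule in ET.fromstring(xml_text).iter("rule"):
        key = (rule.findtext("interface", ""), rule.findtext("descr", ""))
        rules[key] = frozenset(flatten(rule))
    return rules

def diff_rules(before_xml, after_xml):
    """Report rules added, removed, or changed between two config exports."""
    before, after = load_rules(before_xml), load_rules(after_xml)
    report = {"added": sorted(after.keys() - before.keys()),
              "removed": sorted(before.keys() - after.keys()),
              "changed": {}}
    for key in before.keys() & after.keys():
        if before[key] != after[key]:       # settings present in only one side
            report["changed"][key] = sorted(before[key] ^ after[key])
    return report

if __name__ == "__main__":
    print(diff_rules(BEFORE, AFTER))
```

An empty report for two real backups means the saved rules did not change, which points the investigation at interface assignment or VLAN tagging rather than the rule set.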