OPNsense Forum

English Forums => General Discussion => Topic started by: JRC on June 04, 2020, 09:55:15 pm

Title: Firewall rules - Explicit Allow not working.
Post by: JRC on June 04, 2020, 09:55:15 pm
I am sure this is just my lack of understanding, but I seem to have this odd situation where OPNsense is ignoring an explicit allow rule, but if I toggle it to a deny rule, then it evaluates.

I have client 172.17.100.51 trying to talk to client 172.17.100.50. They are both on the same VLAN interface on OPNsense.

This traffic is being denied by the default deny rule, so I went in and created a first match explicit allow rule. Any type of traffic from 51 -> 50 is set to be allowed, the rule is enabled and set to log.

OPNsense appears to completely ignore this rule; it never shows up in the live view, and the default deny rule blocks the traffic.

Here is where it gets odd. If I change the rule from pass to block and jump back to the live view, the rule works, and I can see the traffic being blocked by that rule. Switch it back to allow, and once again the default deny rule kicks in and traffic is blocked.

I have other allow rules on other VLAN interfaces that do work, so I am baffled by this. Any ideas on what I am doing wrong?
Title: Re: Firewall rules
Post by: marjohn56 on June 04, 2020, 10:06:20 pm
As you are saying VLANs, are these clients connected via a managed switch?
Title: Re: Firewall rules
Post by: JRC on June 04, 2020, 10:36:02 pm
Quote from: marjohn56 on June 04, 2020, 10:06:20 pm
As you are saying VLANs, are these clients connected via a managed switch?

Yes, a Cisco 3560X, but the traffic is being blocked by the firewall on OPNsense (they are coming in on the same VLAN interface), so I am not sure this is the issue.
Title: Re: Firewall rules
Post by: marjohn56 on June 04, 2020, 11:16:38 pm
If it's client to client on the same subnet, it has S.F.A. to do with the firewall; it's point to point. Check the managed switch settings and the firewall settings on your clients. Start by pinging one from the other; if that works yet something like a web server doesn't, then there's an issue with firewall or server settings... the Windows firewall, for example, can be an absolute P.I.T.A. at times.
Title: Re: Firewall rules
Post by: JRC on June 04, 2020, 11:52:25 pm
Quote from: marjohn56 on June 04, 2020, 11:16:38 pm
If it's client to client on the same subnet, it has S.F.A. to do with the firewall; it's point to point. Check the managed switch settings and the firewall settings on your clients. Start by pinging one from the other; if that works yet something like a web server doesn't, then there's an issue with firewall or server settings... the Windows firewall, for example, can be an absolute P.I.T.A. at times.

It is client to client on the same subnet, but the firewall is blocking it. It shows up in the Firewall live view. There is nothing on the switch that is blocking it, and the clients do not have firewalls enabled. On other subnets the client-to-client traffic does not even touch the firewall, but for some reason in this case it does, and when it does, the FW blocks it.

But none of this explains why OPNsense is ignoring the rule when it is set to allow, but processing and executing it when it is set to block.

And for the record, I am able to ping between these two clients just fine. No other clients have issues communicating directly on this subnet.
Title: Re: Firewall rules - Explicit Allow not working.
Post by: JRC on June 04, 2020, 11:57:01 pm
Here is a picture of the FW Live View. This is with the explicit allow rule in place on the interface.
Title: Re: Firewall rules - Explicit Allow not working.
Post by: marjohn56 on June 05, 2020, 12:19:01 am
You're missing the point. If the clients are on the same subnet, in your case 172.17.100.0, then any communication between those two clients does NOT go via the firewall; it goes direct from client to client.

172.17.100.50 will talk directly to 172.17.100.51 and vice versa. You can remove the OPNsense firewall from the network, and as long as they have those addresses they will talk to each other. It's being denied because the firewall will not repeat the packets back onto the network. Remove that rule; it's totally pointless.