OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: dinguz on October 05, 2020, 07:08:26 pm

Title: dropped outgoing traffic while not filtering AFAIK
Post by: dinguz on October 05, 2020, 07:08:26 pm
I am seeing dropped outgoing traffic, only on port 443. This baffles me because AFAIK I'm not filtering outgoing traffic. It's dropped by the default deny rule, so it's kind of hard to see on which basis it's being blocked. 
Does anyone have an idea where to look?
Title: Re: dropped outgoing traffic while not filtering AFAIK
Post by: binaryanomaly on November 08, 2020, 02:34:53 pm
I am seeing exactly the same behaviour and I'm wondering why, since I currently allow LAN traffic to anywhere.
I can't see why this traffic is blocked. Wonder if it's related to this: https://forum.opnsense.org/index.php?topic=19947.msg92119#msg92119 (german)

Have you solved the issue in the meanwhile?
Title: Re: dropped outgoing traffic while not filtering AFAIK
Post by: dinguz on November 08, 2020, 08:01:36 pm
It's not completely gone, but it got better with 20.7.4. I presume it has something to do with this entry in the changelog: 'firewall: associated NAT rules missed state keyword'.
Have you noted any differences in 20.7.4?
Title: Re: dropped outgoing traffic while not filtering AFAIK
Post by: binaryanomaly on November 08, 2020, 08:53:50 pm
I have tbh only observed it today while I was trying out the Sky app for the first time, and it kept acting super weird: sluggish playback up to loss of connection.
 
A quick check of the fw log surfaced lots of "Default deny rule" entries for what looked to be absolutely legitimate traffic.

Weirdly enough, it seems to be completely gone by now...
Title: Re: dropped outgoing traffic while not filtering AFAIK
Post by: Fright on November 09, 2020, 08:01:52 am
Quote
'firewall: associated NAT rules missed state keyword'.
Doesn't seem to be relevant to the problem.
Any chance that you have some sort of asymmetric routing?
Title: Re: dropped outgoing traffic while not filtering AFAIK
Post by: dinguz on November 09, 2020, 09:05:47 am
I presume the problem is that the packets are possibly valid, but that they are somehow not matched with existing connections (the 'keep state' stuff). I don't have asymmetric routing, it's a fairly simple cable modem which connects to the ISP. The modem is in bridge mode, so there is no NAT-after-NAT as well.
Title: Re: dropped outgoing traffic while not filtering AFAIK
Post by: Fright on November 09, 2020, 09:45:22 am
Yes, I also think that the reason for the messages appearing is the state keeping (you can check this by switching "State type" to "none" in the "Default allow LAN to any" rule). But it's not the source of the problem. Something breaks states, and most often it is asymmetric routing (client sends request through OPNsense and receives reply from another host/router).
You can try to trace packets and find out the source of the state breaking.
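Fright's suggestion to trace the dropped packets, and dinguz's point that they may be valid packets that simply no longer match a state, can be checked from the filter log before reaching for tcpdump. The following is an added example and not code from this thread or from OPNsense: it parses a few constructed lines in the pf filterlog CSV layout (field order assumed from the filterlog format; rule labels, interface names and addresses are made up, using documentation ranges) and splits blocked outbound TCP packets into new connections the ruleset refused (SYN without ACK) and mid-stream packets for which pf has no state (ACK, PSH, FIN, RST, or SYN/ACK). Repeated state-miss hits on the same flow are what asymmetric routing or an expired/reset state looks like in the log; SYN-only drops mean the policy itself blocked the connection.

```python
import csv
from collections import Counter

# Field order of the pf "filterlog" CSV line as written by OPNsense
# (assumed from the filterlog format; only the IPv4 and TCP/UDP parts
# are modelled here, IPv6 lines are passed through unparsed).
HEADER_FIELDS = ["rulenr", "subrulenr", "anchor", "rid", "interface",
                 "reason", "action", "dir", "ipver"]
IPV4_FIELDS = ["tos", "ecn", "ttl", "id", "offset", "ipflags",
               "proto", "protoname", "length", "src", "dst"]
TCP_FIELDS = ["srcport", "dstport", "datalen", "tcpflags",
              "seq", "ack", "window", "urg", "options"]
UDP_FIELDS = ["srcport", "dstport", "datalen"]

# Constructed sample with the syslog prefix already stripped. Rule labels,
# interface names and addresses are made up; 198.51.100.42 stands in for
# the firewall's WAN address after outbound NAT.
SAMPLE_LOG = """\
11,,,default-deny,igb0,match,block,out,4,0x0,,64,20481,0,DF,6,tcp,52,198.51.100.42,203.0.113.10,51234,443,0,A,3123456789,987654321,501,,
11,,,default-deny,igb0,match,block,out,4,0x0,,64,20482,0,DF,6,tcp,569,198.51.100.42,203.0.113.10,51234,443,517,PA,3123456789,987654321,501,,
11,,,default-deny,igb0,match,block,out,4,0x0,,64,20483,0,DF,6,tcp,52,198.51.100.42,203.0.113.11,51235,443,0,FA,2222222222,1111111111,501,,
11,,,default-deny,igb0,match,block,out,4,0x0,,64,20484,0,DF,6,tcp,60,198.51.100.42,198.51.100.5,40000,25,0,S,1000000000,0,64240,,mss;sackOK;TS;nop;wscale
70,,,lan-allow-any,igb1,match,pass,in,4,0x0,,64,20485,0,DF,6,tcp,60,192.168.1.20,203.0.113.10,51236,443,0,S,1500000000,0,64240,,mss;sackOK;TS;nop;wscale
11,,,default-deny,igb0,match,block,in,4,0x0,,57,4000,0,none,17,udp,78,203.0.113.200,198.51.100.42,53,55555,58
"""


def parse_line(line):
    """Turn one filterlog CSV line into a dict keyed by field name."""
    fields = next(csv.reader([line]))
    rec = dict(zip(HEADER_FIELDS, fields))
    rest = fields[len(HEADER_FIELDS):]
    if rec.get("ipver") != "4":
        return rec  # IPv6 layout differs and is not needed for this triage
    rec.update(zip(IPV4_FIELDS, rest))
    rest = rest[len(IPV4_FIELDS):]
    if rec.get("protoname") == "tcp":
        rec.update(zip(TCP_FIELDS, rest))
    elif rec.get("protoname") == "udp":
        rec.update(zip(UDP_FIELDS, rest))
    return rec


def classify_drops(log_text):
    """Split blocked outbound TCP packets into two buckets.

    policy:     SYN without ACK, i.e. a new connection the ruleset refused.
    state_miss: any other flag combination (ACK, PSH/ACK, FIN/ACK, RST,
                SYN/ACK); pf saw a packet from the middle of a conversation
                and had no state for it, so the default deny caught it.
    """
    result = {"policy": [], "state_miss": [], "ignored": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if (rec.get("action") != "block" or rec.get("dir") != "out"
                or rec.get("protoname") != "tcp"):
            result["ignored"] += 1
            continue
        flags = rec.get("tcpflags", "")
        flow = f"{rec['src']}:{rec['srcport']} -> {rec['dst']}:{rec['dstport']}"
        if "S" in flags and "A" not in flags:
            result["policy"].append((flow, flags))
        else:
            result["state_miss"].append((flow, flags))
    return result


def state_miss_flows(result):
    """Count state-miss drops per flow; repeats on one flow point at a
    broken state rather than random noise."""
    return Counter(flow for flow, _ in result["state_miss"])


if __name__ == "__main__":
    res = classify_drops(SAMPLE_LOG)
    print(f"policy blocks: {len(res['policy'])}, "
          f"state misses: {len(res['state_miss'])}, ignored: {res['ignored']}")
    for flow, hits in state_miss_flows(res).most_common():
        print(f"  {hits:3d}x no state for {flow}")
```

On the firewall the same CSV follows the "filterlog:" tag in the filter log (assumed location for 20.7: /var/log/filter.log), so the syslog prefix has to be cut off before feeding lines in. If the state-miss bucket is dominated by a handful of flows with PSH/ACK and FIN/ACK drops, the next step is Fright's: capture that flow on both the LAN and WAN interface and confirm the replies actually come back through the same OPNsense interface the request left on.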