OPNsense Forum

English Forums => General Discussion => Topic started by: Sintenel on June 15, 2021, 10:50:09 pm

Title: First rule passes, 30 seconds later blocks on default rule
Post by: Sintenel on June 15, 2021, 10:50:09 pm
Hello Opnsense friends,

I have been struggling with some behavior on my OPNsense firewall, and I would like to learn why this behavior is happening. Maybe the way I configured the rule is not best practice, or something else is happening. Hopefully you can guide me in the right direction.

The setup is quite simple: I have 8 interfaces, 5 of which are VLANs for internal network traffic only.
In VLAN20 I have a management workstation that should be able to access every VLAN in the network.

So I made the following rule:
https://ibb.co/c1jdmpd
https://ibb.co/4WTGzkJ

This works fine for almost everything, except when I have SSH traffic from my management workstation to an SSH instance in VLAN10. The connection opens fine, and I can work for about 30 seconds, and then the connection gets blocked by the default rule.

https://ibb.co/ZGXCnsQ

Can anyone advise me on what I did wrong, or what is best practice in my case / setup? Should I split up the alias into multiple networks / rules?

Secondly, why does it pass and work normally for other traffic without hitting the default block rule? There is no manual rule on the network that disallows SSH traffic.

Thank you very much.
Title: Re: First rule passes, 30 seconds later blocks on default rule
Post by: franco on June 16, 2021, 07:34:43 pm
It's called a state tracking violation. The pass rule will let go of the match when it encounters out-of-sequence packets, packets it's not supposed to see, or asymmetric routing.

The next best match is obviously the default deny rule for such traffic.


Cheers,
Franco
Title: Re: First rule passes, 30 seconds later blocks on default rule
Post by: OldBotV0 on August 11, 2021, 07:08:37 pm
Franco, I've been struggling with the same problem of the default deny rule popping up
on an established SSH session. No VLANs involved. Just two ports on the router with
192.168.{54,55}.* in use.
Can you suggest a solution? An additional rule? A settings change?
I'm a novice w.r.t. OPNsense/routers/firewalls.
Title: Re: First rule passes, 30 seconds later blocks on default rule
Post by: franco on August 11, 2021, 08:43:54 pm
Make sure the packets are in order and do not show up on different ports at the same time.


Cheers,
Franco
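Franco's two replies describe what to look for: packets of an established session that hit the default deny (a state tracking violation), and one flow showing up on more than one interface (asymmetric routing). The script below is an added example, not part of this thread or of OPNsense, that runs those two checks over constructed filterlog-style lines. The CSV field order it assumes is the pf filterlog layout used by pfSense/OPNsense; the interface names, addresses and rule ids are made up.

```python
import csv
import io
from collections import defaultdict

# Constructed sample filterlog lines (not real traffic). Assumed field order is the
# pf filterlog CSV layout (rule, subrule, anchor, rid, interface, reason, action,
# direction, ip-version, tos, ecn, ttl, id, offset, ipflags, proto-id, proto, length,
# src, dst, sport, dport, datalen, tcpflags, ...). Verify the positions against your
# own /var/log/filter lines before relying on them.
SAMPLE_LOG = """\
83,,,a1b2,vlan20,match,pass,in,4,0x0,,64,1001,0,DF,6,tcp,60,192.168.20.10,192.168.10.5,51000,22,0,S,,,65535,,mss
1,,,0,vlan20,match,block,in,4,0x0,,64,1077,0,DF,6,tcp,92,192.168.20.10,192.168.10.5,51000,22,40,PA,,,65535,,
1,,,0,igb1,match,block,in,4,0x0,,64,1078,0,DF,6,tcp,52,192.168.20.10,192.168.10.5,51000,22,0,A,,,65535,,
1,,,0,vlan20,match,block,in,4,0x0,,64,2001,0,DF,6,tcp,60,192.168.20.99,192.168.10.5,40000,23,0,S,,,65535,,
"""

IFACE, ACTION, PROTO, SRC, DST, SPORT, DPORT, TCPFLAGS = 4, 6, 16, 18, 19, 20, 21, 23

def parse(log_text):
    """Yield one dict per TCP log line; non-TCP and short lines are skipped."""
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) <= TCPFLAGS or row[PROTO] != "tcp":
            continue
        yield {"iface": row[IFACE], "action": row[ACTION],
               "flow": (row[SRC], row[SPORT], row[DST], row[DPORT]),
               "flags": row[TCPFLAGS]}

def find_state_violations(log_text):
    """Return {flow: reasons} for flows with blocked non-SYN packets (mid-session
    block) or packets seen on more than one interface (asymmetric routing hint)."""
    ifaces = defaultdict(set)
    reasons = defaultdict(list)
    for pkt in parse(log_text):
        ifaces[pkt["flow"]].add(pkt["iface"])
        # A blocked packet without SYN belongs to a connection that already existed,
        # but pf no longer had a matching state for it: the state-tracking violation.
        if pkt["action"] == "block" and "S" not in pkt["flags"]:
            reasons[pkt["flow"]].append(
                f"mid-session block on {pkt['iface']} flags={pkt['flags']}")
    for flow, seen in ifaces.items():
        if len(seen) > 1:
            reasons[flow].append(
                "flow seen on multiple interfaces: " + ", ".join(sorted(seen)))
    return dict(reasons)

if __name__ == "__main__":
    for flow, why in find_state_violations(SAMPLE_LOG).items():
        print(" -> ".join(flow), *why, sep="\n    ")
```

A fresh connection that is simply denied (the SYN to port 23 above) is not reported, so the output isolates the sessions that were passed first and blocked later.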
Title: Re: First rule passes, 30 seconds later blocks on default rule
Post by: OldBotV0 on August 12, 2021, 03:32:46 am
Given that I'm just using a standard SSH connection, I've no idea what I might change to do that.
Title: Re: First rule passes, 30 seconds later blocks on default rule
Post by: franco on August 12, 2021, 10:58:44 am
I don't know either but something in your setup in front of VLAN20 messes with the TCP connection. Is there a switch connected?


Cheers,
Franco
Title: Re: First rule passes, 30 seconds later blocks on default rule
Post by: OldBotV0 on August 12, 2021, 10:31:15 pm
I'm not using any VLANs, and the RasPi is directly connected to the OPNsense IOTnet port. The LAN port does go through two small dumb switches to get to the Linux box.
Title: Re: First rule passes, 30 seconds later blocks on default rule
Post by: franco on August 13, 2021, 01:47:07 pm
Why do you name your Interface "VLAN20" if you don't use VLANs?

Oh right, you are not the OP...


Cheers,
Franco