OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: iBROX on October 04, 2021, 09:06:59 am

Title: FW rule issue
Post by: iBROX on October 04, 2021, 09:06:59 am
Hi,

This should be simple and it probably is, but for some reason it isn't working, I'll explain best I can.

Network A : 192.168.90.0/24
Network B : 192.168.100.0/24

I am trying to connect to TCP/22 from Network A to Network B. I have the rule in place, but for some reason it keeps getting picked up by the default deny rule in the logs.  I can ping a host on Network B from Network A no problem, but for some reason it isn't parsing the rule.  I can also see the request come into the host on Network B using netstat or a tshark capture.

From the deny log, for some reason it looks like it is the wrong way around (unless I'm reading it wrong).

I've attached the deny log.

I can access the host on Network B from another host on Network B no problems.
Title: Re: FW rule issue
Post by: bartjsmit on October 04, 2021, 09:56:26 am
Can you try with TCP 222 for testing? The firewall itself listens on 22.
Title: Re: FW rule issue
Post by: iBROX on October 04, 2021, 11:01:19 am
I have something listening on 80 as well, same issue. However I think I might know what’s causing this after taking a step back. I’ll have more of a play tomorrow.
Title: Re: FW rule issue
Post by: iBROX on October 05, 2021, 04:22:34 am
OK, I can see what is happening: for some reason it's not keeping state.  If I disable all FW it works, but the moment I enable the FW it doesn't.

I can see in the FW log that the SYN ACK is getting lost on the way back, so for example:

Host A : 192.168.10.10 (listening on port 111)
Host B : 192.168.20.20

I can see in the FW log that the default deny is picking this up and blocking it on the way back.
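Detection for the symptom described in this post (the SYN-ACK reply being caught by the default deny), as an added example that is not part of the thread: it parses OPNsense filterlog lines and flags blocked SYN-ACKs, separating replies whose SYN the firewall passed earlier (state should have matched) from replies whose SYN it never saw (the forward path bypassed the firewall). The field layout is assumed from FreeBSD's filterlog format, and the sample lines, interface names and host/port values are constructed.

```python
"""Flag blocked TCP SYN-ACK replies in OPNsense/pf filterlog output.

A blocked SYN-ACK means the firewall had no state for the reply, which is
the usual signature of an asymmetric path: SYN one way, reply another.
Field layout follows FreeBSD filterlog (assumption; verify against your
own filter log before relying on the column indexes).
"""
FIELDS = ["rulenr", "subrulenr", "anchor", "tracker", "iface", "reason",
          "action", "dir", "ipver", "tos", "ecn", "ttl", "id", "offset",
          "ipflags", "proto", "protoname", "length", "src", "dst",
          "sport", "dport", "datalen", "tcpflags"]


def parse_filterlog(line):
    """Split one IPv4/TCP filterlog record into a dict; None if not TCP."""
    parts = line.strip().split(",")
    if len(parts) < len(FIELDS) or parts[16] != "tcp":
        return None
    return dict(zip(FIELDS, parts))


def find_blocked_replies(lines):
    """Return (entry, reason) pairs for every blocked SYN-ACK.

    reason is 'no state for passed SYN' when the firewall passed the
    matching SYN earlier, or 'SYN never seen' when it never saw the SYN.
    """
    passed_syns = set()
    findings = []
    for line in lines:
        e = parse_filterlog(line)
        if e is None:
            continue
        if e["action"] == "pass" and e["tcpflags"] == "S":
            passed_syns.add((e["src"], e["sport"], e["dst"], e["dport"]))
        elif e["action"] == "block" and e["tcpflags"] == "SA":
            reverse = (e["dst"], e["dport"], e["src"], e["sport"])
            reason = ("no state for passed SYN" if reverse in passed_syns
                      else "SYN never seen")
            findings.append((e, reason))
    return findings


# Constructed sample: a SYN from host B to host A:111 passes on igb1, but
# the SYN-ACK returns via igb2 and hits the default deny; a second SYN-ACK
# arrives for a connection whose SYN the firewall never saw at all.
SAMPLE = [
    "70,,,0,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.20.20,192.168.10.10,50000,111,0,S,1,,65535,,mss",
    "71,,,0,igb2,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.10.10,192.168.20.20,111,50000,0,SA,1,2,65535,,mss",
    "71,,,0,igb2,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.10.10,192.168.20.20,111,50002,0,SA,5,6,65535,,mss",
]

if __name__ == "__main__":
    for entry, reason in find_blocked_replies(SAMPLE):
        print(f'{entry["iface"]}: blocked SYN-ACK {entry["src"]}:{entry["sport"]} -> '
              f'{entry["dst"]}:{entry["dport"]} ({reason})')
```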
Title: Re: FW rule issue
Post by: Patrick M. Hausen on October 05, 2021, 09:14:48 am
Are these networks on different interfaces or on the same one?
Title: Re: FW rule issue
Post by: iBROX on October 05, 2021, 09:38:15 am
Different interfaces. For some reason it keeps getting hit by the default deny (floating rule); if I add a new rule on that specific interface and say "block or reject", I can see it hitting that rule.  It's only if it has a permit that it doesn't even get that far.
Title: Re: FW rule issue
Post by: iBROX on October 09, 2021, 12:29:14 pm
Managed to fix this one. It wasn’t OPNsense at fault but an issue further upstream in the network on the core switches; someone didn’t clean up their “temporary” configuration from years ago.  With a bit of debugging and backtracking I managed to work it out.