OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: telskamp on May 01, 2018, 11:39:49 am

Title: random denies by Default deny rule after upgrading
Post by: telskamp on May 01, 2018, 11:39:49 am
Hey guys,

Since I updated my OPNsense to the latest stable 18.1.6, it seems about 1/3 of all traffic headed for the internet is blocked by the default deny rule.

I have just one simple rule on my LAN interface allowing everything from my LAN subnet to any destination using any protocol.
2/3 of traffic hits this rule and is NATed perfectly to the internet; the other 1/3 just hits the default deny rule.

I cannot seem to figure out the difference in traffic that causes it. Hosts on my LAN are able to load most web pages and ping most IPs, but for reasons unknown to me some destinations are blocked by the default rule.

Some logs from blocked traffic:
May 1 12:21:28   filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,24069,0,DF,6,tcp,52,192.168.2.62,216.58.212.238,46327,443,0,FA,235370830,407495185,796,,nop;nop;TS
May 1 12:21:28   filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,30129,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
May 1 12:21:26   filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,30128,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
May 1 12:21:26   filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,30127,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
May 1 12:21:26   filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,30126,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
May 1 12:21:22   filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,743,0,DF,6,tcp,83,192.168.1.201,172.217.17.138,55932,443,31,PA,3166355573:3166355604,738522861,1428,,nop;nop;TS

Please let me know if you need further info

[EDIT]

After further investigation it seems only 1/3 of TCP traffic is blocked; UDP and ICMP are never blocked.

Title: Re: random denies by Default deny rule after upgrading
Post by: guest15389 on May 03, 2018, 04:37:57 pm
I'm assuming you didn't change it, but what's your firewall optimization setup as?

If it's TCP, it sounds like it's blocking connections based on that.

Title: Re: random denies by Default deny rule after upgrading
Post by: franco on May 03, 2018, 09:13:47 pm
Default deny means your traffic is leaking and state tracking will prevent connectivity, either through asymmetric routing (one side has no traffic) or repeated packets on the same link.

You can diagnose this by setting your default LAN allow rule to "sloppy" or "none" in state tracking under advanced options.


Cheers,
Franco
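To check whether the blocked lines in the first post fit Franco's state-tracking explanation, here is an added example (not from the thread or from OPNsense itself) that parses the pf filterlog CSV records quoted above and classifies each blocked TCP packet as a new connection (SYN, a genuine policy deny) or an out-of-state packet (no SYN, meaning the firewall had no state entry for an existing stream). The field positions follow the filterlog format for IPv4/TCP records; the sample lines are copied from the thread with the timestamp and "filterlog:" prefix removed.

```python
import csv
from collections import Counter

# Three of the blocked records quoted in the first post (prefix stripped).
SAMPLE_LOG = """\
8,,,0,em0,match,block,in,4,0x0,,64,24069,0,DF,6,tcp,52,192.168.2.62,216.58.212.238,46327,443,0,FA,235370830,407495185,796,,nop;nop;TS
8,,,0,em0,match,block,in,4,0x0,,64,30129,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
8,,,0,em0,match,block,in,4,0x0,,64,743,0,DF,6,tcp,83,192.168.1.201,172.217.17.138,55932,443,31,PA,3166355573:3166355604,738522861,1428,,nop;nop;TS
"""


def parse_filterlog(line):
    """Parse one pf filterlog record (IPv4 layout only) into a dict."""
    f = next(csv.reader([line]))
    if f[8] != "4":
        return None  # IPv6 records use a different field layout; not needed here
    rec = {"rule": f[0], "iface": f[4], "action": f[6], "dir": f[7],
           "proto": f[16], "src": f[18], "dst": f[19]}
    if rec["proto"] == "tcp":
        # TCP-specific fields: src port, dst port, data length, TCP flags
        rec.update(sport=f[20], dport=f[21], datalen=f[22], tcp_flags=f[23])
    return rec


def classify_block(rec):
    """A blocked TCP packet carrying no SYN belongs to a stream the firewall
    has no state for: this points at state-tracking loss (asymmetric path,
    duplicated packets), not at a rule that denies the connection."""
    if rec["proto"] != "tcp":
        return "non-tcp"
    flags = rec["tcp_flags"]
    if "S" in flags and "A" not in flags:
        return "new-connection"   # a SYN that a rule really denied
    return "out-of-state"         # FA/PA/A etc.: mid-stream, no state entry


def summarize(log_text):
    """Count blocked records per class across a block of filterlog lines."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block":
            counts[classify_block(rec)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))  # all three are out-of-state (FA/PA, no SYN)
```

If every blocked packet comes out as out-of-state, the "sloppy" or "none" state-tracking test Franco suggests is the right next step; a pile of new-connection blocks would instead point at the rules themselves.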