20.7 Legacy Series / Re: Firewall default deny rule blocking LAN traffic?
« on: June 03, 2021, 11:20:21 am »
I finally found a solution to this here: https://pfsense-docs.readthedocs.io/en/latest/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html
While this is not really an asymmetric routing issue in my case (it is just that the OPNsense VM is connected to the same bridge as other VMs/containers, which causes it to see packets that do not need to go through OPNsense, i.e. packets with source and destination on the same subnet), it does cause the same symptoms and thus this solution works.
The manual fix they indicate consists of adding 2 rules: one on the interface of the network where the issue occurs and one in Floating. In my case just 1 rule was enough, on the interface of the network where I had the issue.
Make sure to select the TCP protocol so you can check "any" for the TCP flags in the advanced options and set the state type to sloppy.
Finally, it does not matter if you make it a pass or block rule if you are in the same situation as me, where the OPNsense host (KVM guest in my case) shares the same Linux bridge as other VMs or containers, as those other VMs/containers will still receive the packets as long as they are on the same subnet.
Interestingly, while this fixes the issue, I do not see any log for this added rule even though I checked "Log packets that are handled by this rule". Not a big deal for me as my goal was to stop being flooded by it. However, it is weird that while the rule obviously does something, it somehow does not get logged.
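For reference, this is what the GUI settings described in the post above correspond to in pf.conf syntax, written here as an added illustration rather than taken from the thread or from OPNsense's generated ruleset; the interface name `igb1` is a placeholder for the LAN interface that sees the stray same-subnet traffic.

```pf
# Added example (not from the thread): pf.conf equivalent of the GUI rule
# described above. "igb1" is a placeholder for the LAN interface.
#
# "flags any" stops pf from requiring a SYN to create a state, and
# "sloppy" state tracking skips the TCP sequence-number window checks,
# so mid-stream packets of which pf only sees one direction are matched
# by this rule instead of falling through to the default deny rule
# (and its "blocked" log entries).
pass in quick on igb1 inet proto tcp from any to any flags any keep state (sloppy)

# Counterpart the linked article adds as a Floating rule in the outbound
# direction; the post above found this second rule unnecessary in the
# shared-bridge case.
pass out quick on igb1 inet proto tcp from any to any flags any keep state (sloppy)
```

On OPNsense the ruleset generated from the GUI can be inspected in /tmp/rules.debug or with `pfctl -sr` to confirm the rule carries `flags any` and `(sloppy)`.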
Thanks for posting the solution, it worked for me, too. I also don't see anything in the log. Of note, the relevant pfSense link has now changed to: https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html