21.7 Legacy Series / Sometimes Traffic is not matching Rules
« on: November 24, 2021, 03:37:41 pm »
Hi everybody
I'm using OPNsense in an environment where I am experiencing unusual behaviour.
The OPNsense has an interface in a transfer LAN. This transfer LAN has addresses for multiple client switches (routing capabilities) and there are routes configured from /30 client networks to the OPNsense (and reverse). When a client tries to reach something in the server LAN, this works for 99% of the traffic (because at present we have an allow any/any rule in the transfer LAN for debugging purposes). But sometimes the traffic is blocked by the default deny rule. However, due to the any/any rule the default deny rule should never be reached (the any/any rule is obviously an immediate matching rule). And in most scenarios the traffic is forwarded.
This is a brief diagram. Without changing the config, particular traffic is passed in most connections. Sometimes it seems to match no:
client_n_lan/30 <--SWITCH-L3--> transfer_lan/24 <--OPNsense--> server_lan/24
Any ideas?
Thank you
Mario