Messages

In the UI navigate to Firewall > States > Actions and click on "Reset state table".

Caveat: in a live production environment this will kill all active connections, e.g. long running downloads.

i have to do this every time i disable some rules ?

OPNsense is a stateful firewall. A TCP connection but also a continuous stream of UDP or ICMP packets establish a flow. If the initiation of the flow is permitted, the flow continues to be permitted. For UDP and ICMP this is implemented via timeouts, since there is no proper tear down of the connection or other means (SYN cookie, sequence number) to properly identify a connection.

thnk.

How fix this ? i mean  how config opnsens work realtime ?

I mean if i disabled rules, imidetly block ani ping and traffic ?

Thnks

Can someone explain to me why the rules do not work in real time when you turn them off?

This was verified as follows.

You turn off the ping rule, and we look at the ping on the machines and see that the ping will continue, but in the firewall the rule for allowing ping is disabled. On this machine, turn off the network interface, turn it back on, pings are gone. Turn on the rule pings appear.

This only happens when you disable or remove the rules, for some reason they do not work in real time.

Not sure I understand why you are "turning off the interface" or what that even means. Also, if you are enabling and disabling rules, are you clearing the firewall states between testing? It's still not very clear what you are trying to achieve for each of your VLANs. If you create a list of your VLANs and guidelines for each, we can easily come up with working rules for each interface. For example, something like:

VLAN1: Internet access but no access to other VLANs
VLAN2: Internet access and access to VLAN1 but not VLAN2
VLAN3: No internet access, access to server on VLAN1 only

"turning off the interface" - in computer !

I allrady creat it, in screenshot first post. and thid rulse dont work.

I saw your screenshot but my comment still stands. Do away with the floating rules and create rules on each interface for your VLANs as I suggested and you'll have better success in managing your traffic.

I dont need creat rules on each interface, cuz its work incorrect !!!

A very strange thing is happening.

When you turn off the rules, then there is a ping, but when you turn off the interface, wait 5 seconds and then turn it back on, then the ping is passed according to the rules.

thnks

do this

https://prnt.sc/T2cP5WcnPMPC

ping  i have Vlan 231 self.

but if i disabled rulse, ping alsou have from Vlan 231 to Vlan 231 why ?

rules unfotiontly work incorrect.

P.S. in dfl 870 i dont have this problem ...

Going to need more details to help out with this but just a couple of comments so far. Your specific rules will be easier to manage if you create them for each interface rather than as floating rules. Also, there is no need to mention "ping self" because traffic that stays on the same subnet will always be allowed because it doesn't even pass through the firewall for evaluation.

Here are my general suggestions:

I see that you have an alias for RFC1918 ranges. On each VLAN that needs internet access, create a rule that allows all access the the inverse (NOT) RFC1918. That will provide internet (WAN) access but no inter-VLAN communication. Next, on any VLAN that needs to access another VLAN, create specific allow rules that go before the internet rule.

That should pretty much get you started. Remember, any traffic not explicitly allowed will be blocked by default. Therefore, try to think in terms of creating allow rules that are only as permissive as necessary rather than trying to put block rules everywhere. Hope that helps.

I allrady creat it, in screenshot first post. and thid rulse dont work.

Hi all.

Why Rulse dont work ?

https://prnt.sc/KMq6yCJQazzv

I need creat this rulse.

Vlan 231 can ping self. but cant ping Vlan 232.

Vlan 232 can ping self and Vlan 233.
Vlan 233 can ping self and Vlan 232.

Vlan 233 cant ping Vlan 231.

Now i try to creat ping Self Vlan 232. but rulse dont work.

Thnks for help

I Creat all this Vlan in Dfl 870 and it dont have HA.

I Find opnsense and try creat Dhcp Ha Server. thats why i dont understud how correct it setting for HA.

If Its Singl divase it simpl creat )

U mean i must for all Vlans creat Carp ip and Vlan's must have differet static ip In Master and Slave and last in DHCP i must put ip in  Failover peer IP Vlan's static ip from Slave ? ( like in Lan interfase )

I correct u undestud ?

Dont Uderstud ....

i have

Lan ip Master : 192.168.200.1
Lan ip Slave: 192.168.200.2

Sync ip Master: 10.50.50.1
Sync ip Slave: 10.50.50.2

Vlan231 ip Master: 192.168.231.10
Vlan231 ip Slave: 192.168.231.10


Whot i must writen in Failover peer IP on DHCP Vlan231.

I real cant understud whot u tray me sad !

yes i creat it !!

i askn only one qvestion whot i need to writen in  Failover peer IP:

if i writen the Carp ip, DHCP Dont work
if i writen the Sync ip, DHCP Dont work

For HA I have Sync ip

Vlan231   its local Lan for other divases.
Vlan200  its local Lan for other divases.
Vlan215  its local Lan for other divases.
Etc

Vlan's its nor for Syns or Backup

DCHP All Vlans need when some divases connet this Vlans get ip.


Backup ip its Carp LAN 192.168.200.3 only this

I dont have the VLANx IP of the backup.

Thnks. but steel dont understud.

i have

lan ip Master : 192.168.200.1
Lan ip Slave: 192.168.200.2
Carp Lan ip: 192.168.200.3

Sync ip Master: 10.50.50.1
Sync ip Slave: 10.50.50.2

Ha work on Sync Interface

On Master have ip to Slave.

Synchronize Peer IPP: 10.50.50.2
Synchronize Config to IP: 10.50.50.2


On Slave have ip to Master

Synchronize Peer IPP: 10.50.50.1

in Master i creat just now only one DHCP Vlan231

Ip: 192.168.231.10
DNS servers: 192.168.231.5, 192.168.231.6
GW: 192.168.231.10

Failover peer IP: Dont understud whot i must writn here, if i writin "Carp Lan ip" DHCP dont Work.

In Slave i dont creat DHCP For Vlan231 it's sync

Thnks.