Messages - cyb_tachyon

#1
Mods please delete, apparently the form got submitted twice.
#2
Crowdsec and floating rules appear as "Default deny / state violation" in 26.1 logs. This makes it incredibly difficult to troubleshoot.

  • To reproduce, enable Crowdsec plugin and defaults.
  • Whitelist your local host IPs (192.168.1.0/24).
  • Start docker instances that use port forwarding for a range of port connections.
  • Note that the docker instances will be blocked from outgoing traffic on those ports after Crowdsec makes a decision to block.
  • Note that the logs do NOT indicate this, and instead treat all Crowdsec decision floating rules as "Default deny / state violation".

Desired result: Floating rules are logged by their origin (plugin name or automatic), or if not possible, floating rules appear as "Floating Rule".
Workaround: Whitelist Docker IP subnets in Crowdsec, and add Firewall Rules (New) specific for Docker IP subnets (172.15-20.0.0/16).

Related threads:

Network Setup:
  • OPNSense 26.1.6_2 latest on an AMD SoC, 3 Intel NICs.
  • NIC 0 to Cable Modem (WAN).
  • NIC 1 to 10G home network, 10G dumb switches no other routing equipment (LAN).
  • No VLANs or anything yet. Still haven't graduated from basic networking.
  • Debian 13 on an Intel NIC large host.
  • Multiple other PCs wired in.

OPNsense Setup:
  • IPV6 disabled (some of the PCs and apps have a fit and refuse to work on IPV6).
  • Unbound DNS installed, enabled, and set up with overrides that match aliases.
  • Aliases set up for IPV4 for Debian 13 PCs.
  • ACME Client installed and configured.
  • CrowdSec installed and configured with whitelist for 192.168.1.106.
  • ISC DHCPv4 migrated from 25.
  • NAT (New) migrated from 25, old rules removed.

Debian 13 Setup:
  • Default settings for the NIC.
  • Default settings for Docker install (bridge mode NAT).
  • Using a docker instance to start port scanning-like activity.
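The workaround above has two halves: keep CrowdSec from issuing decisions against the Docker subnets, and give those subnets their own explicit firewall rules so a block is logged against a named rule instead of the catch-all "Default deny / state violation". The CrowdSec half is a whitelist parser. The file below is an added example, not the poster's configuration or CrowdSec's shipped whitelist; it uses CrowdSec's documented whitelist parser format, and the install path, the `name`, and the Docker ranges (172.17.0.0/16 is Docker's default bridge, 172.18.0.0/16 a typical additional compose network) are assumptions to be adjusted to what `docker network inspect` reports on the Debian host.

```yaml
# Added example (not from the original post or the CrowdSec project):
# a CrowdSec whitelist parser that exempts the LAN range and the Docker
# bridge subnets from alerts and decisions.
# Assumed location on OPNsense:
#   /usr/local/etc/crowdsec/parsers/s02-enrich/docker-lan-whitelist.yaml
# Assumed ranges: 192.168.1.0/24 (the poster's LAN), 172.17.0.0/16 and
# 172.18.0.0/16 (Docker bridge networks); replace with the real ones.
name: local/docker-lan-whitelist
description: "Do not raise decisions for LAN hosts or Docker bridge subnets"
whitelist:
  reason: "trusted LAN and container ranges"
  ip:
    - "192.168.1.106"        # host already whitelisted in the post
  cidr:
    - "192.168.1.0/24"       # home LAN
    - "172.17.0.0/16"        # Docker default bridge (assumed)
    - "172.18.0.0/16"        # additional compose network (assumed)
```

After the file is in place, `cscli parsers list` should show the parser as loaded, and `cscli decisions list` is the quickest way to confirm whether a given source address is currently under a CrowdSec decision when the firewall log only says "Default deny / state violation". The whitelist changes what CrowdSec decides, not how OPNsense labels the floating rule, which is why the second half of the workaround, explicit Firewall Rules for the Docker subnets, is still needed to make the log attribution readable.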