OPNsense Forum
Messages - struppie

1
24.7 Production Series / Re: Regular LAN Traffic hits Default deny / state violation rule since 24.7
« on: September 09, 2024, 04:15:05 pm »
Quote from: struppie on September 09, 2024, 03:45:15 pm
I think I'm running into an issue which has the same root cause as reported here.
....

Found the issue: I'm checking the source IP with GeoIPWhitelisting. It seems that this no longer works as expected; I need to analyse it in detail.
But using "any" as the source (instead of GeoIPWhitelisting) in the forwarding rule heals everything (meaning the custom forwarding and rule match, and therefore the traffic does not run into the default deny anymore).

2
24.7 Production Series / Re: Regular LAN Traffic hits Default deny / state violation rule since 24.7
« on: September 09, 2024, 03:45:15 pm »
I think I'm running into an issue which has the same root cause as reported here.
After updating to 24.7.x I can no longer connect to my web server from the public internet.
Before the update everything was running fine and I did not touch the configuration.
OPNsense has port forwarding and allow rules etc. that were working fine to forward public internet traffic to my internal web server.

But after the update each attempt to connect to the web server is rejected by the floating "default deny / state violation" rule. Even incoming traffic with tcpflags S is caught by the "default deny" rule.

Are there any changes in OPNsense v24.7 that explain why this happens, or recommendations to overcome the problem?
I'm currently running 24.7.3_1. Any hints are welcome.

3
23.1 Legacy Series / Re: 23.1.7_1 broke my Firewall
« on: May 11, 2023, 10:01:10 am »
Quote from: My_Network on May 11, 2023, 06:11:28 am
Could you please add a before and after of your conf.xml for reference? I'm not sure I completely follow the changes you had to make to get it working.

I'll be happy to assist, but let's first check, as suggested by franco, whether you are facing the same problem. Otherwise we may make it worse rather than better ;)

What does the following command spit out on your side?
# opnsense-log | grep refusing

4
23.1 Legacy Series / Re: 23.1.7_1 broke my Firewall
« on: May 10, 2023, 05:02:21 pm »
Good findings and perfect support! Many thanks!

5
23.1 Legacy Series / Re: 23.1.7_1 broke my Firewall
« on: May 10, 2023, 02:34:04 pm »
I think it's now up to me to buy you a beer, or two ;)

After removing the second <gateway_item/> part and rebooting, OPNsense now sets the default route again etc.
Seems to run fine now!
I will monitor it a bit, but it seems you found the root cause!
I think I wouldn't have found this without your help! Many thanks!

6
23.1 Legacy Series / Re: 23.1.7_1 broke my Firewall
« on: May 10, 2023, 01:55:02 pm »
Exceeded the maximum attachment size, therefore attached to the 2nd post.

7
23.1 Legacy Series / Re: 23.1.7_1 broke my Firewall
« on: May 10, 2023, 01:54:16 pm »
Hmm, the relevant part of the conf.xml looks like this:

Code:
<gateways>
    <gateway_item>
      <interface>opt8</interface>
      <gateway>192.168.30.1</gateway>
      <name>WAN_GW</name>
      <priority>255</priority>
      <weight>1</weight>
      <ipprotocol>inet</ipprotocol>
      <interval>1</interval>
      <descr>Interface WAN Gateway</descr>
      <monitor>8.8.8.8</monitor>
      <defaultgw>1</defaultgw>
    </gateway_item>
    <gateway_item>
      <descr>Interface WAN Gateway</descr>
      <defaultgw>1</defaultgw>
      <ipprotocol>inet</ipprotocol>
      <interface>wan</interface>
      <gateway>192.168.30.1</gateway>
      <monitor_disable>1</monitor_disable>
      <name>WAN_GW</name>
      <interval>1</interval>
      <weight>1</weight>
    </gateway_item>
  </gateways>

But the GUI shows only one; see attachment OPNSence-system-gateways.png.

Additionally, I attached the interface configuration itself, where I configured the IPv4 Upstream Gateway; see attachment OPNSence-interface-wan30.png.

All this looked the same before the update and worked fine.

Any hint on what to change in the interface/gateway configuration is much appreciated, if this is the reason it no longer works or is somehow wrong....

8
23.1 Legacy Series / Re: 23.1.7_1 broke my Firewall
« on: May 10, 2023, 12:49:56 pm »
Many thanks for looking into this issue - much appreciated! :)

I attached 2 logs:
- opnsense-badcase.log: this is the full log after the update and reboot (23.1.7_3)

For comparison (there you can see that setting the default route succeeds):
- opnsense-goodcase.log: this is the full log with the former version of OPNsense (23.1.6)

9
23.1 Legacy Series / Re: 23.1.7_1 broke my Firewall
« on: May 10, 2023, 11:48:37 am »
Seems to be a good idea ;)

Here's the output:

Code:
root@OPNsense:~ # opnsense-log | grep refusing
<11>1 2023-05-10T11:43:30+02:00 OPNsense.dimo.nil opnsense 285 - [meta sequenceId="8"] /usr/local/etc/rc.bootup: ROUTING: refusing to set inet gateway on addressless wan
<11>1 2023-05-10T11:43:35+02:00 OPNsense.dimo.nil opnsense 17719 - [meta sequenceId="32"] /usr/local/etc/rc.routing_configure: ROUTING: refusing to set inet gateway on addressless wan
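Added example, not code from the thread or from the OPNsense project: a small Python checker that parses the `<gateways>` fragment quoted in post 7 and flags conflicting `gateway_item` definitions, scans opnsense-log style output for the "refusing to set inet gateway on addressless ..." message shown in post 9, and correlates the two. The sample config and the two log lines are copied from the thread; the rule that a single config should not carry two `gateway_item` entries with the same name, nor two `defaultgw=1` entries for the same IP protocol, is my assumption for this sanity check and not a documented OPNsense constraint.

```python
"""Added example: find conflicting gateway_item entries in an OPNsense config.xml
backup and correlate them with 'refusing to set ... gateway' log lines."""
import re
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample: the <gateways> fragment quoted in the thread, wrapped in a
# minimal <opnsense> root so that it parses on its own.
SAMPLE_CONFIG = """<opnsense>
  <gateways>
    <gateway_item>
      <interface>opt8</interface>
      <gateway>192.168.30.1</gateway>
      <name>WAN_GW</name>
      <priority>255</priority>
      <weight>1</weight>
      <ipprotocol>inet</ipprotocol>
      <interval>1</interval>
      <descr>Interface WAN Gateway</descr>
      <monitor>8.8.8.8</monitor>
      <defaultgw>1</defaultgw>
    </gateway_item>
    <gateway_item>
      <descr>Interface WAN Gateway</descr>
      <defaultgw>1</defaultgw>
      <ipprotocol>inet</ipprotocol>
      <interface>wan</interface>
      <gateway>192.168.30.1</gateway>
      <monitor_disable>1</monitor_disable>
      <name>WAN_GW</name>
      <interval>1</interval>
      <weight>1</weight>
    </gateway_item>
  </gateways>
</opnsense>
"""

# Constructed sample: the two opnsense-log lines posted in the thread.
SAMPLE_LOG = """\
<11>1 2023-05-10T11:43:30+02:00 OPNsense.dimo.nil opnsense 285 - [meta sequenceId="8"] /usr/local/etc/rc.bootup: ROUTING: refusing to set inet gateway on addressless wan
<11>1 2023-05-10T11:43:35+02:00 OPNsense.dimo.nil opnsense 17719 - [meta sequenceId="32"] /usr/local/etc/rc.routing_configure: ROUTING: refusing to set inet gateway on addressless wan
"""

# Captures the script, IP protocol and addressless interface from a refusal line.
REFUSAL_RE = re.compile(
    r"(?P<script>/usr/local/etc/[^\s:]+): ROUTING: refusing to set "
    r"(?P<proto>inet6?) gateway on addressless (?P<iface>\S+)"
)


def load_gateways(config_xml):
    """Return one dict per <gateway_item> with the fields this check needs."""
    return [
        {
            "name": item.findtext("name", ""),
            "interface": item.findtext("interface", ""),
            "ipprotocol": item.findtext("ipprotocol", "inet"),
            "defaultgw": item.findtext("defaultgw") == "1",
        }
        for item in ET.fromstring(config_xml).iter("gateway_item")
    ]


def find_gateway_conflicts(config_xml):
    """Flag gateway names defined more than once and more than one default
    gateway per IP protocol (assumption: a sane config has neither)."""
    findings = []
    by_name = defaultdict(list)
    defaults = defaultdict(list)
    for gw in load_gateways(config_xml):
        by_name[gw["name"]].append(gw["interface"])
        if gw["defaultgw"]:
            defaults[gw["ipprotocol"]].append(f'{gw["name"]}@{gw["interface"]}')
    for name, ifaces in by_name.items():
        if len(ifaces) > 1:
            findings.append(f"gateway {name!r} defined {len(ifaces)} times on interfaces {ifaces}")
    for proto, entries in defaults.items():
        if len(entries) > 1:
            findings.append(f"{len(entries)} {proto} gateways flagged defaultgw=1: {entries}")
    return findings


def find_routing_refusals(log_text):
    """Return (script, protocol, interface) for every refusal line in the log."""
    hits = []
    for line in log_text.splitlines():
        m = REFUSAL_RE.search(line)
        if m:
            hits.append((m.group("script"), m.group("proto"), m.group("iface")))
    return hits


def suspect_interfaces(config_xml, log_text):
    """Interfaces named in a refusal that also carry a gateway_item whose name is
    defined more than once: the stale duplicate is the prime suspect."""
    gateways = load_gateways(config_xml)
    counts = Counter(gw["name"] for gw in gateways)
    duplicated = {gw["interface"] for gw in gateways if counts[gw["name"]] > 1}
    refused = {iface for _, _, iface in find_routing_refusals(log_text)}
    return sorted(duplicated & refused)


if __name__ == "__main__":
    print(*find_gateway_conflicts(SAMPLE_CONFIG), sep="\n")
    print(*find_routing_refusals(SAMPLE_LOG), sep="\n")
    print("suspect interfaces:", suspect_interfaces(SAMPLE_CONFIG, SAMPLE_LOG))
```

Run against a real backup by replacing `SAMPLE_CONFIG` with the file contents and `SAMPLE_LOG` with `opnsense-log` output; on the thread's data it reports the doubled `WAN_GW` name, two `inet` default gateways, and `wan` as the interface that is both duplicated in the config and refused in the log.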

10
23.1 Legacy Series / Re: 23.1.7_1 broke my Firewall
« on: May 10, 2023, 09:35:30 am »
I configured a WAN interface (using a VLAN) with a static IPv4 address (192.168.30.254).
Additionally, I configured the IPv4 upstream Gateway on this interface, which is the single Gateway I have.
(inner leg of a second router to the public internet)

Looks like this:
Scenario:
(Internet) ---- (public IP - Router - private IP Network A) ----- (private IP Network A - OPNsense - private IP Network B) ----- (private Network)

OPNsense (private IP Network A) is 192.168.30.254
Router (private IP Network A) is the gateway IP 192.168.30.1

11
23.1 Legacy Series / Re: 23.1.7_1 broke my Firewall
« on: May 09, 2023, 09:57:50 pm »
Hi Franco,

I did the update from 23.1.6 to 23.1.7_3 again.
Immediately after the update everything still runs fine.
Then I did a reboot and the issue was back: no traffic to the public internet was working.

Your hint to look at the routing table was good.
The comparison of before and after the update+reboot shows that the first entry of the routing table was missing!
The one with "destination" default etc.; refer to the attached screenshot (red rectangle).
Interestingly the status of the gateway was marked as "online".

After adding the default route as a static route as an interim solution, everything is working fine again.
But I think the default route should be created automatically, as it was before?

12
23.1 Legacy Series / Re: 23.1.7_1 broke my Firewall
« on: May 09, 2023, 11:32:19 am »
Hi Franco,

1: No default gateway switching in use

2: I will try to do another update attempt and report on this

Thanks for taking care!

13
23.1 Legacy Series / Re: 23.1.7_1 broke my Firewall
« on: May 06, 2023, 10:03:07 pm »
Similar problems here. Did the update from 23.1.6 to 23.1.7_3 with no configuration change (details in attached screenshot). Before the update everything was working fine.

Scenario:
(Internet) ---- (public IP - Router - private IP Network A) ----- (private IP Network A - OPNsense - private IP Network B) ----- (private Network)

After the update I couldn't access any public machine on the Internet from my private network.
No ping, no http etc.
Ping to the Router's private IP Network A worked, but ping to public IPs did not work.

Restored backup => Everything fine again.

Seems something got broken with the update...

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved