22.7 Legacy Series / Firewall rules not applied without resetting state table
« on: November 08, 2022, 03:49:52 pm »
Hi,
I was struggling with the configuration of a site-to-site OpenVPN PSK VPN in a testing environment.
The test configuration is this:
client1 -|                                                                    |- client3
(192.168.101.20) |                                                            | (192.168.102.20)
                 |  opnsense1 (Server)                    opnsense2 (Client)  |
                 |--- LAN: 192.168.101.1 <----------------> LAN: 192.168.102.1 ---|
                 |    WAN: 192.168.17.45                    WAN: 192.168.17.46    |
client2 -|                                                                    |- client4
(192.168.101.21) |        |------- TUNNEL NETWORK -------|                    | (192.168.102.21)
                                     (10.10.10.0/24)
The firewall rule on the WAN interface of opnsense1 was set to allow incoming connections on the OpenVPN server port (1194).
The firewall rules on the OpenVPN interface are correctly set as shown in the attached image.
The OpenVPN tunnel comes up as expected.
Now, the problem.
From client4, two terminals are pinging 192.168.101.20 and 192.168.101.21.
With the rules configured (see the attachment) I can ping both client1 and client2.
If I disable the second rule (allow packets to 192.168.101.21), I expect the first terminal to continue pinging client1 and the second terminal to stop pinging client2, but both pings still work.
I go to Firewall -> Diagnostics -> States -> Actions -> reset state table.
The ping to client2 stops and the ping to client1 still works (the expected behaviour).
If I re-enable the rule, the ping to client2 starts responding instantly (as expected).
If I disable the rule again, the ping to client2 continues responding (sigh) until I flush the state table.
Is this the expected behaviour?
If needed I can attach both firewalls' configuration files.
Thanks in advance for any reply to my question.
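The behaviour described in the post is what a stateful packet filter does: pf consults the state table before the ruleset, so a pass rule is only evaluated for the first packet of a flow, and the state it creates keeps carrying later packets (and the echo replies) even after the rule is disabled, until that state is removed. The following is an added example, not code from the post or from OPNsense: a deliberately simplified Python model of that ordering, replaying the exact sequence from the post with its addresses. Real pf keys states on more fields (ports, ICMP id, interface, direction) than the (protocol, source, destination) triple used here, and `kill_states` is a model of the targeted removal that `pfctl -k` performs on the shell, included to show that a full state table reset is not the only way to stop an established flow.

```python
"""Toy model of pf-style stateful filtering: state lookup first, rules second.

Constructed example with the addresses from the post; not a pf implementation.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# A flow is identified here by (protocol, source, destination). pf keys its
# states on more fields, but three are enough to show the evaluation order.
FlowKey = Tuple[str, str, str]

CLIENT1 = "192.168.101.20"   # behind opnsense1
CLIENT2 = "192.168.101.21"   # behind opnsense1
CLIENT4 = "192.168.102.21"   # behind opnsense2, source of the pings


@dataclass
class Rule:
    """One pass/block rule on the OpenVPN interface, matched on destination."""
    action: str                 # "pass" or "block"
    dst: str                    # destination host, or "any"
    enabled: bool = True

    def matches(self, dst: str) -> bool:
        return self.enabled and self.dst in ("any", dst)


@dataclass
class StatefulFilter:
    rules: List[Rule]
    states: Set[FlowKey] = field(default_factory=set)

    def filter(self, proto: str, src: str, dst: str) -> str:
        """Return the verdict for one packet and update the state table."""
        key = (proto, src, dst)
        # Step 1: an existing state short-circuits the ruleset entirely.
        # This is why disabling a rule does not touch a flow already running.
        if key in self.states:
            return "pass (state)"
        # Step 2: no state, so walk the rules; first match wins, default deny.
        for rule in self.rules:
            if rule.matches(dst):
                if rule.action == "pass":
                    # A passing first packet creates state in both directions,
                    # so the ICMP echo reply returns without consulting rules.
                    self.states.add(key)
                    self.states.add((proto, dst, src))
                    return "pass (rule)"
                return "block (rule)"
        return "block (default)"

    def reset_state_table(self) -> None:
        """Equivalent of Firewall -> Diagnostics -> States -> reset state table."""
        self.states.clear()

    def kill_states(self, host_a: str, host_b: Optional[str] = None) -> int:
        """Drop only the states between host_a and host_b (either direction),
        modelled on `pfctl -k host_a -k host_b`; other flows are untouched."""
        def hit(key: FlowKey) -> bool:
            ends = {key[1], key[2]}
            return host_a in ends and (host_b is None or host_b in ends)
        victims = {k for k in self.states if hit(k)}
        self.states -= victims
        return len(victims)


def reproduce() -> List[Tuple[str, str, str]]:
    """Replay the post's sequence; returns (step, target, verdict) rows."""
    fw = StatefulFilter([Rule("pass", CLIENT1), Rule("pass", CLIENT2)])
    log: List[Tuple[str, str, str]] = []

    def ping(step: str, dst: str) -> None:
        log.append((step, dst, fw.filter("icmp", CLIENT4, dst)))

    ping("both rules enabled", CLIENT1); ping("both rules enabled", CLIENT2)
    fw.rules[1].enabled = False                  # disable "allow to client2"
    ping("rule 2 disabled", CLIENT1); ping("rule 2 disabled", CLIENT2)
    fw.reset_state_table()                       # flush everything
    ping("after reset", CLIENT1); ping("after reset", CLIENT2)
    fw.rules[1].enabled = True
    ping("rule 2 re-enabled", CLIENT2)
    fw.rules[1].enabled = False
    ping("rule 2 disabled again", CLIENT2)
    fw.kill_states(CLIENT4, CLIENT2)             # surgical alternative to a flush
    ping("after targeted kill", CLIENT1); ping("after targeted kill", CLIENT2)
    return log


if __name__ == "__main__":
    for step, dst, verdict in reproduce():
        print(f"{step:24} -> {dst:16} {verdict}")
```

Running it shows client2 still answering "pass (state)" after the rule is disabled, then "block (default)" only once the state is gone, while the targeted kill leaves the client1 flow untouched. The same holds for any stateful filter with state-before-rules evaluation, which is why a rule change should be followed by clearing the affected states when the intent is to cut an existing connection rather than just prevent new ones.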