Recent posts

Main Menu

Welcome to OPNsense Forum.
Log in
Sign up

OPNsense Forum
► Recent posts

Pages 1 2 3 4 5 ... 10

#21

25.7, 25.10 Series / Re: Blocking traffic? what am ...

Last post by Jeffrey - December 10, 2025, 10:53:58 PM

clearing the states seems to have done it.

I did go back and create an alias and applied it to the NAT rule. Personally I would have thought "block rules" applied to an interface would have been processed before NAT, I guess there is a reason it isn't. I need to look at the documentation to see what the processing order is.

Thanks, I knew this shouldn't have been very difficult.

Jeff

#22

General Discussion / Re: TUI for viewing and analys...

Last post by patient0 - December 10, 2025, 10:40:00 PM

Quote from: allddd on December 09, 2025, 08:32:48 PMI'm still not sure how well this will work though since the filter log directory can contain >30GB of files.

What behaviour would you expect from an application in such an situation? Many apps just freeze or crash :)

Personally I would try to evaluate if the app can handle it and if not show a pop-up. Either abort with that pop-up so that the user can select less files. Or fallback to load only what you can load and let the user know what was loaded and what not.

Although the fallback is probably not a good idea since the user had an idea what she wanted to look through and then wouldn't be sure what is included and what not. It is probably better to let the user know and abort so she knows that it will require two steps to look through all files.

#23

General Discussion / [SOLVED] Re: VLAN DHCP not wor...

Last post by ivpenna - December 10, 2025, 10:20:02 PM

It worked! Thank you very much.

But I had to take one step further: change the PVID settings on the 5 port switch (connected to the Access Point)

https://ibb.co/nN1vkRFD

This video also helped me: https://www.youtube.com/watch?v=4JNptgMWUi0&t=356s

Thank you!

#24

25.7, 25.10 Series / Re: Blocking traffic? what am ...

Last post by Patrick M. Hausen - December 10, 2025, 10:19:53 PM

Did you clear the firewall states after the change?

#25

25.7, 25.10 Series / Re: Blocking traffic? what am ...

Last post by Jeffrey - December 10, 2025, 10:17:22 PM

With the NAT disabled I do see much of the traffic being blocked but not all of it...

Code Select

# tcpdump "tcp[tcpflags] & (tcp-ack) = 0" and port 443 and net 170.239.160.0/24 -n -c20
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp6s0f0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:08:41.852675 IP 170.239.160.240.18672 > 172.18.19.2.https: Flags [S], seq 1368460929, win 64240, options [mss 1452,nop,wscale 6,nop,nop,sackOK], length 0
16:08:41.854005 IP 170.239.160.240.18672 > 172.18.19.2.https: Flags [S], seq 1368460929, win 64240, options [mss 1452,nop,wscale 6,nop,nop,sackOK], length 0
16:08:41.854053 IP 170.239.160.240.18672 > 172.18.19.2.https: Flags [S], seq 1368460929, win 64240, options [mss 1452,nop,wscale 6,nop,nop,sackOK], length 0
16:08:44.481879 IP 170.239.160.4.51266 > 172.18.19.2.https: Flags [S], seq 465277211, win 65535, options [mss 1460,sackOK,TS val 2434516034 ecr 0,nop,wscale 8], length 0
16:08:44.481880 IP 170.239.160.4.51266 > 172.18.19.2.https: Flags [S], seq 465277211, win 65535, options [mss 1460,sackOK,TS val 2434516034 ecr 0,nop,wscale 8], length 0
16:08:44.483950 IP 170.239.160.4.51266 > 172.18.19.2.https: Flags [S], seq 465277211, win 65535, options [mss 1460,sackOK,TS val 2434516034 ecr 0,nop,wscale 8], length 0
16:08:44.852749 IP 170.239.160.4.51266 > 172.18.19.2.https: Flags [S], seq 465277211, win 65535, options [mss 1460,sackOK,TS val 2434516034 ecr 0,nop,wscale 8], length 0
16:08:49.442890 IP 170.239.160.37.57579 > 172.18.19.2.https: Flags [S], seq 3965481071, win 29200, options [mss 1460,sackOK,TS val 1886380011 ecr 0,nop,wscale 5], length 0
16:08:49.443691 IP 170.239.160.37.57579 > 172.18.19.2.https: Flags [S], seq 3965481071, win 29200, options [mss 1460,sackOK,TS val 1886380011 ecr 0,nop,wscale 5], length 0

#26

Hardware and Performance / Re: DEC750 Questions

Last post by ProximusAl - December 10, 2025, 10:13:59 PM

Joy. Shipped email received, should get it tomorrow. Happy days

#27

25.7, 25.10 Series / Re: Blocking traffic? what am ...

Last post by Jeffrey - December 10, 2025, 10:01:16 PM

I disabled the NAT rule temporarily (image attached) and the traffic continues

#28

General Discussion / Re: VLAN DHCP not working

Last post by viragomann - December 10, 2025, 09:59:26 PM

Quote from: ivpenna on December 10, 2025, 09:27:55 PM- Every device connected to ports 4 or 5 TL-SG105E would get an IP address from 192.168.101.0/24 subnet (tag 20)

So if the AP has no VLAN configuration, you have to add these port as untagged to the VLAN20.

The other settings should be fine.

#29

25.7, 25.10 Series / Re: Blocking traffic? what am ...

Last post by Patrick M. Hausen - December 10, 2025, 09:50:05 PM

NAT rules take precedence over firewall rules. So if you have a NAT > Port forwarding rule that forwards e.g. WAN address:443 to 172.18.19.2:443 and if you have the "Firewall rule association" for that NAT rule set to "pass" - that will permit the traffic.

Either change that "pass" to an explicit rule and then e.g. put all those networks supposed to be blocked in a network or group alias and use "source invert" to only allow "! bad boys". Or place the block rules into the floating category with an explicit "WAN" interface selection, because also: floating before interface.

#30

25.7, 25.10 Series / Blocking traffic? what am I do...

Last post by Jeffrey - December 10, 2025, 09:40:09 PM

This should be a no brainer, I have two rules applied to my wan interface, I have put them at the very top to block 170.239.160.0/22 & 187.108.240.0/20 (see attached image).

Traffic is not being blocked, there is a NAT rule forwarding all incoming traffic on port 443 to 172.18.19.2

If I run a tcpdump on the 172.18.19.2 system I see the following -

Code Select

# tcpdump "tcp[tcpflags] & (tcp-ack) = 0" and port 443 -n -c20
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp6s0f0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:29:40.702817 IP 187.108.247.245.25743 > 172.18.19.2.https: Flags [S], seq 3175197668, win 16384, options [mss 1452,sackOK,TS val 2883870863 ecr 0,nop,wscale 6], length 0
15:29:40.702818 IP 187.108.247.245.25743 > 172.18.19.2.https: Flags [S], seq 3175197668, win 16384, options [mss 1452,sackOK,TS val 2883870863 ecr 0,nop,wscale 6], length 0
15:29:40.703251 IP 187.108.247.245.25743 > 172.18.19.2.https: Flags [S], seq 3175197668, win 16384, options [mss 1452,sackOK,TS val 2883870863 ecr 0,nop,wscale 6], length 0
15:29:40.898930 IP 179.106.77.68.14350 > 172.18.19.2.https: Flags [S], seq 1585738757, win 65535, options [mss 1460,sackOK,TS val 1946498062 ecr 0,nop,wscale 5], length 0
15:29:40.914092 IP 187.108.249.81.30930 > 172.18.19.2.https: Flags [S], seq 1291127091, win 65535, options [mss 1452,nop,wscale 6,nop,nop,sackOK], length 0
15:29:40.914092 IP 187.108.249.81.30930 > 172.18.19.2.https: Flags [S], seq 1291127091, win 65535, options [mss 1452,nop,wscale 6,nop,nop,sackOK], length 0
15:29:40.914413 IP 187.108.249.81.30930 > 172.18.19.2.https: Flags [S], seq 1291127091, win 65535, options [mss 1452,nop,wscale 6,nop,nop,sackOK], length 0
15:29:41.074932 IP 187.108.247.245.25743 > 172.18.19.2.https: Flags [S], seq 3175197668, win 16384, options [mss 1452,sackOK,TS val 2883870863 ecr 0,nop,wscale 6], length 0
15:29:41.179480 IP 179.106.76.240.18672 > 172.18.19.2.https: Flags [S], seq 1368460929, win 64240, options [mss 1452,nop,wscale 6,nop,nop,sackOK], length 0
15:29:41.179481 IP 179.106.76.240.18672 > 172.18.19.2.https: Flags [S], seq 1368460929, win 64240, options [mss 1452,nop,wscale 6,nop,nop,sackOK], length 0
15:29:41.180150 IP 179.106.76.240.18672 > 172.18.19.2.https: Flags [S], seq 1368460929, win 64240, options [mss 1452,nop,wscale 6,nop,nop,sackOK], length 0
15:29:41.286667 IP 187.108.249.81.30930 > 172.18.19.2.https: Flags [S], seq 1291127091, win 65535, options [mss 1452,nop,wscale 6,nop,nop,sackOK], length 0
15:29:41.550143 IP 170.239.161.23.249 > 172.18.19.2.https: Flags [S], seq 2311986662, win 65535, options [mss 1412,sackOK,TS val 501677817 ecr 0,nop,wscale 7], length 0
15:29:41.550200 IP 170.239.161.23.249 > 172.18.19.2.https: Flags [S], seq 2311986662, win 65535, options [mss 1412,sackOK,TS val 501677817 ecr 0,nop,wscale 7], length 0
15:29:41.550249 IP 170.239.161.23.249 > 172.18.19.2.https: Flags [S], seq 2311986662, win 65535, options [mss 1412,sackOK,TS val 501677817 ecr 0,nop,wscale 7], length 0
15:29:41.551891 IP 179.106.76.240.18672 > 172.18.19.2.https: Flags [S], seq 1368460929, win 64240, options [mss 1452,nop,wscale 6,nop,nop,sackOK], length 0
15:29:41.893931 IP 179.106.73.138.16542 > 172.18.19.2.https: Flags [S], seq 2137856657, win 65535, options [mss 1452,nop,wscale 6,nop,nop,sackOK], length 0
15:29:41.895644 IP 179.106.73.138.16542 > 172.18.19.2.https: Flags [S], seq 2137856657, win 65535, options [mss 1452,nop,wscale 6,nop,nop,sackOK], length 0
15:29:41.895645 IP 179.106.73.138.16542 > 172.18.19.2.https: Flags [S], seq 2137856657, win 65535, options [mss 1452,nop,wscale 6,nop,nop,sackOK], length 0
15:29:41.921318 IP 170.239.161.23.249 > 172.18.19.2.https: Flags [S], seq 2311986662, win 65535, options [mss 1412,sackOK,TS val 501677817 ecr 0,nop,wscale 7], length 0
20 packets captured
22 packets received by filter
0 packets dropped by kernel

If I look at the live view, I see the traffic is listed as pass but it is on the inside interface with the label of "let out anything from the firewall host itself" which is one of the automatically generated rules. I don't think this traffic should ever have made it this far, it should be blocked at the outside/wan interface.

As I said this shouldn't be very difficult, so what did I do wrong?

Jeff

Pages 1 2 3 4 5 ... 10