Author Topic: Firewall Assistance - Pass sometimes, not always (Read 2842 times)

finish06 · « **on:** March 08, 2019, 03:22:42 pm »

What would cause the below issue? Ports on the firewall are set to '*'.

Thanks!

franco · « **Reply #1 on:** March 08, 2019, 03:24:26 pm »

Asymmetric routing or faulty switching. The default deny rule will block connections that don't have a correct TCP state so it doesn't see all packets belonging to the connection.

There are a number of threads in this forum about it, look for "default deny" and "state tracking disable".

Cheers,
Franco

finish06 · « **Reply #2 on:** March 08, 2019, 04:04:58 pm »

Thank you for the prompt reply! I was struggled to search for anything meaningful. I think it is asymmetrical routing. While I am not sure what that is exactly, changing the state type to none fixed the issue. I found the information on this forum:
https://forum.opnsense.org/index.php?topic=9136.msg40997#msg40997

franco · « **Reply #3 on:** March 08, 2019, 04:41:01 pm »

It would mean packets (usually one direction, sometimes more fuzzy than this) find another way to the OPNsense than the assigned network port where they are supposed to appear and "confuse" the state tracking, causing it to invalidate the connection because the TCP is not well-formed.

From an end user perspective this doesn't matter, from a network design and security standpoint that can pose problems. Sometimes it can be a switch that is flooding due to full MAC tables.

Cheers,
Franco

Author Topic: Firewall Assistance - Pass sometimes, not always (Read 2842 times)

finish06

Firewall Assistance - Pass sometimes, not always

franco

Re: Firewall Assistance - Pass sometimes, not always

finish06

Re: Firewall Assistance - Pass sometimes, not always

franco

Re: Firewall Assistance - Pass sometimes, not always