All traffic from LAN blocked after upgrade to 22.1

Started by |MatMan|, January 28, 2022, 03:42:23 PM

I have opnsense running stable for years now without changing the config on an IPU445 from NRG Systems. 1 NIC is used for WAN, the 3 remaining NICs are bridged and form the LAN interface.
After upgrading to 22.1, all packets from any LAN client are blocked by the "Default deny rule", except for the access to the opnsense firewall via WebUI and SSH. DHCP also does not work (log entry: receive_packet failed on bridge0: device not configured). DNS does not work from LAN but it works on the firewall (interface: diagnostics).
Of course, there is a "Default allow LAN to any rule" on the LAN bridge. The tunables are set to apply firewall rules on the bridge and not on the underlying interfaces.

What can I do?  :'(

From the release notes there are changes to how some interfaces behave, for instance:
o MAC spoofing now only pertains to the configured interface and not the VLAN siblings or parent interface.  This can introduce unwanted configuration due to previous side effects in the code.  Make sure to assign and set the spoofed MAC for all interfaces that require a spoofed MAC.
o Media settings are no longer shown for non-parent interfaces and need to be set individually to take effect.  This can introduce unwanted configuration due to previous side effects in the code.  If the parent interface was not previously assigned please assign it to reapply the required media settings.

Could that be it?

Thanks for your reply!
I'm not using any VLANs and I'm not aware of any media setting related to a bridged interface. Any idea how this could be related?

Sorry, all I can think of with "log entry: receive_packet failed on bridge0: device not configured" is that the bridge device needs reconfiguring after the update due to those aforementioned behaviour changes in this version.
I'm sure a pro will come to help.


Same behaviour.

I can't reach my opnsense inside interface IP and I realized all lan traffic doesn't go out.

FW doesn't ping its WAN peer either.

Opnsense running on libvirt KVM, qotom server.

I rolled back a snapshot to 21.7.8 and back to normal.

Sounds similar to what we are seeing on a Jetway board with Intel AT211 NICs. No traffic, no nothing.  Pretty much useless build of 22.1.  Rolled back to 21.7.8.

Are there any debug logs available? As you can see, no devs have replied to this topic yet, because they probably don't know how due to the lack of information.

Quote from: |MatMan| on January 28, 2022, 03:42:23 PM
After upgrading to 22.1, all packets from any LAN client are blocked by the "Default deny rule", except for the access to the opnsense firewall via WebUI and SSH.

That means the auto-generated rules seem to still work, since the anti-lockout rule is among those rules (Firewall/Rules/LAN/expand the auto-generated bullet at the top above the 1st rule).

Can you compare the anti-lockout rule there with the ones you currently have? You may discover what the problem may be.

I don't know if it relates to your particular issue, but the other day I had some problems getting traffic through a bridge, on a new 22.1 installation, and it was fixed by setting the tunables:


net.link.bridge.pfil_member=0
net.link.bridge.pfil_bridge=0


The effect of this is for the bridge inbound traffic to be filtered only on the L3 interface and NOT on bridge member ports as well, which seems to be the default.

You could try this and see if it fixes your issue.

Link to thread

Or maybe the bridge isn't formed and you only have 1 interface working or something like that? That could explain why the anti-lockout rule is working and none of the rules on your bridge.
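The two suggestions above (check the net.link.bridge.pfil_* tunables, and check whether the bridge actually has its member ports) can be turned into a small diagnostic that runs on the firewall itself. The script below is an added example, not OPNsense code or anything posted in this thread: it parses the output of `sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge` and `ifconfig bridge0`, classifies the four tunable combinations the way if_bridge(4) documents them, and reports whether bridge0 is UP/RUNNING and which NICs are attached. The interface names, MAC and IP address in the sample output are constructed; substitute live command output when running it on a real box.

```shell
#!/bin/sh
# Added diagnostic for the bridge symptoms discussed in this thread.
# Not OPNsense code; it only parses the output of two FreeBSD commands:
#   sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge
#   ifconfig bridge0
# All sample data below (igb1..igb3, MAC, 192.168.1.1) is constructed.

# Classify the pfil tunables as if_bridge(4) documents them:
#   pfil_member=1 -> frames are filtered on every member port
#   pfil_bridge=1 -> frames are filtered on the bridge interface itself
# $1 = output of the sysctl command above
pfil_mode() {
    member=$(printf '%s\n' "$1" | awk -F': ' '/pfil_member/ {print $2}')
    bridge=$(printf '%s\n' "$1" | awk -F': ' '/pfil_bridge/ {print $2}')
    case "${member}/${bridge}" in
        1/1) echo "filter on members and bridge (FreeBSD default)" ;;
        0/1) echo "filter on bridge interface only" ;;
        1/0) echo "filter on member ports only" ;;
        0/0) echo "no pf filtering on bridge or members" ;;
        *)   echo "unknown (member=${member:-?} bridge=${bridge:-?})" ;;
    esac
}

# Space-separated list of the member ports ifconfig reports for a bridge.
# An empty result means the bridge exists but has no NICs attached.
# $1 = output of `ifconfig bridge0`
bridge_members() {
    printf '%s\n' "$1" | awk '$1 == "member:" {printf "%s%s", sep, $2; sep = " "}'
}

# True when the first line of the ifconfig output carries both UP and RUNNING.
bridge_is_up() {
    first=$(printf '%s\n' "$1" | head -n 1)
    printf '%s\n' "$first" | grep -Eq '[<,]UP[,>]' &&
        printf '%s\n' "$first" | grep -Eq '[<,]RUNNING[,>]'
}

# One-line verdict; $1 = sysctl output, $2 = ifconfig output.
bridge_report() {
    members=$(bridge_members "$2")
    if [ -z "$members" ]; then
        echo "bridge has NO member ports: LAN NICs are not attached, so rules on the bridge never see LAN traffic"
    elif ! bridge_is_up "$2"; then
        echo "bridge has members ($members) but is not UP/RUNNING"
    else
        echo "bridge OK, members: $members; pfil mode: $(pfil_mode "$1")"
    fi
}

# Constructed sample output, shaped like FreeBSD 13 sysctl/ifconfig output.
SAMPLE_SYSCTL='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1'

SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 58:9c:fc:00:12:34
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        member: igb3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 20000
        member: igb2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 20000
        member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        groups: bridge'

# On the firewall, feed live output instead of the samples:
#   bridge_report "$(sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge)" "$(ifconfig bridge0)"
bridge_report "$SAMPLE_SYSCTL" "$SAMPLE_IFCONFIG"
```

If the member list comes back empty, the LAN NICs were never attached to bridge0 after the upgrade, which would also explain the DHCP "device not configured" error from the first post; if the members are present and UP, the pfil mode line tells you where pf is actually evaluating the LAN rules.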

Same problem here. I've never had any problems with Opnsense, but I came here because I didn't understand what's going on.

Has anyone found a solution yet? I just tried again with the latest update 22.1.1_3 but it's still the same problem.