[CLOSED] Be aware, newbie. Default deny / state violation rule

Started by julcol, March 05, 2025, 01:30:38 PM

March 05, 2025, 01:30:38 PM Last Edit: March 05, 2025, 05:39:41 PM by julcol Reason: close the discussion.
My context.

I have OPNsense running on top of Proxmox. In a container sharing the same bridge there is a web server. I want to access the web server from a host in the same subnet, physically separated from the Proxmox server.

a) host --> webserver --> no connection (yes ping)
b) webserver --> host --> connects (yes pings).

Uhmm... OK, because the rules apply to the interface, my host is seen as coming from outside the interface, regardless of being in the same subnet.

I create a pass rule for this host, IN, LAN interface, LAN net, destination webserver/https.

However, I still get hit by the Default deny / state violation rule, which sits in the default floating rules...

Is my interpretation correct? What would be the correct way to allow certain hosts to connect to the webserver then? I am reluctant to change anything on the floating rules.

Thanks for your help

JC

Adding insult to injury,

Can I assume that the anti-lockout rules are void in this scenario, which is the default in an OPNsense default installation? Given rule precedence, rule number 2 will match before 10/11, which are the anti-lockout rules, isn't it?

The attached is a print screen of my rules (floating)

I guess I am missing something important.

JC

Quote from: julcol on March 05, 2025, 01:30:38 PM
What would be the correct way to allow certain hosts to connect to the webserver then?
Configuring your network properly.

Basically this traffic
Quote from: julcol on March 05, 2025, 01:30:38 PM
In a container sharing the same bridge there is a web server I want to access the webserver from a host in the same subnet
should not pass a router, as long as the involved devices are not connected to different network interfaces. If it does though, there might be something wrong.
Most probably you have set a network mask wrongly on one of the involved machines.


That was pretty unhelpful. Had a bad day? No need to post.

Your assumptions are incorrect.

If "host" and "webserver" are on the same subnet, OPNsense shouldn't be in the path between them. Your layout is not completely clear (to me, at least). As suggested, if they are on the same subnet but attempting to route through OPNsense (is it the default gateway?), it's likely that you have a misconfigured netmask...

OK, thanks for your response. I will try to clarify.

  • Webserver-LXC(IP -> DHCP opnsense)
  • opnsense-VM
  • Client/browser as a separate host connected to a common switch. Same subnet (IP -> DHCP from opnsense).

Webserver/opnsense hosted in the same Proxmox host. They share Linux bridge vmbr0. vmbr0 bridges the enp1s0 ethernet port --> to physical switch --> to client/browser.

This is what the firewall reports when I open the browser and try to connect to the webserver

LAN 2025-03-05T16:03:09 192.168.33.17:80 192.168.33.190:34198 tcp Default deny / state violation rule
LAN 2025-03-05T16:03:09 192.168.33.17:80 192.168.33.190:34186 tcp Default deny / state violation rule

Which is pretty confusing because 192.168.33.17 is the webserver and 192.168.33.189 is the browser, but the firewall shows it as if it were the other way around, or so I understand.

I am going to close the discussion.

The webserver I was originally trying to log into is the console of a pi-hole installation I manually installed into a barebone debian LXC container. Something weird must be in there with networking and pihole that is beyond my understanding.

I installed an nginx LXC container and it works on the first try. So no firewall blocking. Interestingly, it does not show any traffic in the firewall log, which is pretty weird. I log everything to see and learn.

I do not think continuing with the discussion adds any value.

Thanks to those who looked into it.

JC

Quote from: julcol on March 05, 2025, 05:38:48 PM
Interestingly it does not show up any traffic in the firewall log which is pretty weird. I log everything to see and learn.
Traffic on the same subnet is layer 2 (switched), which is why you won't see anything in the logs due to it never reaching the firewall.

Thus, why do I see Pi-hole traffic... hosted in the same Proxmox instance, being blocked at the firewall (http/https), while nginx is showing up only partially? HTTPS traffic is not showing up.

228 is nginx
17 is pihole.

Where is the magic that I am missing?

Quote from: julcol on March 05, 2025, 04:20:09 PM
This is what the firewall reports when I open the browser and try to connect to the webserver

LAN    2025-03-05T16:03:09    192.168.33.17:80    192.168.33.190:34198    tcp    Default deny / state violation rule
LAN    2025-03-05T16:03:09    192.168.33.17:80    192.168.33.190:34186    tcp    Default deny / state violation rule

Which is pretty confusing because 192.168.33.17 is the webserver and 192.168.33.189 is the browser, but the firewall shows it as if it were the other way around, or so I understand.
This shows that the webserver is sending response packets to OPNsense, while the request packet didn't pass it. This is called asymmetric routing and is mostly the reason for state violation issues.

This indicates that the webserver doesn't know that the client is within the same subnet. So it's sending responses to the upstream gateway.

So again, and for the fourth time, you should check the network mask of the container. If it gets its network settings from DHCP, possibly the network mask on OPNsense differs from the client's.
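As an added worked example (not part of the thread and not OPNsense code), the Python below models the two things this diagnosis and the log lines quoted from the earlier post rest on: a host only delivers directly to destinations inside its own prefix, so a /32 on the container sends same-LAN replies to the gateway, and a stateful firewall that sees a reply (source = server port, destination = ephemeral client port) without having seen the request has no state entry and drops it on the default deny / state violation rule. The log format is copied from the quoted lines; the third log line, the gateway address 192.168.33.1 and the port set {80, 443} are assumptions made for the example.

```python
"""
Models (1) the next-hop decision a host makes for a destination, depending on
its own prefix length, and (2) how to read an OPNsense "Default deny / state
violation rule" live-log line by the direction of its ports.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample, shaped like the live-log lines quoted in the thread.
# The third line is made up to show the opposite (request) direction.
SAMPLE_LOG = """\
LAN  2025-03-05T16:03:09  192.168.33.17:80  192.168.33.190:34198  tcp  Default deny / state violation rule
LAN  2025-03-05T16:03:09  192.168.33.17:80  192.168.33.190:34186  tcp  Default deny / state violation rule
LAN  2025-03-05T16:03:10  192.168.33.190:34200  192.168.33.17:80  tcp  Default deny / state violation rule
"""

LOG_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)\s+(?P<rule>.+?)\s*$"
)

SERVER_PORTS = {80, 443}  # assumption: the web ports the thread talks about


@dataclass
class LogEntry:
    iface: str
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    rule: str


def parse_log(text: str) -> list[LogEntry]:
    """Parse live-log lines; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            entries.append(LogEntry(d["iface"], d["ts"], d["src"], int(d["sport"]),
                                    d["dst"], int(d["dport"]), d["proto"], d["rule"]))
    return entries


def next_hop(host_ip: str, prefixlen: int, gateway: str, dst: str) -> str:
    """Where a host configured as host_ip/prefixlen sends a packet for dst.

    Returns "direct" when dst lies inside the host's own prefix (the host ARPs
    for it and the frame stays on the bridge/switch), otherwise the gateway.
    A /32 prefix contains only the host itself, so every other address,
    including a same-LAN client, is handed to the gateway.
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{prefixlen}")
    if ipaddress.ip_address(dst) in iface.network:
        return "direct"
    return gateway


def classify(entry: LogEntry) -> str:
    """Read a blocked TCP entry by the direction its ports imply."""
    if "state violation" not in entry.rule.lower():
        return "not a state-tracking issue"
    if entry.sport in SERVER_PORTS and entry.dport >= 1024:
        # Server -> client: a reply the firewall never saw a request for.
        return "reply without matching request (asymmetric routing suspected)"
    if entry.dport in SERVER_PORTS:
        # Client -> server: the request itself was dropped.
        return "request dropped (no pass rule matched it)"
    return "state violation, direction unclear"


def diagnose(log_text: str, server_ip: str, prefixlen: int, gateway: str) -> dict:
    """Tie the log reading to the server's routing decision for the client."""
    entries = parse_log(log_text)
    verdicts = [classify(e) for e in entries]
    replies = [e for e, v in zip(entries, verdicts) if v.startswith("reply")]
    client = replies[0].dst if replies else None
    hop = next_hop(server_ip, prefixlen, gateway, client) if client else None
    return {"verdicts": verdicts, "client": client, "server_sends_replies_via": hop}


if __name__ == "__main__":
    # Gateway address 192.168.33.1 is an assumption; the thread never states it.
    for plen in (32, 24):
        print(f"/{plen}:", diagnose(SAMPLE_LOG, "192.168.33.17", plen, "192.168.33.1"))
```

Run as-is, the /32 case reports that replies to 192.168.33.190 go via the gateway, which is exactly the path that produces reply-only entries on the LAN interface; with /24 the same replies go direct and never reach the firewall, matching the observation that the working nginx container left no log lines at all.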

@viragomann

Thanks for your patience. Eventually you were right.

My PiHole container network IP address in Proxmox was set up as xxx.xxx.xxx.xxx/32 and should have been xxx.xxx.xxx.xxx/24.

Again, thanks for helping me reach the right conclusions.

Regards.

JC