FW drops connections even if allowed

Started by fastboot, November 03, 2021, 01:05:38 PM

November 03, 2021, 01:05:38 PM Last Edit: November 03, 2021, 01:26:12 PM by fastboot
Hello,

Actually, I am a little lost, as I don't understand why the FW is dropping allowed connections.

For the setup I need to use double NAT (PAT), as in front of the FW there is another router. But this should not be a big problem, as it worked before as well. Also, not all connections are dropped. So basically this is why I'm a little lost.

NAT_1 on Router
Router: 192.168.175.1
Port: 20558
To: 192.168.175.2 (OPNsense FW)

NAT_2 on FW
FW_WAN_Interface: 192.168.175.2
Port: 20558
FW_DMZ_Interface: 172.19.255.1
Server_in_DMZ_Subnet: 172.19.255.50

pfctl -sn | grep 20558
rdr on igb0 inet proto tcp from any to (igb0) port = 20558 -> <172.19.255.50> port 20558 round-robin


FW Rule:
pfctl -sr | grep 20558
pass in quick on igb0 reply-to (igb0 192.168.175.1) inet proto tcp from any to <172.19.255.50> port = 20558 flags S/SA keep state label "xyz"



FW Logs:
filterlog[3546]: 14,,,xyz,igb0,match,block,in,4,0x0,,60,25470,0,DF,6,tcp,588,IP.IP.IP.IP,172.19.255.50,43880,20558,536,PA,xyz:xyz,xyz,xyz,,nop;nop;TS

Any ideas why this could have been blocked?


cheers

fastboot



Hi
Quote: 14,,,xyz,igb0,match,block,in,4,0x0,,60,25470,0,DF,6,tcp,588,IP.IP.IP.IP,172.19.255.50,43880,20558,536,PA,xyz:xyz,xyz,xyz,,nop;nop;TS

PSH, ACK flags are not allowed to create state ("...flags S/SA keep state...").

If all works, then it's good.
(https://forum.opnsense.org/index.php?topic=20219.0)
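To make the point above concrete: with `flags S/SA keep state`, pf only lets a packet whose SYN is set and ACK is clear create state; a PSH/ACK that arrives without a matching state entry falls through the rule and hits the default block. The following is an added example, not code from the thread or from OPNsense, that parses the posted filterlog line and replays it against a minimal model of that behaviour. It assumes the IPv4/TCP column order of OPNsense's filterlog CSV (rule, label, interface, IP header, then TCP header fields); the SYN line and the `PfStateTable` class are constructed for illustration.

```python
"""Replay OPNsense filterlog lines against a toy model of pf's
'flags S/SA keep state' rule.  Added example, not OPNsense code.

Assumption: FILTERLOG_IPV4_TCP below is the column order OPNsense's
filterlog uses for an IPv4 TCP packet.  POSTED_PA_LINE is the line
quoted in the thread (already redacted by the poster); the SYN line
and the state-table model are constructed here.
"""
from typing import Dict, List, Tuple

FILTERLOG_IPV4_TCP = [
    "rulenr", "subrulenr", "anchor", "label", "interface", "reason", "action",
    "direction", "ipversion", "tos", "ecn", "ttl", "id", "offset", "ipflags",
    "protoid", "protocol", "length", "src", "dst",
    "srcport", "dstport", "datalen", "tcpflags", "seq", "ack", "window", "urg",
    "options",
]

# The line quoted in the thread: a PSH/ACK from the client to the DMZ server.
POSTED_PA_LINE = (
    "filterlog[3546]: 14,,,xyz,igb0,match,block,in,4,0x0,,60,25470,0,DF,6,tcp,588,"
    "IP.IP.IP.IP,172.19.255.50,43880,20558,536,PA,xyz:xyz,xyz,xyz,,nop;nop;TS"
)
# Constructed: the SYN the same client would send to open that connection.
CONSTRUCTED_SYN_LINE = (
    "filterlog[3546]: 14,,,xyz,igb0,match,pass,in,4,0x0,,60,25469,0,DF,6,tcp,60,"
    "IP.IP.IP.IP,172.19.255.50,43880,20558,0,S,xyz:xyz,,xyz,,mss;nop;wscale;sackOK;TS"
)


def parse_filterlog(line: str) -> Dict[str, str]:
    """Split one filterlog syslog line into named fields (IPv4 TCP only)."""
    if "filterlog[" in line:               # drop the "filterlog[pid]: " prefix
        line = line.split("]: ", 1)[1]
    fields = line.split(",")               # TCP options use ';', so ',' is safe
    if len(fields) != len(FILTERLOG_IPV4_TCP):
        raise ValueError(f"expected {len(FILTERLOG_IPV4_TCP)} fields, got {len(fields)}")
    pkt = dict(zip(FILTERLOG_IPV4_TCP, fields))
    if pkt["ipversion"] != "4" or pkt["protocol"] != "tcp":
        raise ValueError("only IPv4 TCP lines are modelled here")
    return pkt


def flags_match(tcpflags: str, spec: str) -> bool:
    """pf 'flags check/mask': of the bits named in mask, exactly those in
    check must be set.  'S/SA' therefore accepts a bare SYN and rejects
    SYN/ACK, ACK, PSH/ACK and so on.  filterlog letters: S A P F R U E W."""
    if spec == "any":
        return True
    check, mask = spec.split("/")
    present = {f for f in tcpflags if f in mask}
    return present == set(check)


class PfStateTable:
    """Toy model: a rule with 'flags <spec> keep state' plus default block."""

    def __init__(self, rule_flags: str = "S/SA") -> None:
        self.rule_flags = rule_flags
        self.states = set()

    @staticmethod
    def key(pkt: Dict[str, str]) -> Tuple[str, str, str, str]:
        return (pkt["src"], pkt["srcport"], pkt["dst"], pkt["dstport"])

    def evaluate(self, pkt: Dict[str, str]) -> Tuple[str, str]:
        k = self.key(pkt)
        if k in self.states:
            return "pass", "matched existing state entry"
        if flags_match(pkt["tcpflags"], self.rule_flags):
            self.states.add(k)
            return "pass", f"flags {pkt['tcpflags']} match {self.rule_flags}; state created"
        return "block", (f"no state for {k} and flags {pkt['tcpflags']} cannot "
                         f"create one under 'flags {self.rule_flags}'; default block")


def replay(lines: List[str], rule_flags: str = "S/SA") -> List[str]:
    """Feed log lines through the model in order; return the verdict per line."""
    table = PfStateTable(rule_flags)
    return [table.evaluate(parse_filterlog(line))[0] for line in lines]


if __name__ == "__main__":
    table = PfStateTable("S/SA")
    # Case 1: the PSH/ACK arrives with no state entry, as in the posted log.
    print(table.evaluate(parse_filterlog(POSTED_PA_LINE)))
    # Case 2: the SYN is seen first, so the later PSH/ACK matches the state.
    table = PfStateTable("S/SA")
    print(table.evaluate(parse_filterlog(CONSTRUCTED_SYN_LINE)))
    print(table.evaluate(parse_filterlog(POSTED_PA_LINE)))
```

Running it shows the posted PSH/ACK being blocked on its own and passed once a SYN for the same 4-tuple has created state, which is the situation the log line describes: the block is not a rule mismatch on address or port but a packet arriving mid-connection with no state to match. Real pf also keys state on protocol and interface and tracks sequence windows; the model deliberately leaves that out.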

Hello @Fright,

So it's something wrong with the flags in the IP header, which is why the FW drops it.

I will dig into the depths of that. Thanks for the kick in the right direction! :)


Cheers

FB