Topic: Rule: Allow all from Interface net, Always blocked by "Default deny /state..." (Read 1066 times)
Fred Krokant (Newbie, Posts: 2, Karma: 0)
Posted on: July 29, 2023, 09:26:27 pm
Hi,
I've got a real brain cracker here.
I've got a client on the "Services" VLAN (30) with IP 10.0.30.5 which tries to send traffic to its gateway on the OPNsense router/FW. The gateway interface of Services with the same name has IP 10.0.30.1.
I've set a rule on that interface (Services):
PASS / IN direction / TCP/IP IPv4+IPv6 / any protocol / source: Services net / destination and port: Any
So that should suffice. It is the only rule set.
But traffic, whether to the gateway or even outside (to 8.8.8. gets blocked by the firewall on the rule "Default deny / state violation rule", which is an "automatically generated rule" that is set as last match.
So it seems that for some reason my custom "PASS" rule does not get matched, and I do not see why.
Even more, I have another VLAN called "Trusted" (other tag, other subnet and gateway of course) that has the same firewall settings, so the same sort of rule, and traffic from that VLAN / subnet client does not get blocked.
I've attached the necessary screenshots. Please, does anyone have a clue? Does anyone see "the elephant in the room"?
Thanks in advance,
Fred
chemlud (Hero Member, Posts: 2485, Karma: 112)
Reply #1 on: July 29, 2023, 09:47:26 pm
Real or virtual? Misconfig on the VLAN switch?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
Felix Eichhorn's premium cat food with the extra portion of energy
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
Fred Krokant (Newbie, Posts: 2, Karma: 0)
Reply #2 on: July 29, 2023, 10:09:35 pm
Hi,
The OPNsense is on a Protectli appliance. It's connected to a trunk port on the switch.
The switch is a Juniper EX device and is set up properly; I have many VLANs defined. They all work as intended.
Traffic on VLAN 30 is arriving through the trunk at the firewall but gets blocked.
If I had an issue on my switch or on the clients, I would not even see anything in the live view of the log files of the OPNsense FW.
And just to be sure, I also tried extending VLAN 30 to my wireless network (UniFi controller and access points), which is OK, but there too I see traffic denied on my firewall, coming from my smartphone (10.0.30.200) connected to the Services SSID and Services VLAN 30 network...
So it must be something on the firewall.
VLAN 10 (Trusted) is working fine, no blockage; traffic arrives and also gets out via the NAT to the internet... Same settings on interface Trusted as on interface Services on OPNsense (well, except for the IP of course -> 10.0.10.0/24 vs 10.0.30.0/24).
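The thread turns on one question: which rule actually matched the packets from 10.0.30.0/24, and whether the "Default deny / state violation rule" hits are all inbound on the Services interface where the PASS rule should have applied. The live view answers that per packet; the script below does the same over a saved filter log so the pattern is visible at a glance. It is an added example for this thread, not OPNsense code. The field layout is the filterlog CSV format as I understand it (rulenr, subrulenr, anchor, label, interface, reason, action, direction, IP version, then the IP-header fields, then protocol fields); the log lines, the interface names vlan0.30 and vlan0.10, and the "Allow Trusted net" label are constructed for the example and are assumptions, not captures from the poster's system.

```python
"""Summarise which firewall rule matched each flow in OPNsense filterlog output.

Added example for this thread; it is not OPNsense code. The field layout is
the filterlog CSV format as I understand it (rulenr, subrulenr, anchor, label,
interface, reason, action, direction, IP version, IP-header fields, protocol
fields). Interface names, the pass-rule label and every log line below are
constructed for the example and are assumptions.
"""
import ipaddress
from collections import Counter

DEFAULT_DENY = "Default deny / state violation rule"

# Constructed sample lines, syslog prefix already stripped (assumed layout).
SAMPLE_LOG = f"""\
4,,,{DEFAULT_DENY},vlan0.30,match,block,in,4,0x0,,63,12345,0,DF,6,tcp,60,10.0.30.5,10.0.30.1,51234,443,0,S,1,,65535,,mss
4,,,{DEFAULT_DENY},vlan0.30,match,block,in,4,0x0,,63,12346,0,DF,6,tcp,60,10.0.30.200,8.8.8.8,51235,53,0,S,1,,65535,,mss
87,,,Allow Trusted net,vlan0.10,match,pass,in,4,0x0,,63,12347,0,DF,6,tcp,60,10.0.10.7,8.8.8.8,51236,443,0,S,1,,65535,,mss
4,,,{DEFAULT_DENY},vlan0.30,match,block,in,4,0x0,,63,12348,0,none,17,udp,76,10.0.30.5,10.0.30.1,5353,53,56
"""


def parse_line(line):
    """Parse one filterlog CSV line into a dict of the fields we care about."""
    f = line.split(",")
    rec = {
        "rulenr": f[0], "label": f[3], "interface": f[4], "reason": f[5],
        "action": f[6], "dir": f[7], "ipver": f[8],
    }
    if rec["ipver"] == "4":
        # IPv4 block: tos, ecn, ttl, id, offset, flags, protoid, protoname, length, src, dst
        rec["proto"], rec["src"], rec["dst"] = f[16], f[18], f[19]
        nxt = 20
    elif rec["ipver"] == "6":
        # IPv6 block: class, flowlabel, hlim, protoname, protoid, length, src, dst
        rec["proto"], rec["src"], rec["dst"] = f[12], f[15], f[16]
        nxt = 17
    else:
        return rec
    if rec["proto"] in ("tcp", "udp"):
        rec["sport"], rec["dport"] = int(f[nxt]), int(f[nxt + 1])
    return rec


def parse_log(text):
    """Parse every non-empty line of a filterlog extract."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def blocks_by_rule(records):
    """Count blocked packets per (interface, rule label)."""
    return Counter((r["interface"], r["label"])
                   for r in records if r["action"] == "block")


def should_have_passed(records, interface, source_net):
    """Blocked inbound flows on `interface` whose source lies in `source_net`.

    A 'pass in from <source_net> to any' rule on that interface is expected to
    match these, so every record returned is a packet the pass rule did not
    catch: wrong interface assignment, rule not active, or a state violation.
    """
    net = ipaddress.ip_network(source_net)
    return [r for r in records
            if r["interface"] == interface and r["action"] == "block"
            and r["dir"] == "in" and ipaddress.ip_address(r["src"]) in net]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (ifname, label), n in blocks_by_rule(recs).items():
        print(f"{ifname}: {n} packet(s) blocked by '{label}'")
    for r in should_have_passed(recs, "vlan0.30", "10.0.30.0/24"):
        print(f"unexpected block: {r['proto']} {r['src']}:{r.get('sport')} "
              f"-> {r['dst']}:{r.get('dport')}")
```

Run it against the real log extract instead of SAMPLE_LOG and compare the Services and Trusted interfaces side by side: if every 10.0.30.0/24 packet is logged on an interface name other than the one the PASS rule is bound to, the rule is on the wrong interface; if the interface is right but the entries still cite the default deny rule, look at the state side (asymmetric path or out-of-window TCP) rather than the rule itself.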