Legit traffic blocking on one device, BUG? [CLOSED]

Started by ginky, August 06, 2023, 12:57:01 PM

Hi,

I have a strange problem.

My network setup:

OPNsense router with virtual LAN bridge -> Mikrotik WiFi point -> Device1 and Device2 connected over WiFi

Local subnets are different on both routers

Problem:
When I open YouTube on Device1 everything works fine. When I open YouTube on Device2 I get long loading times and many blocking events on OPNsense with the label "Default deny / state violation rule":

LAN_BRIDGE      2023-08-06T13:17:56   10.0.0.4:41400   52.28.78.142:443   tcp   Default deny / state violation rule

10.0.0.4 is the local IP address of the Mikrotik WiFi point.

All rules are default, there are no separate rules for Device1 and Device2.

How can it be possible?

How do you have your bridge configured?  Did you set the tunables for it?

I'm not familiar with Mikrotik APs but how do you have it configured?  Is it performing any services or routing?

August 06, 2023, 08:04:47 PM #2 Last Edit: August 06, 2023, 08:19:39 PM by ginky
Quote: How do you have your bridge configured?  Did you set the tunables for it?

Configured as in this manual: https://docs.opnsense.org/manual/how-tos/lan_bridge.html
net.link.bridge.pfil_member set to 0
net.link.bridge.pfil_bridge set to 1

I have other clients in that bridge and they don't have any blocking events.

The problem is only with traffic from one client on the Mikrotik.

The Mikrotik has the default configuration too: DHCP on WAN, LAN bridge and that's all.

Two clients are connected over 5 GHz WiFi to the Mikrotik: my iPhone and a TV.
On the iPhone YouTube opens fast, no blocking events in OPNsense (I'm sure that traffic goes through WiFi).
On the TV YouTube opens slowly, with many blocking events in OPNsense (I have two default pass rules on the LAN bridge, but they work only partially for TV traffic).

I can't see what the difference is between packets from the TV and the iPhone, because for the OPNsense router only the Mikrotik exists.


Are the two allow rules the only ones on LAN_BRIDGE?  Do you have any floating rules?

What happens if you enable logging for the allow rules?  Also, are you currently seeing any other entries on LAN_BRIDGE other than the blocks?

It looks like you're double-NATed with the Mikrotik.  Is there a reason it's configured like that instead of just as an AP?

Have you tried getting a packet capture of the two scenarios?  One with the iphone working and one with the tv having trouble.

August 08, 2023, 10:41:25 AM #5 Last Edit: August 08, 2023, 10:56:03 AM by ginky
Quote: Have you tried getting a packet capture of the two scenarios?  One with the iphone working and one with the tv having trouble.

It helped! Thank you.

All blocked packets have the same pattern: TCP flags PA (PUSH, ACK). They are "out of state" packets.
Normally the first packet must be a SYN to open a new state.

After being turned off, the TV just pauses/hibernates its sockets. So when I turn the TV on after some time, the sockets wake up as usual. But OPNsense had erased the old states. It sees new PUSH,ACK packets and blocks them as out of state.

The same topic here: https://forum.opnsense.org/index.php?topic=20219.0
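The mechanism described in the last post, as an added example that is not part of the thread and not OPNsense or pf code: a toy state table that replays constructed packets and shows why a PSH/ACK with no live state lands on the default deny while the same segment on a freshly opened connection passes. The addresses and ports are the ones from the logged entry in the thread; the timestamps, the second "iPhone" port and the 120-second idle timeout are assumptions for illustration. Real pf keeps established TCP states far longer than that by default, so in practice the state disappears for some other reason (the connection idling past the relevant timeout, a reboot, a state flush); the thread does not say which, and the model's timeout simply stands in for whatever removed it.

```python
"""Toy model of a stateful firewall's TCP state table.

Added example (not from the thread, OPNsense or pf): replays constructed
packets through a simplified pf-like state table to show why a PSH/ACK
arriving with no live state is logged as a state violation, while the
same packet on a freshly-established connection passes. Addresses and
ports come from the log line in the thread; timestamps, the second client
port and the idle timeout are made up for illustration.
"""
from dataclasses import dataclass

SYN, ACK, PSH = 0x02, 0x10, 0x08


@dataclass(frozen=True)
class Packet:
    t: float        # arrival time in seconds (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def flags_str(flags: int) -> str:
    """tcpdump-style flag letters: 'S' for SYN, 'P' for PSH, '.' for ACK."""
    s = ""
    if flags & SYN:
        s += "S"
    if flags & PSH:
        s += "P"
    if flags & ACK:
        s += "."
    return s or "none"


def simulate(packets, state_timeout=120.0):
    """Return one verdict string per packet.

    Simplified rules (real pf has more connection phases and much longer
    per-phase timeouts):
      * a packet matching a live state in either direction passes and
        refreshes the state's last-seen time
      * a bare SYN (SYN set, ACK clear) with no state creates one and passes
      * anything else with no state hits the default deny
      * states idle for longer than `state_timeout` seconds are dropped
    """
    states = {}  # (src, sport, dst, dport) -> last-seen time
    verdicts = []
    for p in packets:
        # Expire idle states before evaluating this packet.
        for key in [k for k, seen in states.items() if p.t - seen > state_timeout]:
            del states[key]
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in states:
            states[fwd] = p.t
            verdicts.append("pass (existing state)")
        elif rev in states:
            states[rev] = p.t
            verdicts.append("pass (existing state, reply direction)")
        elif p.flags & SYN and not p.flags & ACK:
            states[fwd] = p.t
            verdicts.append("pass (new state)")
        else:
            verdicts.append("block: Default deny / state violation rule")
    return verdicts


AP = "10.0.0.4"           # what OPNsense sees for every client behind the Mikrotik
YOUTUBE = "52.28.78.142"  # destination from the blocked entry in the thread


def handshake(sport, t0=0.0):
    """Three-way handshake plus first data segment; client side is the AP."""
    return [
        Packet(t0 + 0.00, AP, sport, YOUTUBE, 443, SYN),
        Packet(t0 + 0.02, YOUTUBE, 443, AP, sport, SYN | ACK),
        Packet(t0 + 0.04, AP, sport, YOUTUBE, 443, ACK),
        Packet(t0 + 0.05, AP, sport, YOUTUBE, 443, PSH | ACK),
    ]


# iPhone: opens a fresh connection every time, so every packet has a state.
IPHONE = handshake(41300)   # 41300 is an assumed port

# TV: same connection, then standby for an hour, then it resumes the old
# socket with a PSH/ACK. By then the firewall has dropped the state.
TV = handshake(41400) + [Packet(3600.0, AP, 41400, YOUTUBE, 443, PSH | ACK)]


if __name__ == "__main__":
    for name, flow in (("iPhone", IPHONE), ("TV", TV)):
        for p, v in zip(flow, simulate(flow)):
            print(f"{name:6} t={p.t:8.2f} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
                  f"[{flags_str(p.flags)}] {v}")
```

Running the block prints one verdict per packet; only the TV's final PSH/ACK at t=3600 is blocked, and raising `state_timeout` above the idle gap makes it pass again, which is the whole story of the thread. To confirm the same pattern on a real OPNsense box without reading the firewall log, a capture on the bridge interface filtered for PSH/ACK segments without SYN from the AP address (`tcp[tcpflags] & (tcp-syn|tcp-push|tcp-ack) == (tcp-push|tcp-ack)` in tcpdump's filter syntax, combined with `src host 10.0.0.4`) shows exactly the packets that the default deny will catch once no state matches them.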