Outbound Traffic Fails Without Allow-In Rule

Started by lostnoob, January 29, 2025, 06:50:58 AM

Hello everyone,

I'm fairly new to OPNsense, so please bear with me if I'm missing something obvious. I'm experiencing an issue with Stateful Packet Inspection (SPI) that I don't quite understand. As far as I know, SPI should automatically allow return traffic for outbound connections, but in my case, it doesn't seem to be working.

My Setup:
ISP Router: 192.168.1.1
OPNsense WAN: 192.168.1.10 (placed in ISP router's DMZ)
OPNsense handles all internal routing and firewall rules.
The Issue:
Outbound connections work only if I have both an "Allow Any Any" Outbound Rule and an "Allow Any Any" Inbound Rule on the interface.
If I remove the inbound rule, all traffic stops, even though SPI should allow return traffic for established connections.
This happens on all interfaces, not just a specific one.
However, OPNsense itself can reach the internet (e.g., downloading plugins works).
What I've Tried:
Checked Firewall Optimization Settings: Set to "Normal."
Firewall Logs: Traffic gets blocked when the inbound rule is removed.
NAT Settings: Outbound NAT is set to Automatic.
Gateway Configuration: WAN gateway is correctly assigned.
Tested on Different Interfaces: Same issue everywhere.
I expected SPI to handle return traffic without requiring an explicit inbound rule. Since I'm still new to OPNsense, I might be overlooking something basic. Any help or guidance would be greatly appreciated!

Thanks in advance!

In the settings for your WAN interface, uncheck "Block private networks" and "Block bogon networks"?

January 30, 2025, 05:21:06 AM #2 Last Edit: January 30, 2025, 05:25:57 AM by lostnoob
I forgot to mention that I already turned it off, but it still doesn't work :(

and thanks for your quick reply 😀

What is your OPNsense LAN IP range? Your ISP router is using OPNsense's default on the WAN side.
Deciso DEC697
+crowdsec +wireguard

January 30, 2025, 06:57:20 AM #4 Last Edit: January 30, 2025, 07:00:25 AM by lostnoob
My OPNsense LAN is 10.10.10.1

When I see inbound/outbound semantics being used, I wonder if you are looking at it from the perspective of your network.
I.e. outbound from LAN to WAN, inbound from WAN to LAN.

Directions in FW rules are from the perspective of the FW itself.
So LAN -> WAN is in on LAN then out on WAN (both allowed by default on the default WAN and LAN interfaces).
WAN -> LAN is in on WAN then out on LAN.

Maybe you can screenshot the rules to make sure...
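As an added illustration of the direction semantics described in the post above (example code written for this thread, not from the poster or from OPNsense): a toy stateful filter in Python that evaluates rules from the firewall's own point of view. It assumes a single global state table, ignores NAT, and uses an assumed simplified rule set in which the default LAN rule is "pass in on LAN" and outgoing traffic is passed on every interface; the addresses are constructed.

```python
class StatefulFirewall:
    """Toy packet filter: rules are (direction, interface, action), first match wins,
    default deny. Simplified model, not OPNsense's actual pf ruleset."""

    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # flows already allowed: (src, sport, dst, dport)

    def filter(self, direction, iface, pkt):
        src, sport, dst, dport = pkt
        # SPI: a packet of an existing flow passes in both directions without
        # consulting the rules, so replies never need their own "in on WAN" rule.
        if pkt in self.states or (dst, dport, src, sport) in self.states:
            return "pass (state)"
        for d, i, action in self.rules:
            if d == direction and i == iface:
                if action == "pass":
                    self.states.add(pkt)
                return action
        return "block"  # implicit default deny

def trace_lan_to_wan(rules):
    """Walk one LAN -> WAN connection and its reply through the filter and return
    the verdicts in the order the firewall sees the packets (stops at first block)."""
    fw = StatefulFirewall(rules)
    request = ("10.10.10.50", 51000, "203.0.113.7", 443)  # constructed: LAN host -> internet
    reply = ("203.0.113.7", 443, "10.10.10.50", 51000)    # constructed: internet -> LAN host
    steps = [
        ("in", "lan", request),   # LAN -> WAN enters the firewall on LAN ...
        ("out", "wan", request),  # ... and leaves it on WAN
        ("in", "wan", reply),     # the reply enters on WAN ...
        ("out", "lan", reply),    # ... and leaves on LAN
    ]
    verdicts = []
    for direction, iface, pkt in steps:
        v = fw.filter(direction, iface, pkt)
        verdicts.append(f"{direction} on {iface}: {v}")
        if v == "block":
            break
    return verdicts

# Assumed defaults: "pass in on LAN" plus outgoing traffic passed on every interface.
DEFAULT_RULES = [("in", "lan", "pass"), ("out", "wan", "pass"), ("out", "lan", "pass")]
# The "inbound rule" the poster removed is this "in on LAN" rule, not a WAN rule.
WITHOUT_LAN_IN = [("out", "wan", "pass"), ("out", "lan", "pass")]

if __name__ == "__main__":
    print(trace_lan_to_wan(DEFAULT_RULES))   # reply passes with no "in on wan" rule at all
    print(trace_lan_to_wan(WITHOUT_LAN_IN))  # ['in on lan: block']
```

Note that DEFAULT_RULES contains no "in on wan" rule, yet the reply passes on state; removing the "in on lan" rule blocks the very first packet, which matches the symptom in the opening post.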