[SOLVED] Continually locked out from WAN interface

[sens_ible]

I am continuously facing the problem that I am locked out from the WAN interface. After some analysis I found that only TCP:S passes through the firewall, all other TCP packets with other flags set will be blocked, have a look at the screenshot.

I tried some of the TCP flag settings, "any flag", ticking some flags, but without result. No matter what I do, only TCP:S passes.

I also clicked the green arrow in the log to add an "easy rule" to let the blocked TCP packets pass. Rules were added, however, they do not seem to have any effect.

I am using OPNsense-17.7-OpenSSL-nano-i386.img, fresh install.

What can I do for further analysis?

[franco]

Do you have a case of asymmetric routing? The only way to prevent state tracking from killing partial connections is to disable state tracking in the pass rule, but you may want to lock that rule with an IP or something... "pass" all by itself is not enough.


Cheers,
Franco

[sens_ible]

Well, as far as I can say I do not think so. My IP address is 192.168.99.102, the address of OPNsense is 192.168.99.100. Hence, we are in the same subnet and according to the routing table, an entry exists for the local network on link #1 which is the LAN interface.

Furthermore, I have two firewall rules on the WAN interface, one for incoming traffic and one for outgoing traffic. For the outgoing traffic source I have also tried "This firewall" instead of WAN address, however, it did not make a difference.

In my despair I have allowed almost everything on the WAN interface, however, the TCP packets are still being blocked. I have also disabled blocking of private and bogon addresses.

Anyway, the TCP-S packets pass, only the following TCP-A, TCP-R .... packets are blocked. So I do not think, it is a routing problem.

Also, I can connect to OPNsense when I disable the firewall rules via the serial console. This is another hint that the problem has to do with the rules and not the routing.

The only way to prevent state tracking from killing partial connections is to disable state tracking in the pass rule, but you may want to lock that rule with an IP or something... "pass" all by itself is not enough.

Can you tell me more about this option? However I think it is difficult to lock the rule with an IP, because when I am traveling and use my laptop, I will not have a static address to lock on. I have to rely on a reliable remote access to my appliances.

[sens_ible]

Well, finally I found the reason.

In my testing environment, the WAN interface receives its configuration via DHCP. This includes the automatic setting of a gateway for the WAN interface and the gateway can not be disabled.

Hence, OPNsense will automatically use the "reply-to" option per default for the WAN interface. The bad thing is, you can not see this on the GUI, not in the routing table and not in the rule table.

However, you can solve the problem by disabling the "reply-to" option manually in the firewall rule(s) for your interface, in my case the WAN interface. Et voila. It works.