Topic: SOLVED: OPNSense blocks internal LAN to LAN traffic (Read 6797 times)
andbaum (Newbie, Posts: 14, Karma: 2)
SOLVED: OPNSense blocks internal LAN to LAN traffic
« on: February 03, 2019, 06:12:16 pm »
In my firewall logs, I often see blocked packets going from an internal LAN device to another internal LAN device.
My questions:
1) Why does OPNsense see those packets? They should be switched and never meet the firewall?!?
2) I wrote a "SRC: LAN_NET DST: LAN_NET allow any" rule, but I didn't change the logging behavior.
Within the LAN everything seems to work.
Can you give me some feedback?
Yours,
Andreas
« Last Edit: February 04, 2019, 02:43:54 pm by andbaum »
rabievdm (Newbie, Posts: 30, Karma: 2)
Re: OPNSense blocks internal LAN to LAN traffic
« Reply #1 on: February 04, 2019, 02:04:38 pm »
Hi,
Going to have to guess here, but...
WRT why is the firewall seeing it:
-) I'm going to assume you don't have some odd subnetting issue on your 10.0.0.10 server which is trying to route everything back to the clients.
-) From the info I see that the TCP Flags RA is set, see the following:
https://forum.opnsense.org/index.php?topic=4622.0
This suggests that either the firewall is seeing asymmetric traffic or was restarted. Seeing as both devices are internal, I'm again leaning towards somehow you're only seeing part of the conversation? Do you know if this might be a custom solution? Or somehow broadcasts (although it being TCP and looking at the port numbers I would be less inclined to go with that argument).
andbaum (Newbie, Posts: 14, Karma: 2)
Re: OPNSense blocks internal LAN to LAN traffic
« Reply #2 on: February 04, 2019, 02:30:13 pm »
Thanks for your comment.
Actually I was able to get rid of the log entries as I set the state tracking for my "LAN to LAN allow any rule" to none.
But I still wonder, why my firewall (= gateway with 10.0.0.1) sees switched (Netgear ProSafe) traffic between internal LAN devices?
(The 10.0.0.10 server was only in this example, I randomly see other internal IPs being blocked to each other).
andbaum (Newbie, Posts: 14, Karma: 2)
SOLVED: OPNSense blocks internal LAN to LAN traffic
« Reply #3 on: February 04, 2019, 02:43:42 pm »
Shame on me...
I solved it. 483 days uptime on the switch -> after a reboot of the switch, the FW doesn't see any local to local packets any more...
Yours, Andreas
rabievdm (Newbie, Posts: 30, Karma: 2)
Re: SOLVED: OPNSense blocks internal LAN to LAN traffic
« Reply #4 on: February 04, 2019, 06:15:55 pm »
Hahahaha, glad you solved it.
Although maybe time for some fresh firmware on the switch or as much as I hate the practice ... a reboot schedule
franco (Administrator, Hero Member, Posts: 17665, Karma: 1611)
Re: SOLVED: OPNSense blocks internal LAN to LAN traffic
« Reply #5 on: February 05, 2019, 09:21:37 am »
Arcane fix, but not unheard of. Sounds like the MAC table was full and the switch was broadcasting on all ports throwing off the state tracking or even triggering the spoof detection.
Cheers,
Franco
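The symptom the thread describes, as an added example that is not from the thread or the OPNsense project: a small filter over filterlog lines that picks out blocked TCP packets with both ends inside the LAN subnet (traffic a healthy switch should never deliver to the firewall) and reports sources whose stray RST/ACK ("RA") packets reach several LAN peers, the pattern a flooding switch with a full MAC table produces. The LAN subnet, the CSV field positions (FreeBSD filterlog layout for IPv4/TCP) and the sample log lines are assumptions constructed for this example; check the positions against your own filter log.

```python
import csv
import ipaddress

LAN_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed LAN subnet for this example

# Assumed field positions in the filterlog CSV (IPv4 + TCP record);
# verify against your own /var/log/filter.log before relying on them.
IDX = {"iface": 4, "action": 6, "dir": 7, "ipver": 8, "proto": 16,
       "src": 18, "dst": 19, "tcpflags": 23}

# Constructed sample lines (not real logs): two LAN-to-LAN RST/ACK packets the
# firewall should never have seen, and one ordinary LAN-to-Internet SYN.
SAMPLE_LOG = """\
5,,,1000000103,em1,match,block,in,4,0x0,,64,1001,0,DF,6,tcp,40,10.0.0.10,10.0.0.25,445,51234,0,RA,0,0,0,,
5,,,1000000103,em1,match,block,in,4,0x0,,64,1002,0,DF,6,tcp,40,10.0.0.10,10.0.0.31,445,51250,0,RA,0,0,0,,
5,,,1000000103,em1,match,block,in,4,0x0,,64,1003,0,DF,6,tcp,40,10.0.0.25,203.0.113.5,51300,443,0,S,0,0,0,,
"""

def parse_line(line):
    """Return the fields we care about for an IPv4 TCP record, else None."""
    f = next(csv.reader([line]))
    if f[IDX["ipver"]] != "4" or f[IDX["proto"]] != "tcp":
        return None
    return {"iface": f[IDX["iface"]], "action": f[IDX["action"]],
            "src": ipaddress.ip_address(f[IDX["src"]]),
            "dst": ipaddress.ip_address(f[IDX["dst"]]),
            "flags": f[IDX["tcpflags"]]}

def lan_to_lan_blocks(log_text):
    """Blocked TCP packets with both source and destination inside LAN_NET."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "block" and rec["src"] in LAN_NET and rec["dst"] in LAN_NET:
            hits.append(rec)
    return hits

def flooding_suspects(hits, min_peers=2):
    """Sources whose out-of-state RST/ACK packets reach at least min_peers LAN hosts:
    the firewall is seeing unicast traffic the switch should have delivered directly."""
    peers = {}
    for h in hits:
        if "R" in h["flags"]:
            peers.setdefault(str(h["src"]), set()).add(str(h["dst"]))
    return {src: sorted(dsts) for src, dsts in peers.items() if len(dsts) >= min_peers}
```

A match here points at the switch (MAC table, firmware, uptime) rather than at the firewall rules, which is where this thread ended up.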