Author Topic: How to edit the notorious "Default deny rule" (Read 14719 times)

Antaris · « **on:** February 13, 2019, 10:00:23 pm »

Hi felas,

i have a problem behind several routers with accessing Dahua DVR/NVRs by serial number (Dahua's DDNS).
Edited Firewall>>LAN>>Advanced>>State>>State Type to 'none' and the default deny rule still kicks in

Any clue?

p.s. it's all about asymmetrical routing. Is there a way to allow it for sure?

CloudHoppingFlowerChild · « **Reply #1 on:** February 16, 2019, 11:00:16 pm »

First, "Firewall>>LAN>>Advanced>>State>>" doesn't seem to correspond to the menus that exist in OPNsense 19.1

Second, the default deny is the fundamental function of every firewall in existence. You must make rules to allow traffic.

Antaris · « **Reply #2 on:** February 18, 2019, 09:33:53 am »

After disable state tracking in numerous places, now Default deny rule changed from rulenr 6 to rulenr 8. Still no-go. What is rulenr 8?

chemlud · « **Reply #3 on:** February 18, 2019, 10:05:46 am »

I don't really understand what you want with the default deny rule, turn it off? That can be achieved, but your problem is in your word asymmetrical routing.

Antaris · « **Reply #4 on:** February 18, 2019, 06:08:00 pm »

Quote from: chemlud on February 18, 2019, 10:05:46 am

...your problem is in your word asymmetrical routing.

That's exactly i want to allow. We build many Dahua surveillance systems and connect them to a SmartPSS on a PC in our shop(behind the OPNsense) by a serial number with corresponding user and password. When the SmartPSS tryes to connect, it sends request to Dahua P2P servers, then Dahua P2P servers contact the corresponding NVR/DVR, which is registers in Dahua servers via UPnP on random ports behind their router, and corresponding NVR/DVR tryes to connect to SmartPSS, but can't because of "Default deny rule"
With simple router and with IPFire that works out of the box.

amichel · « **Reply #5 on:** February 18, 2019, 06:45:02 pm »

Hi,
did you try to install the upnp (os-upnp ) package? This might assist you in dynamically open ports per upnp.

amichel

Antaris · « **Reply #6 on:** February 18, 2019, 10:18:53 pm »

All of the routers that are in front of the NVR/DVRs are with enabled UPnP and i have no problem to access them from anywhere else. The problem is when i try to access them when i am behind OPNsense firewall. If i am behind plastic router or mobile network or even IPFire i have no problem. Default deny rule - rulenr 6 or rulenr 8

jafinn · « **Reply #7 on:** February 19, 2019, 01:18:59 pm »

Just add a rule allowing all traffic? Firewall rules are executed on first match so then the deny rule shouldn't matter.

Antaris · « **Reply #8 on:** April 23, 2019, 08:32:35 pm »

The problem still persists when we have a Dahua DVR behind OPNsense router and we try to access it from internet. UPnP is enabled. This time "rulenr" is 15.
Where we can find a complete list with explanations of each rule number that falls in the group "Default Deny Rule"?

chemlud · « **Reply #9 on:** April 24, 2019, 09:04:57 am »

RE rule no. see here:

https://forum.opnsense.org/index.php?topic=10763.msg49741#msg49741

Author Topic: How to edit the notorious "Default deny rule" (Read 14719 times)

Antaris

How to edit the notorious "Default deny rule"

CloudHoppingFlowerChild

Re: How to edit the notorious "Default deny rule"

Antaris

Re: How to edit the notorious "Default deny rule"

chemlud

Re: How to edit the notorious "Default deny rule"

Antaris

Re: How to edit the notorious "Default deny rule"

amichel

Re: How to edit the notorious "Default deny rule"

Antaris

Re: How to edit the notorious "Default deny rule"

jafinn

Re: How to edit the notorious "Default deny rule"

Antaris

Re: How to edit the notorious "Default deny rule"

chemlud

Re: How to edit the notorious "Default deny rule"