Topic: Firewall Assistance - Pass sometimes, not always (Read 2846 times)
finish06 (Newbie, Posts: 6, Karma: 0)
Firewall Assistance - Pass sometimes, not always, on: March 08, 2019, 03:22:42 pm
What would cause the below issue? Ports on the firewall are set to '*'.
Thanks!
franco (Administrator, Hero Member, Posts: 17661, Karma: 1611)
Re: Firewall Assistance - Pass sometimes, not always, Reply #1 on: March 08, 2019, 03:24:26 pm
Asymmetric routing or faulty switching. The default deny rule will block connections that don't have a correct TCP state so it doesn't see all packets belonging to the connection.
There are a number of threads in this forum about it, look for "default deny" and "state tracking disable".
Cheers,
Franco
finish06 (Newbie, Posts: 6, Karma: 0)
Re: Firewall Assistance - Pass sometimes, not always, Reply #2 on: March 08, 2019, 04:04:58 pm
Thank you for the prompt reply! I struggled to search for anything meaningful. I think it is asymmetrical routing. While I am not sure what that is exactly, changing the state type to none fixed the issue. I found the information on this forum:
https://forum.opnsense.org/index.php?topic=9136.msg40997#msg40997
franco (Administrator, Hero Member, Posts: 17661, Karma: 1611)
Re: Firewall Assistance - Pass sometimes, not always, Reply #3 on: March 08, 2019, 04:41:01 pm
It would mean packets (usually one direction, sometimes more fuzzy than this) find another way to the OPNsense than the assigned network port where they are supposed to appear and "confuse" the state tracking, causing it to invalidate the connection because the TCP is not well-formed.
From an end user perspective this doesn't matter, from a network design and security standpoint that can pose problems. Sometimes it can be a switch that is flooding due to full MAC tables.
Cheers,
Franco
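The behaviour Franco describes in replies #1 and #3, and the "state type none" workaround from reply #2, can be seen in a small model. The following is an added illustration written for this thread; it is not OPNsense or pf code, and the state machine is deliberately simplified (real pf tracks sequence numbers and window sizes as well). The addresses and ports are constructed sample values.

```python
"""Toy model of a stateful firewall rule under asymmetric routing.

Added illustration, not OPNsense/pf code. Shows why a "pass, keep state"
rule drops part of a TCP connection when the return path bypasses the
firewall, why a rule with state type "none" passes it, and what check is
given up in exchange.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def conn_key(pkt: Packet) -> FrozenSet[Tuple[str, int]]:
    """Direction-independent key so both halves of a flow share one state entry."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


class StatefulFilter:
    """Simplified state table for a rule that passes and keeps state.

    A flow must be seen as SYN -> SYN/ACK before plain ACK or data packets are
    accepted; anything without a well-formed state hits the default deny.
    """

    def __init__(self) -> None:
        self.states: Dict[FrozenSet[Tuple[str, int]], str] = {}

    def decide(self, pkt: Packet) -> str:
        key = conn_key(pkt)
        state = self.states.get(key)
        if pkt.flags == frozenset({"SYN"}):
            self.states[key] = "SYN_SENT"  # rule matched, state created
            return "pass"
        if state == "SYN_SENT" and pkt.flags == frozenset({"SYN", "ACK"}):
            self.states[key] = "ESTABLISHED"  # handshake seen in both directions
            return "pass"
        if state == "ESTABLISHED" and "ACK" in pkt.flags:
            return "pass"
        return "block"  # no well-formed state for this packet: default deny


class StatelessFilter:
    """The rule with state type "none": match on port only, remember nothing."""

    def __init__(self, allowed_dport: Optional[int] = None) -> None:
        self.allowed_dport = allowed_dport  # None models a port of '*'

    def decide(self, pkt: Packet) -> str:
        if self.allowed_dport is None or pkt.dport == self.allowed_dport:
            return "pass"
        return "block"


# Constructed sample flow: client 10.0.1.20 -> server 10.0.2.5, port 443.
CLIENT, SERVER = "10.0.1.20", "10.0.2.5"
SYN = Packet(CLIENT, 40000, SERVER, 443, frozenset({"SYN"}))
SYN_ACK = Packet(SERVER, 443, CLIENT, 40000, frozenset({"SYN", "ACK"}))
ACK = Packet(CLIENT, 40000, SERVER, 443, frozenset({"ACK"}))
DATA = Packet(CLIENT, 40000, SERVER, 443, frozenset({"ACK", "PSH"}))
# Constructed packet that never belonged to a handshake the firewall saw.
STRAY = Packet("192.0.2.77", 51000, SERVER, 443, frozenset({"ACK"}))


def symmetric_path() -> List[Tuple[Packet, bool]]:
    """Every packet of the handshake crosses the firewall."""
    return [(SYN, True), (SYN_ACK, True), (ACK, True), (DATA, True)]


def asymmetric_path() -> List[Tuple[Packet, bool]]:
    """The server's SYN/ACK returns over another path and bypasses the firewall."""
    return [(SYN, True), (SYN_ACK, False), (ACK, True), (DATA, True)]


def verdicts(fw, path: List[Tuple[Packet, bool]]) -> List[str]:
    """Feed only the packets that actually traverse the firewall to it."""
    return [fw.decide(pkt) for pkt, crosses in path if crosses]


if __name__ == "__main__":
    print("stateful, symmetric   :", verdicts(StatefulFilter(), symmetric_path()))
    print("stateful, asymmetric  :", verdicts(StatefulFilter(), asymmetric_path()))
    print("state none, asymmetric:", verdicts(StatelessFilter(), asymmetric_path()))
    print("stray ACK (stateful / state none):",
          StatefulFilter().decide(STRAY), StatelessFilter().decide(STRAY))
```

With the symmetric path every packet passes; with the SYN/ACK bypassing the firewall, the client's ACK and data arrive against a state stuck in SYN_SENT and are dropped, which is the intermittent "pass sometimes" symptom. Switching the rule to state type none makes the same packets pass, but the stray ACK shows the trade: the firewall no longer verifies that a packet belongs to a handshake it witnessed, which is the network design and security concern raised in reply #3. Fixing the routing or switching so both directions cross the same interface keeps the state check.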