[Solved] Default deny rule

Started by fruit, August 07, 2019, 02:33:43 PM

August 07, 2019, 02:33:43 PM Last Edit: August 22, 2019, 10:21:41 AM by fruit
I'm fairly new to OPNsense, running since March, but came from m0n0wall through SmallWall.

I have found it reasonably straightforward including IPv6 and I have followed the upgrades within some days of release since installing.  Currently 19.7.2 on HP T610, Intel PRO/1000 quad NIC

The last few days when I have come to send large mails through Claws-Mail I am seeing Default deny rule messages between my desktop and my ISP's server. All was working well for large mails at least until mid June so I suspect changes since 19.1.10, perhaps 19.1.9?

Generally I am seeing this as the file uploads..

WAN      Aug 7 13:17:25   [2001:myDekstop:6d2]:36552   [2001:ISPmail::21]:993 tcp let out anything from firewall host itself

In the past Claws has shown a progress bar as the message is sent, now it stalls with this..

WAN       Aug 7 13:18:31   [2001ISPmail::21]:993   [2001:myDekstop:6d2]:36552    tcp   Default deny rule

Earlier today I had similar Default deny rule but from LAN and src and dest swapped

What has changed and how should I deal with it here? What is triggering the Default deny rule and what controls it?


At the moment I am very tempted to revert to 19.1 but perhaps there is a simple answer.

TIA

fruit
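The pattern in the two log lines above (a flow passed outbound, then its reply hitting the Default deny rule) can be searched for across a longer log; this is an added example, not part of the original post. The function names, the documentation-range addresses in the constructed sample, and the rule that any label other than "Default deny rule" counts as a pass are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample in the column layout shown in the post (interface, time,
# source, destination, protocol, rule label); addresses are documentation-range.
SAMPLE = """\
WAN  Aug 7 13:17:25  [2001:db8:1::6d2]:36552  [2001:db8:2::21]:993  tcp  let out anything from firewall host itself
WAN  Aug 7 13:18:31  [2001:db8:2::21]:993  [2001:db8:1::6d2]:36552  tcp  Default deny rule
LAN  Aug 7 13:19:02  [2001:db8:1::6d2]:40000  [2001:db8:3::5]:443  tcp  let out anything from firewall host itself
WAN  Aug 7 13:19:40  [2001:db8:9::9]:51000  [2001:db8:1::6d2]:22  tcp  Default deny rule
"""

Entry = namedtuple("Entry", "iface time src dst proto label")
LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<time>\w{3}\s+\d+\s+[\d:]+)\s+"
    r"(?P<src>\[[0-9A-Fa-f:]+\]:\d+)\s+(?P<dst>\[[0-9A-Fa-f:]+\]:\d+)\s+"
    r"(?P<proto>\S+)\s+(?P<label>.+?)\s*$"
)

def parse(text):
    """Yield an Entry per recognised line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield Entry(**m.groupdict())

def denied_replies(entries, deny_label="Default deny rule"):
    """Return (pass_entry, deny_entry) pairs where the denied packet is the
    exact reverse flow of an earlier entry with a non-deny label.
    Assumption: every label other than deny_label is a pass rule."""
    passed = {}  # (src, dst, proto) -> first passing entry for that flow
    hits = []
    for e in entries:
        if e.label != deny_label:
            passed.setdefault((e.src, e.dst, e.proto), e)
        elif (e.dst, e.src, e.proto) in passed:
            hits.append((passed[(e.dst, e.src, e.proto)], e))
    return hits

if __name__ == "__main__":
    for ok, deny in denied_replies(parse(SAMPLE)):
        print(f"{deny.time} {deny.iface}: reply {deny.src} -> {deny.dst} denied; "
              f"flow was passed at {ok.time} by '{ok.label}'")
```

Unsolicited inbound blocks (the last sample line) are ignored; only denies that mirror a flow the firewall itself passed earlier are reported.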

Hey fruit, Claws Mail user here. Mostly android client, but still use it sometimes..
I'm not seeing the problems you have, the progress bar is also still there..

As sanity check, are you using app passwords, if so did you also use this for sending?
Check all your 'account preferences', what are the SSL/TLS settings?
Did you create a rule for sending mail SMTPS(465)?
Did you check Claws Log file?
Did you check your online account for some pointers?

I know, a lot of Q., but if you walk through them it may already be solved  ;)

Greetings, mark

Quote from: qinohe on August 07, 2019, 06:51:24 PM
Hey fruit, Claws Mail user here. Mostly android client, but still use it sometimes..
I'm not seeing the problems you have, the progress bar is also still there..

Thanks for the reply.

Are you using IPv6 as this new issue seems to relate to it specifically? For large mails the progress bar now sticks at halfway, at the point that the Default deny rule kicks in and blocks further communication.

Quote
As sanity check, are you using app passwords, if so did you also use this for sending?
Check all your 'account preferences', what are the SSL/TLS settings?

They are all good. I can send ordinary mails OK. I can send mails with 'small' attachments OK but I cannot send one at 6MB or another currently in my Drafts at 11MB.

There are no limits imposed here, my ISP has no message size limit (<2GB). Mid June and a 19.1 series OPNsense (same config) I had no problems sending 16MB

Quote
Did you create a rule for sending mail SMTPS(465)?

This morning I have added rules to allow all traffic to/from my ISP's mail server IPv6 addresses but should I need to? The connection is initiated from my LAN so in/out should be allowed by default?

What seems to be happening is that half way through the sending of a large mail the Default deny rule blocks the traffic - even despite adding the above new rules.

Quote
Did you check Claws Log file?
Did you check your online account for some pointers?

The log looks fine until it times out (set at 1 or 2 or even 15 mins) with
...
[07:10:18] IMAP> [data - 8190 bytes]
[07:10:18] IMAP> [data - 8190 bytes]
[07:10:18] IMAP> [data - 8190 bytes]
** IMAP error on mail.aa.net.uk: stream error
** IMAP connection broken

I have involved my ISP's support (their support is good), they see no issues at their end - that's when I came across this Default deny rule suddenly appearing in OPNsense logs

I think I have it.

I found this post from 2015 https://forum.opnsense.org/index.php?topic=1777.0, very similar issue and even title but I had not looked that far back in time.

Tried the same
Quote
System: Settings: Networking -> Allow IPv6

I found this setting checked, I unchecked it, clicked save. I then rechecked it and clicked save again.

Once I did this, the router stops blocking IPv6 outbound LAN traffic. (problem fixed)

with the same result, I can send large mails again.

I'm puzzled as I have rebooted a few times trying to sort this issue assuming that would clear out stale data.


Yes, that makes sense.
Since I don't use IPv6 myself, I wouldn't have thought of that immediately...
Glad you solved it  8)

Greetings, mark