Default deny rule blocks many IPs

Started by nicholaswc, January 09, 2020, 09:31:30 AM

In the live view of the firewall tab, I found that many IPs have been blocked by the default deny rule. I don't know why the rule blocks IPs which are in another part of my company. I set my IP to be able to access any network, but it still doesn't work.

Screenshots of the FW rules on LAN (and WAN)...? :-)

Traffic from LAN to WAN works ootb with opnsense. Did you change outbound NAT?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Looks like state tracking failures.


Cheers,
Franco

Here is the screen capture of the floating, LAN and WAN rules. It is using the default rules, and I just added a few rules for internal traffic.

Here is the WAN rules screen capture.

Quote from: nicholaswc on January 10, 2020, 05:54:45 AM
Here is the screen capture of the floating, LAN and WAN rules. It is using the default rules, and I just added a few rules for internal traffic.

Hi!

The LAN rules are... eeehh... inconsistent. You allow ANY on LAN twice. Plus additional networks. What is your LAN network? How are these other networks connected to the LAN?
kind regards
chemlud

One rule is for IN and another is for OUT.
1, 2 are for 10.128.8.18 (computer) in/out testing.
3, 4 are for the whole LAN segment.
6, 7 are for the other subnets on the LAN side. Without these 2 rules, these two subnets can't ping any devices in 10.128.8.0/24.

OPNsense is a stateful firewall, i.e. each packet is evaluated on the FIRST interface it is presented to the FW. All incoming on WAN is blocked. All incoming via LAN is allowed (ootb, you can limit that). You don't need an outgoing allow rule on LAN. All response traffic from the WAN for traffic initiated from LAN is allowed, as long as there is a state in the states table.

So don't allow any outgoing on LAN; delete rules 1, 2 and 4. Reboot.

It's still not clear to me, how this "other subnet" is connected to LAN. You can't have any other subnets simply plugged into your LAN switch...
kind regards
chemlud

Thanks for all replies.
I am troubleshooting why many IPs are blocked by the default deny rule, so I added some rules to try to isolate the problem, but it was no use. I just wonder why the default deny rule blocks so many external IPs on port 443 and some internal IPs.
Attached is a simple diagram of the network for your reference.

So the 10.128.8.0/24 is the LAN of the OPNsense (which is router A), correct? What is a "lease line"? Your WAN? Do you have a tunnel (IPsec? openVPN?) between router A and B?

The default deny rule can't block anything "internal" (aka LAN), because the sense simply does not see LAN traffic.

Your external IP blocks are most likely out-of-state traffic. Can you ping / browse from LAN resources on the internet? Your setup is not viable, apparently...
kind regards
chemlud

January 13, 2020, 03:12:30 AM #10 Last Edit: January 13, 2020, 03:14:45 AM by nicholaswc
Yes, 10.128.8.0/24 is the LAN of the OPNsense.
10.128.8.0/24 and 10.10.2.0/24 are connected by an IEPL line. It works like a VLAN; these two subnets can access each other.
From the OPNsense live log, I can see the LAN rule (default deny rule) sometimes denies the traffic from 10.128.8.0/24 to 10.10.2.0/24. Most of this traffic is to port 443.
When a computer uses the OPNsense as gateway, it can be pinged but can't be connected to by remote desktop or VNC anymore; all services (Outlook, VNC, remote desktop etc.) become unstable. I used pfSense before, and the situation was the same.

Here is a sample where OPNsense blocks the VNC service.
I am trying to connect to 10.128.8.18 from 10.128.2.132, but it can't be connected. I can ping 10.128.8.18 from 10.128.2.132.
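Franco's "state tracking failures" and chemlud's point about out-of-state traffic (a stateful firewall evaluates a packet on the first interface it sees it on, and replies only pass while a state exists) can be made concrete with a small model of the situation nicholaswc describes: two subnets joined by a direct IEPL link, with the LAN host using OPNsense as its gateway. The following is an added example, not code from OPNsense, pf, or anyone in this thread. It is a toy pf-style filter with a state table, pass rules standing in for "LAN net to any" plus the extra rules for the other subnet, pf's default TCP `flags S/SA` (a packet can open a new state only if SYN is set and ACK is clear) and a final default deny. Addresses, ports and packet sequences are constructed for the illustration; real pf also checks sequence numbers and windows, which this model omits.

```python
"""Toy model of pf-style stateful filtering, as seen from the OPNsense LAN side.

Added illustration only: not code from OPNsense or from anyone in the thread.
A state table is keyed on the TCP 4-tuple; a pass rule may create a state only
for a packet with SYN set and ACK clear (pf's default 'flags S/SA'); anything
else without a state falls through to the default deny rule.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed to match the thread: "LAN net -> any" plus the rules the poster
# added for the subnet reached over the direct IEPL link.
LAN_RULES = [("10.128.8.", ""), ("10.128.2.", "")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flags spelled as in the live log: "S", "SA", "A", "PA", ...


@dataclass(frozen=True)
class Verdict:
    action: str  # "pass" or "block"
    reason: str


def syn_only(flags: str) -> bool:
    """pf 'flags S/SA': of SYN and ACK, only SYN may be set to open a state."""
    return "S" in flags and "A" not in flags


def blocked_packet_kind(flags: str) -> str:
    """Classify a blocked TCP packet by its flags (usable on live-log entries)."""
    return "new connection (policy)" if syn_only(flags) else "mid-stream (out of state)"


@dataclass
class Firewall:
    pass_rules: List[Tuple[str, str]]
    states: Dict[tuple, bool] = field(default_factory=dict)
    log: List[Tuple[Packet, Verdict]] = field(default_factory=list)

    def _matches_rule(self, pkt: Packet) -> bool:
        return any(pkt.src.startswith(s) and pkt.dst.startswith(d)
                   for s, d in self.pass_rules)

    @staticmethod
    def _state_key(pkt: Packet) -> tuple:
        # Direction-independent key so replies match the state the SYN created.
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a <= b else (b, a)

    def filter(self, pkt: Packet) -> Verdict:
        key = self._state_key(pkt)
        if key in self.states:
            verdict = Verdict("pass", "state")
        elif syn_only(pkt.flags) and self._matches_rule(pkt):
            self.states[key] = True
            verdict = Verdict("pass", "rule")
        else:
            verdict = Verdict("block", "default deny: " + blocked_packet_kind(pkt.flags))
        self.log.append((pkt, verdict))
        return verdict


CLIENT = ("10.128.2.132", 55123)  # host on the far subnet (constructed port)
SERVER = ("10.128.8.18", 5900)    # VNC on the LAN host that uses OPNsense as gateway


def run_symmetric() -> Firewall:
    """Both directions cross the firewall: the SYN opens a state, the rest rides on it."""
    fw = Firewall(LAN_RULES)
    for src, dst, flags in [(CLIENT, SERVER, "S"), (SERVER, CLIENT, "SA"),
                            (CLIENT, SERVER, "A"), (CLIENT, SERVER, "PA"),
                            (SERVER, CLIENT, "PA")]:
        fw.filter(Packet(src[0], dst[0], src[1], dst[1], flags))
    return fw


def run_asymmetric() -> Firewall:
    """The client's SYN reaches the server directly over the IEPL link, so the
    firewall never sees it. The server's replies use the firewall as gateway and
    arrive with no matching state; a SYN-ACK does not satisfy flags S/SA."""
    fw = Firewall(LAN_RULES)
    for flags in ["SA", "SA", "SA"]:  # SYN-ACK and its retransmissions
        fw.filter(Packet(SERVER[0], CLIENT[0], SERVER[1], CLIENT[1], flags))
    return fw


def summarize(fw: Firewall) -> Dict[str, int]:
    """Count verdict reasons, the view you get when grouping the live log by rule."""
    counts: Dict[str, int] = {}
    for _, verdict in fw.log:
        counts[verdict.reason] = counts.get(verdict.reason, 0) + 1
    return counts


if __name__ == "__main__":
    print("symmetric:", summarize(run_symmetric()))
    print("asymmetric:", summarize(run_asymmetric()))
```

The practical check this suggests for the live log: look at the TCP flags column of the entries hit by the default deny rule. Blocked packets with SYN alone are new connections that policy refused; blocked packets carrying SYN+ACK, ACK, PSH or FIN are mid-stream traffic for which the firewall holds no state, which is what you get when only one direction of a conversation passes through it.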