SYN-ACKs disappear unless State Type == none, synproxy
mitchskis (Newbie, Posts: 22, Karma: 1)
SYN-ACKs disappear unless State Type == none, synproxy
on: January 02, 2021, 02:18:56 am
Hello!
I've built a 'transparent' firewall to allow access to all superLAN resources while preventing unexpected traffic to the subLAN clients. This generally works as expected except when trying to allow superLAN clients to subLAN resources.
Creating a firewall rule allowing opt0 80/TCP traffic successfully allows inbound TCP SYN to the server. However, the server's return SYN-ACK simply disappears inside OPNsense.
As a workaround, to prevent the SYN-ACKs from disappearing, the opt0 80/TCP allow rule can have its State Type changed to either 'none' or 'synproxy'. Why does the default 'keep state' setting fail?
Moving the rule from the opt0 interface to the floating tab and leaving the default 'keep state' setting also works as expected.
I'm hoping that the experts here can help me understand why these settings work or don't work. Thanks!
A few config details:
em0 -> opt0
em1 -> opt1
bridge0 (members opt0, opt1) -> bridge0
Firewall rule opt1 allow all.
net.link.bridge.pfil_local_phys == 1
net.link.bridge.pfil_member == 1
net.link.bridge.pfil_bridge == 0
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: SYN-ACKs disappear unless State Type == none, synproxy
Reply #1 on: January 02, 2021, 06:55:07 am
If you create a bridge you had better use only floating rules. Otherwise you have to allow the traffic on both interfaces.
mitchskis (Newbie, Posts: 22, Karma: 1)
Re: SYN-ACKs disappear unless State Type == none, synproxy
Reply #2 on: January 30, 2021, 04:11:10 am
Quote from: mimugmail on January 02, 2021, 06:55:07 am
Otherwise you have to allow the traffic in both interfaces
Indeed, this is why this was a bit of a head-scratcher for me. I thought I had sufficient rules on opt1 to always pass traffic (and I did), but those rules seemed to mess with state on the associated opt0 traffic in a way I don't quite understand.
I changed the opt1 allow-all rule's State Type to none and returned the opt0-specific allow rules to the default state behavior. All works as expected. Thanks for bantering with me to help find more sane rules.
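Added diagnostic helper (this is an editor's example, not code from the thread, from OPNsense or from pf): a small POSIX sh function that reads a `pfctl -ss` state dump and lists, for one TCP server port, which interface holds a state for the flow, in which direction, and how far the handshake got. This is the check to run while reproducing the symptom above, because with net.link.bridge.pfil_member=1 each bridge member is filtered separately, so a rule with the default keep state on either member can create its own entry for the same connection; seeing one entry per member, with the opt0 entry still at SYN_SENT:CLOSED while the opt1 entry has advanced, localises where the SYN-ACK stopped being credited. Assumptions: the dump format is pf's default listing (`iface proto server:port <- client:port  srcstate:dststate` for inbound, `iface proto client:port -> server:port  srcstate:dststate` for outbound; floating states show the interface as `all`); the sample states and RFC 5737 addresses are constructed, not captured from the poster's firewall.

```shell
#!/bin/sh
# Constructed sample of `pfctl -ss` output for one HTTP connection from a
# superLAN client (198.51.100.5) to a subLAN server (192.0.2.10) crossing the
# bridge. Addresses are RFC 5737 documentation ranges, not the poster's network.
# A UDP entry is included so the filter has something to skip.
SAMPLE_STATES='em0 tcp 192.0.2.10:80 <- 198.51.100.5:40112       SYN_SENT:CLOSED
em1 tcp 198.51.100.5:40112 -> 192.0.2.10:80       ESTABLISHED:SYN_SENT
em1 udp 192.0.2.10:53 <- 198.51.100.5:51000       MULTIPLE:SINGLE'

# states_for_port PORT
# Reads a pf state dump on stdin and prints "iface direction srcstate:dststate"
# for every TCP state whose server-side port is PORT. Only plain entries are
# handled; NAT entries of the form "a (b) -> c" are skipped on purpose.
states_for_port() {
    awk -v port="$1" '
        $2 != "tcp" { next }
        $4 == "<-" { dir = "in";  server = $3 }   # inbound: server address on the left
        $4 == "->" { dir = "out"; server = $5 }   # outbound: server address on the right
        $4 != "<-" && $4 != "->" { next }
        {
            n = split(server, a, ":")              # last colon-separated field is the port
            if (a[n] == port) print $1, dir, $NF   # $NF is the "srcstate:dststate" column
        }'
}

# count_states_for_port PORT
# Number of TCP state entries the dump on stdin holds for that server port.
# Two entries for one connection means both bridge members created state.
count_states_for_port() {
    states_for_port "$1" | wc -l | tr -d ' '
}

# On the firewall itself, feed the live state table instead of the sample.
live_states_for_port() {
    pfctl -ss | states_for_port "$1"
}

printf '%s\n' "$SAMPLE_STATES" | states_for_port 80
```

Reading the output: SYN_SENT:CLOSED on an entry means only the client's SYN has been credited to that state; ESTABLISHED:SYN_SENT means the server's SYN-ACK has also been seen by it. Run `live_states_for_port 80` right after the client attempts the connection, and compare what each member interface reports against which interface carries the rule that is supposed to match the reply.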