FW rule issue

Started by iBROX, October 04, 2021, 09:06:59 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
October 04, 2021, 09:06:59 AM Last Edit: October 04, 2021, 09:10:31 AM by iBROX
Hi,

This should be simple and it probably is, but for some reason it isn't working, I'll explain best I can.

Network A : 192.168.90.0/24
Network B : 192.168.100.0/24

I am trying to connect to TCP/22 from Network A to Network B , I have the rule in place but for some reason it keeps getting picked up by the default deny rule in the logs.  I can ping a host on network B from network A no problems but for some reason it isn't parsing the rule.  I can also see the request come into the host on network B using a netstat or a tshark capture.

From the deny log for some reason it looks like it is the wrong way around (unless I'm reading it wrong)

I've attached the deny log.

I can access the host on Network B from another host on Network B no problems.
October 04, 2021, 09:56:26 AM #1
Can you try with TCP 222 for testing? The firewall itself listens on 22
October 04, 2021, 11:01:19 AM #2
I have something listening on 80 as well, same issue. However I think I might know what's causing this after taking a step back. I'll have more of a play tomorrow.
October 05, 2021, 04:22:34 AM #3
Ok I can see what is happening for some reason its not keeping state.  If I disable all FW it works, but the moment I enable the FW it doesn't.

I can see in the FW log that the SYN ACK is getting lost on the way back so for example :

Host A : 192.168.10.10 (listening on port 111)
Host B : 192.168.20.20

I can see in the FW log that the default deny is picking this up and blocking it on the way back.
October 05, 2021, 09:14:48 AM #4
Are these networks on different interfaces or on the same one?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
October 05, 2021, 09:38:15 AM #5 Last Edit: October 05, 2021, 09:47:58 AM by iBROX
Different interfaces, for some reason it keeps getting hit by the default deny (floating rule) if I add a new rule on that specific interface and say "block or reject" it, I can see it hitting that rule.  It's only if it has a permit it doesn't even get that far.
October 09, 2021, 12:29:14 PM #6
Managed to fix this one, it wasn't opnsense at fault but an issue further upstream in the network on the core switches, someone didn't clean up their "temporary" configuration from years ago.  A bit of debugging and back tracking I managed to work it out.
Print
Go Up Pages1
User actions