  • OPNsense Forum »
  • English Forums »
  • 21.7 Legacy Series »
  • FW rule issue
Author Topic: FW rule issue  (Read 990 times)

iBROX

FW rule issue
« on: October 04, 2021, 09:06:59 am »
Hi,

This should be simple, and it probably is, but for some reason it isn't working. I'll explain as best I can.

Network A : 192.168.90.0/24
Network B : 192.168.100.0/24

I am trying to connect to TCP/22 from Network A to Network B. I have the rule in place, but for some reason it keeps getting picked up by the default deny rule in the logs. I can ping a host on Network B from Network A no problem, but for some reason it isn't parsing the rule. I can also see the request come into the host on Network B using netstat or a tshark capture.

From the deny log, for some reason it looks like it is the wrong way around (unless I'm reading it wrong).

I've attached the deny log.

I can access the host on Network B from another host on Network B no problems.
« Last Edit: October 04, 2021, 09:10:31 am by iBROX »

bartjsmit

Re: FW rule issue
« Reply #1 on: October 04, 2021, 09:56:26 am »
Can you try with TCP 222 for testing? The firewall itself listens on 22

iBROX

Re: FW rule issue
« Reply #2 on: October 04, 2021, 11:01:19 am »
I have something listening on 80 as well, same issue. However I think I might know what’s causing this after taking a step back. I’ll have more of a play tomorrow.

iBROX

Re: FW rule issue
« Reply #3 on: October 05, 2021, 04:22:34 am »
OK, I can see what is happening: for some reason it's not keeping state. If I disable all FW it works, but the moment I enable the FW it doesn't.

I can see in the FW log that the SYN/ACK is getting lost on the way back, so for example:

Host A : 192.168.10.10 (listening on port 111)
Host B : 192.168.20.20

I can see in the FW log that the default deny is picking this up and blocking it on the way back.

pmhausen

Re: FW rule issue
« Reply #4 on: October 05, 2021, 09:14:48 am »
Are these networks on different interfaces or on the same one?

iBROX

Re: FW rule issue
« Reply #5 on: October 05, 2021, 09:38:15 am »
Different interfaces. For some reason it keeps getting hit by the default deny (floating rule). If I add a new rule on that specific interface and say "block or reject", I can see it hitting that rule. It's only if it has a permit that it doesn't even get that far.
« Last Edit: October 05, 2021, 09:47:58 am by iBROX »
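To make the state-tracking behaviour discussed in Reply #3 and Reply #5 concrete, here is a small Python model of a pf-style stateful firewall. It is an added illustration, not OPNsense or pf code; the two networks are the ones from the first post, while the hosts, ports and rule set are constructed for the example. It shows why a SYN/ACK whose SYN never traversed the firewall (an asymmetric path, such as one introduced by a stale upstream switch configuration) has no state to match, cannot be admitted by a pass rule that only creates state on a SYN (pf's default `flags S/SA`), and therefore lands on the default deny, while an explicit block rule on the interface does match it and logs it under its own name.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    src_net: str
    dst_net: str
    dport: Optional[int] = None


class StatefulFirewall:
    """Simplified pf-style filter: state table first, then first-match rules,
    then the implicit default deny. An illustration, not OPNsense code."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.states = set()       # 4-tuples of connections a pass rule admitted
        self.log: List[str] = []  # what the firewall log would show

    @staticmethod
    def _key(pkt: Packet) -> Tuple[str, int, str, int]:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet) -> Tuple[str, int, str, int]:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _matches(self, rule: Rule, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src_net):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst_net):
            return False
        if rule.dport is not None and pkt.dport != rule.dport:
            return False
        # pf pass rules default to "flags S/SA": only a bare SYN creates state,
        # so a SYN/ACK that has no state cannot be admitted by a pass rule.
        if rule.action == "pass" and pkt.flags != "S":
            return False
        return True

    def filter(self, pkt: Packet) -> str:
        # 1. An existing state admits packets in both directions.
        if self._key(pkt) in self.states or self._reverse_key(pkt) in self.states:
            return "pass (state)"
        # 2. No state: evaluate the rule set, first match wins.
        for rule in self.rules:
            if self._matches(rule, pkt):
                if rule.action == "pass":
                    self.states.add(self._key(pkt))
                    return "pass (new state)"
                self.log.append(f"block by rule {rule.src_net}->{rule.dst_net}: {pkt}")
                return "block (rule)"
        # 3. Nothing matched: the implicit default deny.
        self.log.append(f"Default deny: {pkt}")
        return "block (default deny)"


# Networks from the first post; hosts and ports are constructed for the example.
RULES = [Rule("pass", "192.168.90.0/24", "192.168.100.0/24", dport=22)]
SYN = Packet("192.168.90.10", 51515, "192.168.100.20", 22, "S")
SYN_ACK = Packet("192.168.100.20", 22, "192.168.90.10", 51515, "SA")


def symmetric_path() -> List[str]:
    """Both directions traverse the firewall: the SYN creates state and the
    SYN/ACK is admitted by that state."""
    fw = StatefulFirewall(RULES)
    return [fw.filter(SYN), fw.filter(SYN_ACK)]


def asymmetric_path(explicit_block: bool = False) -> Tuple[str, List[str]]:
    """The SYN reached Network B without passing this firewall (for instance via
    a stale upstream switch path), so only the SYN/ACK arrives here: no state,
    no matching pass rule, default deny. An explicit block rule on the
    interface matches instead and is the rule that shows up in the log."""
    rules = list(RULES)
    if explicit_block:
        rules.insert(0, Rule("block", "192.168.100.0/24", "192.168.90.0/24"))
    fw = StatefulFirewall(rules)
    return fw.filter(SYN_ACK), fw.log


if __name__ == "__main__":
    print("symmetric :", symmetric_path())
    print("asymmetric:", asymmetric_path())
    print("with block:", asymmetric_path(explicit_block=True))
```

The practical check this suggests for a "default deny on the way back" symptom is to confirm that both halves of the handshake actually traverse the same firewall: capture on the inside and outside interfaces and verify the SYN is seen before the SYN/ACK. If only the reply is seen, the fault is in the path (routing or switching), not in the rule.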

iBROX

Re: FW rule issue
« Reply #6 on: October 09, 2021, 12:29:14 pm »
Managed to fix this one. It wasn't OPNsense at fault but an issue further upstream in the network on the core switches: someone didn't clean up their "temporary" configuration from years ago. After a bit of debugging and backtracking I managed to work it out.

OPNsense is an OSS project © Deciso B.V. 2015 - 2022 All rights reserved