OPNsense Forum » Archive » 21.7 Legacy Series » FW rule issue
Topic: FW rule issue (Read 1465 times)
iBROX
Newbie
Posts: 46
Karma: 2
FW rule issue « on: October 04, 2021, 09:06:59 am »
Hi,
This should be simple, and it probably is, but for some reason it isn't working. I'll explain as best I can.
Network A: 192.168.90.0/24
Network B: 192.168.100.0/24
I am trying to connect to TCP/22 from Network A to Network B. I have the rule in place, but for some reason it keeps getting picked up by the default deny rule in the logs. I can ping a host on Network B from Network A no problem, but for some reason it isn't parsing the rule. I can also see the request come into the host on Network B using netstat or a tshark capture.
From the deny log, for some reason it looks like it is the wrong way around (unless I'm reading it wrong).
I've attached the deny log.
I can access the host on Network B from another host on Network B no problem.
« Last Edit: October 04, 2021, 09:10:31 am by iBROX »
bartjsmit
Hero Member
Posts: 1649
Karma: 168
Re: FW rule issue « Reply #1 on: October 04, 2021, 09:56:26 am »
Can you try with TCP 222 for testing? The firewall itself listens on 22.
iBROX
Newbie
Posts: 46
Karma: 2
Re: FW rule issue « Reply #2 on: October 04, 2021, 11:01:19 am »
I have something listening on 80 as well, same issue. However, I think I might know what's causing this after taking a step back. I'll have more of a play tomorrow.
iBROX
Newbie
Posts: 46
Karma: 2
Re: FW rule issue « Reply #3 on: October 05, 2021, 04:22:34 am »
OK, I can see what is happening: for some reason it's not keeping state. If I disable all FW it works, but the moment I enable the FW it doesn't.
I can see in the FW log that the SYN-ACK is getting lost on the way back, so for example:
Host A: 192.168.10.10 (listening on port 111)
Host B: 192.168.20.20
I can see in the FW log that the default deny is picking this up and blocking it on the way back.
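Reply #3 describes the tell-tale pattern of a reply with no matching state: the client's SYN is passed by the rule, but the SYN-ACK coming back is caught by the default deny. As an added example (not from the thread and not OPNsense's own tooling), the script below scans a small constructed log in a simplified comma-separated layout (not the real OPNsense filterlog format) and pairs each blocked SYN-ACK with the allowed SYN it answers, reusing the hosts from Reply #3. A hit means the return traffic reaches the firewall where it holds no state for the flow, which points at the return path rather than the permit rule.

```python
from typing import Dict, List, Tuple

# Constructed sample records in a simplified layout (NOT the real OPNsense filterlog CSV):
# action,direction,interface,src,sport,dst,dport,tcp_flags
# Hosts mirror Reply #3: 192.168.10.10 listens on TCP/111, 192.168.20.20 is the client.
SAMPLE_LOG = [
    "pass,in,vlan20,192.168.20.20,51234,192.168.10.10,111,S",    # client SYN allowed by the rule
    "block,in,vlan10,192.168.10.10,111,192.168.20.20,51234,SA",  # server SYN-ACK hits default deny
    "pass,in,vlan20,192.168.20.20,51235,192.168.10.10,22,S",     # healthy flow: reply matched state, never logged
    "block,in,vlan10,192.168.10.10,80,192.168.20.30,40000,SA",   # SYN-ACK with no SYN seen: unrelated noise
]

FourTuple = Tuple[str, int, str, int]


def parse(line: str) -> dict:
    """Split one constructed log record into its fields."""
    action, direction, iface, src, sport, dst, dport, flags = line.split(",")
    return {"action": action, "dir": direction, "iface": iface, "src": src,
            "sport": int(sport), "dst": dst, "dport": int(dport), "flags": flags}


def find_lost_replies(lines: List[str]) -> List[dict]:
    """Return blocked SYN-ACKs that answer a SYN the firewall previously passed.

    A blocked reply to an allowed connection means the reply arrived where no
    state matched it, the symptom described in Reply #3.
    """
    allowed_syns: Dict[FourTuple, str] = {}   # 4-tuple of the passed SYN -> interface it came in on
    findings: List[dict] = []
    for line in lines:
        rec = parse(line)
        key: FourTuple = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["action"] == "pass" and rec["flags"] == "S":
            allowed_syns[key] = rec["iface"]
        elif rec["action"] == "block" and set("SA") <= set(rec["flags"]):
            # The reply's 4-tuple is the SYN's 4-tuple reversed.
            reverse: FourTuple = (rec["dst"], rec["dport"], rec["src"], rec["sport"])
            if reverse in allowed_syns:
                findings.append({
                    "client": rec["dst"], "server": rec["src"], "server_port": rec["sport"],
                    "syn_iface": allowed_syns[reverse], "synack_iface": rec["iface"],
                })
    return findings


if __name__ == "__main__":
    for f in find_lost_replies(SAMPLE_LOG):
        print(f"{f['client']} -> {f['server']}:{f['server_port']}: SYN passed on "
              f"{f['syn_iface']}, SYN-ACK blocked on {f['synack_iface']} (no matching state)")
```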
pmhausen
Hero Member
Posts: 3054
Karma: 266
Re: FW rule issue « Reply #4 on: October 05, 2021, 09:14:48 am »
Are these networks on different interfaces or on the same one?
Supermicro A2SDi-4C-HLN4F mainboard and SC101F chassis
16 GB ECC memory
Crucial MX300 275 GB SATA 2.5" plus
Crucial MX300 275 GB SATA M.2 (ZFS mirror)
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
iBROX
Newbie
Posts: 46
Karma: 2
Re: FW rule issue « Reply #5 on: October 05, 2021, 09:38:15 am »
Different interfaces. For some reason it keeps getting hit by the default deny (floating rule). If I add a new rule on that specific interface and say "block or reject", I can see it hitting that rule. It's only if it has a permit that it doesn't even get that far.
« Last Edit: October 05, 2021, 09:47:58 am by iBROX »
iBROX
Newbie
Posts: 46
Karma: 2
Re: FW rule issue « Reply #6 on: October 09, 2021, 12:29:14 pm »
Managed to fix this one. It wasn't OPNsense at fault but an issue further upstream in the network on the core switches: someone didn't clean up their "temporary" configuration from years ago. With a bit of debugging and backtracking I managed to work it out.