'Default Deny' blocking all OPT1 traffic

[cwynd]

Hello all,

I'm trying to get a relatively simple OPNsense 21.7.3_3-amd64 set up to the point where I can deploy it.
Brief summary:
* new bare metal hardware, 1 WAN 1 LAN and 1 OPT, one spare RJ45 port.
* One (1) device connected to each of LAN and OPT1 ports by a single piece of wire (no routers and before you ask several different cables tried).

The new setup is intended to clone & upgrade an existing production setup which is OPNsense 18 for a long time, and is aging, and the hardware is slow - hence the attempt to upgrade.
The new LAN is intended for secure business traffic only, and the OPT1 is for more open "retail" type traffic. There are no VLANs involved.

LAN <~> WAN was extensively tested before the attempted deploy and is working fine. However when I tried to deploy during off hours today and replace production OPNsense there is no traffic at all getting passed by OPT1, and I eventually had to roll back to the old system to avoid an extended outage.

On digging subsequently in my test set up I can ping and see packet logs back & forth just fine for LAN, but for OPT1 I can ping out from OPT1 to my test device and get replies, but pinging from the single device to OPT1 never gets a reply, and the firewall logs show

Code: [Select]

action block    dir [in]    src 192.168.129.185    dst 192.168.129.1 <this is OPT1>  - details in the attached screen shot (OPT1 is called DDWRT there for historical reasons).

Everything's been restarted several times.

I've tried putting a OPT1 'allow any from any' rule at the top of the ruleset, but it appears to still get stomped by the Floating 'default deny' and has no effect. Other than that the rules for LAN and OPT1 are substantially identical (the plan had been to spend the day adding all the detailed rules once the basics were working - until we hit this roadblock).

Sorry for long intro, but finally I have three questions:

1) Why is OPT1 behaving differently than LAN interface, with the same rules, i.e. why are the floating rules being applied differently? I'm missing where the asymmetry is coming from.

2) What is the correct way to open anything in the 'Default Deny' rule??

3) Related to #2, I've seen some talk while googling of "weirdness" related to the Floating Default Deny in recent OPNsense releases - should I be thinking about downgrading?

Thanks for any and all advice!

[cwynd]

Anyone??...

[franco]

Hi,

> 1) Why is OPT1 behaving differently than LAN interface, with the same rules, i.e. why are the floating rules being applied differently? I'm missing where the asymmetry is coming from.

The only difference between OPTx and LAN is that LAN has a preset for default pass.

> 2) What is the correct way to open anything in the 'Default Deny' rule??

I don't understand this question. The default deny rule will just catch your traffic not handled by a pass rule on OPTx. By design that is all traffic. Creating any rule in OPTx only setting "pass" and save should make it work. "Should" because there may be other things at play here, i.e. asymmetric routing or spoof detection triggering the default deny as well.

> 3) Related to #2, I've seen some talk while googling of "weirdness" related to the Floating Default Deny in recent OPNsense releases - should I be thinking about downgrading?

I have no idea what you try refer to.

Don't get me wrong, just an observation: it appears you are looking for matching symptoms but don't know what's going on and how it is supposed to work in the first place. It's a difficult situation to get out of.


Cheers,
Franco

[Patrick M. Hausen]

@cwynd you could start with actually showing us you allo any rule for OPT1.

The default deny rule is the last resort catching packets that match no other rule. So something with your OPT1 rule leads to it not matching the desired traffic.

[cwynd]

@franco @pmhausen Thanks so much for responding.
To be clear, I am definitely no firewall expert, just I seem to know slightly more than anyone else here, so... though having said that we do aim to be diligent and secure.

Your replies helped me clear up two things I missed in the heat of an attempted deploy yesterday:
* The default deny rule is a last resort rule, not a first match / quick rule. I missed that, although on reflection it should be obvious.
* My hurried attempt at a default pass any-to-any rule on the OPT1 interface (by cloning the LAN rule) failed to update the interface net it matched, so obviously it did nothing.

With the latter corrected everything appears to be working. Totally my carelessness.


Thanks again!