Always hitting the Default deny rule.

Started by BoogaBooga, December 28, 2021, 10:50:45 PM

Hi Everyone, I'm hoping to figure out what's going on here.
I want to allow http traffic from one subnet 192.168.2.0/24 to another 192.168.10.0/24.
The OPNSense firewall is part of 192.168.10.0/24
The gateway to 192.168.2.0 is 192.168.10.5
I can ping host 192.168.10.10 from 192.168.2.15 successfully. There's a floating rule for ICMP that allows this.
When I clone/modify the ICMP floating rule to allow http, the firewall log shows the packets as dropped by the default deny rule (see attachment).

I've tried creating rules that match the info in the log, but it always gets denied. I can't understand what makes port 80 special in this case.

Any help would be appreciated.


as you cloned the ICMP rule, did you allow UDP, TCP or both for port 80?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Yes, I tried setting the port to 80 or 'any' and the packets were still being dropped.

I wonder if it's dropping due to some connection state issues.

Fixed it by disabling firewall rules on the same interface. I am not sure what the downside of this is, however.
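As an added example (not code from this thread or from OPNsense), the following Python model of a stateful packet filter reproduces the symptom described above under one assumption the thread does not confirm: the client's SYN from 192.168.2.15 reaches 192.168.10.10 through the 192.168.10.5 gateway without crossing OPNsense, while 192.168.10.10 sends its reply back through OPNsense as its default gateway. On that asymmetric path the firewall sees only the SYN-ACK; a TCP rule that keeps state on the initial SYN (pf's default behaviour) never matches it, so it falls to the default deny, whereas an ICMP floating rule passes the echo reply on its own. The `bypass_same_interface` flag stands in for the option the poster enabled; the rule set and packets are constructed from the addresses in the thread, and the client port 51514 is made up.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # destination port (tcp only)
    flags: str = ""       # tcp flags: "S" for SYN, "SA" for SYN-ACK


@dataclass(frozen=True)
class Rule:
    proto: str
    src_net: str          # "x.y.z.0/24" or "any" (only /24 handled; enough here)
    dst_net: str
    dport: Optional[int] = None
    floating: bool = False  # floating rule: matched in either direction


def in_net(ip: str, net: str) -> bool:
    """Toy /24 membership test (constructed helper, not a real CIDR parser)."""
    if net == "any":
        return True
    return ip.rsplit(".", 1)[0] == net.split("/")[0].rsplit(".", 1)[0]


class Firewall:
    def __init__(self, rules, bypass_same_interface: bool = False):
        self.rules = list(rules)
        self.bypass_same_interface = bypass_same_interface
        self.states = set()   # (proto, {a, b}); one state covers both directions
        self.log = []

    def _rule_matches(self, r: Rule, p: Packet) -> bool:
        if r.proto != p.proto:
            return False
        if r.dport is not None and p.dport != r.dport:
            return False
        fwd = in_net(p.src, r.src_net) and in_net(p.dst, r.dst_net)
        rev = r.floating and in_net(p.src, r.dst_net) and in_net(p.dst, r.src_net)
        return fwd or rev

    def filter(self, p: Packet, same_interface: bool = False) -> str:
        key = (p.proto, frozenset((p.src, p.dst)))
        if key in self.states:
            verdict = "pass (existing state)"
        elif same_interface and self.bypass_same_interface:
            verdict = "pass (bypass same-interface)"
        else:
            verdict = "block (default deny)"
            for r in self.rules:
                if not self._rule_matches(r, p):
                    continue
                # Like pf's default "flags S/SA keep state", a TCP rule creates
                # state only on the initial SYN; a SYN-ACK with no prior state
                # falls through to the default deny.
                if p.proto == "tcp" and p.flags != "S":
                    continue
                self.states.add(key)
                verdict = "pass (rule match, state created)"
                break
        self.log.append((p, verdict))
        return verdict


# Constructed rule set mirroring the thread: a working ICMP floating rule and
# the cloned HTTP rule (protocol changed to TCP, port 80).
RULES = [
    Rule("icmp", "any", "any", floating=True),
    Rule("tcp", "192.168.2.0/24", "192.168.10.0/24", dport=80),
]


def run_scenarios() -> dict:
    syn = Packet("tcp", "192.168.2.15", "192.168.10.10", dport=80, flags="S")
    syn_ack = Packet("tcp", "192.168.10.10", "192.168.2.15", dport=51514, flags="SA")
    echo_reply = Packet("icmp", "192.168.10.10", "192.168.2.15")
    results = {}

    # 1. Assumed asymmetric path: the SYN went via 192.168.10.5 and never hit
    #    OPNsense; only the reply from 192.168.10.10 arrives at the firewall.
    fw = Firewall(RULES)
    results["icmp_reply_asymmetric"] = fw.filter(echo_reply)
    results["syn_ack_asymmetric"] = fw.filter(syn_ack)

    # 2. Same path with the same-interface bypass the poster enabled.
    fw = Firewall(RULES, bypass_same_interface=True)
    results["syn_ack_bypass"] = fw.filter(syn_ack, same_interface=True)

    # 3. Symmetric path for comparison: the firewall sees the SYN first.
    fw = Firewall(RULES)
    fw.filter(syn)
    results["syn_ack_symmetric"] = fw.filter(syn_ack)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24s} -> {verdict}")
```

The model also shows what the bypass option costs: in scenario 2 the reply is passed without any rule or state being consulted, so traffic between the two subnets on that interface is no longer subject to the rule set at all. Placing OPNsense in the forwarding path in both directions (scenario 3) keeps the HTTP rule effective without the bypass.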

Quote from: BoogaBooga on December 29, 2021, 06:41:35 PM
Yes, I tried setting the port to 80 or 'any' and the packets were still being dropped.

I wonder if it's dropping due to some connection state issues.

It's not about the port, but the type of packets (UDP/TCP) allowed for port 80...
kind regards
chemlud


Please provide a network plan
(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support

Unfortunately I updated to the latest release and I can no longer ssh into opnsense.