[SOLVED] Default Deny / State Violation
Topic: [SOLVED] Default Deny / State Violation (Read 1101 times)
eknowlton
Newbie
Posts: 2
Karma: 0
[SOLVED] Default Deny / State Violation
« on: August 26, 2022, 03:59:26 pm »
Having a really hard time figuring this out.
I have a setup...
Code:
OPNSense -> TP Link Managed Switch -> Proxmox VE Server -> Ubuntu VM ( w/ nginx on port 80 )
Proxmox VE : 192.168.1.89
My Laptop: 192.168.1.104
Ubuntu VM: 192.168.1.50
Every time I try to hit the server ( Ubuntu VM ) from the same network ( LAN ), the OPNSense firewall seems to block it. It poses two questions to me...
- Why doesn't the switch handle the request and bypass the OPNSense box?
- Why does OPNSense block this, even though I have a rule to allow it and it is set to bypass rules on the same interface?
Any help would be greatly appreciated. Will post more settings if needed.
« Last Edit: August 26, 2022, 05:10:05 pm by eknowlton »
Patrick M. Hausen
Hero Member
Posts: 6825
Karma: 573
Re: Default Deny / State Violation
« Reply #1 on: August 26, 2022, 04:17:18 pm »
What are the netmasks for these IP addresses on your Laptop and the Ubuntu server?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
eknowlton
Newbie
Posts: 2
Karma: 0
Re: Default Deny / State Violation
« Reply #2 on: August 26, 2022, 04:56:14 pm »
My laptop is 192.168.1.104/24
The Ubuntu server is 192.168.1.50/32 <-- I just changed this to /24 and it works.
Hmm.. I don't know enough about this, but this is why I'm building it.
Would love resources to learn about this issue I just had.
Thanks
Patrick M. Hausen
Hero Member
Posts: 6825
Karma: 573
Re: Default Deny / State Violation
« Reply #3 on: August 26, 2022, 05:10:49 pm »
OK, so what does the netmask do ...?
The laptop is 192.168.1.104 and the server is 192.168.1.50. The laptop wants to initiate a connection to the server.
The most important thing in IP in simple LANs like this is that it is the sending station that is responsible to decide if
* the destination address is local or
* the destination address can only be reached via some router
In most simple LANs there is only one router - the default gateway.
So how does your laptop decide where the destination is located? It does a bitwise AND operation of its own source address and the netmask, and a bitwise AND operation of the destination address and its own netmask.
192.168.1.104 AND 255.255.255.0 (24 consecutive "1" bits followed by 8 "0" bits) = 192.168.1.0
192.168.1.50 AND 255.255.255.0 = 192.168.1.0
Both results are identical, so the destination must be local. The laptop uses a protocol named ARP to find the "hardware address" of the server, but let's just leave it here. The key point is there is no router involved.
Now the server wants to send an answer back - it goes through the same decision process using its own netmask!
192.168.1.50 AND 255.255.255.255 (32 consecutive "1" bits) = 192.168.1.50
192.168.1.104 AND 255.255.255.255 = 192.168.1.104
Oops! They don't match. I need to send the packet to my router, i.e. OPNsense.
OPNsense sees a reply packet for which it has not seen the initial one in the other direction and decides "State violation! Bad server!"
That's why it's so important that the netmasks of all devices in one LAN match.
HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
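The netmask arithmetic in Reply #3, worked through in code as an added example (this is not code from the forum thread or from OPNsense). It applies each sender's own netmask to both addresses exactly as described, derives the next hop from the comparison, and then models what a stateful firewall sitting on the gateway would see: a reply arriving without a matching request is the "state violation" the thread is about. The addresses are the ones quoted in the thread; the gateway address 192.168.1.1 is an assumption, since the thread never states the OPNsense LAN address.

```python
import ipaddress

# Addresses quoted in the thread above.
LAPTOP = "192.168.1.104"
SERVER = "192.168.1.50"
# Assumed OPNsense LAN address (not given in the thread); only used as "the router".
GATEWAY = "192.168.1.1"


def netmask_int(prefixlen: int) -> int:
    """Build the 32-bit mask: `prefixlen` ones followed by zeros (e.g. /24 -> 255.255.255.0)."""
    if not 0 <= prefixlen <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF


def network_part(addr: str, prefixlen: int) -> str:
    """Bitwise AND of an address with the mask, returned in dotted form (the lines in Reply #3)."""
    masked = int(ipaddress.IPv4Address(addr)) & netmask_int(prefixlen)
    return str(ipaddress.IPv4Address(masked))


def is_local(src: str, src_prefixlen: int, dst: str) -> bool:
    """The SENDER's decision: mask both addresses with the sender's own netmask and compare."""
    return network_part(src, src_prefixlen) == network_part(dst, src_prefixlen)


def next_hop(src: str, src_prefixlen: int, dst: str, gateway: str = GATEWAY) -> str:
    """Local destinations are reached directly (via ARP); everything else goes to the router."""
    return dst if is_local(src, src_prefixlen, dst) else gateway


def firewall_verdict(client: str, client_prefixlen: int,
                     server: str, server_prefixlen: int,
                     gateway: str = GATEWAY) -> str:
    """Model the stateful firewall on the gateway for one request/reply pair.

    The firewall only sees packets whose next hop is the gateway, so:
      - neither direction hits it          -> "not inspected" (the switch handles it)
      - it saw the request, then the reply -> "pass"  (state table entry exists)
      - it sees a reply with no request    -> "block" (state violation / default deny)
    """
    request_hop = next_hop(client, client_prefixlen, server, gateway)
    reply_hop = next_hop(server, server_prefixlen, client, gateway)
    saw_request = request_hop == gateway
    saw_reply = reply_hop == gateway
    if not saw_reply:
        return "not inspected" if not saw_request else "pass"
    return "pass" if saw_request else "block"


if __name__ == "__main__":
    for server_prefix in (24, 32):
        print(f"laptop /24, server /{server_prefix}:")
        print("  laptop masks :", network_part(LAPTOP, 24), network_part(SERVER, 24))
        print("  server masks :", network_part(SERVER, server_prefix), network_part(LAPTOP, server_prefix))
        print("  reply next hop:", next_hop(SERVER, server_prefix, LAPTOP))
        print("  firewall     :", firewall_verdict(LAPTOP, 24, SERVER, server_prefix))
```

Running it prints the /24 case as "not inspected" (both hosts agree the other is local, so OPNsense never sees the traffic) and the /32 case as "block", because the server's own mask makes the laptop look remote and the reply is handed to the router with no prior request in its state table. The fix in Reply #2 (changing the server to /24) makes both senders' results identical again, which is why it worked.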