Default deny / state violation rule hits openvpn

Started by lebernd, December 12, 2022, 10:31:29 AM

December 12, 2022, 10:31:29 AM Last Edit: December 12, 2022, 06:53:23 PM by lebernd
Hi @all,

I'm running into a default deny issue on my OpenVPN servers that I cannot debug.

I changed the hardware yesterday and imported the last config (changed the interface names by find and replace from igb to the detected igc). Everything is working as expected: IPsec, WireGuard, HAProxy etc. Only my OpenVPN servers on WAN are no longer reachable for their endpoints.
The firewall rule on WAN is active and expected to pass the traffic. But it won't hit the connection as it did before. Why?

I am really not sure whether the hardware change even has anything to do with it, but the timing coincides.

Best, thank you for helping out,
Bernd
IPU451, 16GB RAM, 120GB SSD:
OPNsense 22.7.11_1-amd64
FreeBSD 13.1-RELEASE-p5
OpenSSL 1.1.1s 1 Nov 2022

IPU441, 8GB RAM, 120GB SSD:
OPNsense 23.1.1_2-amd64
FreeBSD 13.1-RELEASE-p6
OpenSSL 1.1.1t 7 Feb 2023

As it is no longer a problem, I cannot reproduce it...

The "solution" was in some changes to the firewall rule:
- The alias for the Internet host was saved as URL(IPs). Changing this to Host(s) did the trick, I think.
- But I also changed the Destination in the rule from WAN address to any.

Anyway, OpenVPN comes up now and, strangely, I cannot revert this. Even a re-import of the config file I used after the installer does not reproduce the issue.

So long, thanks for reading,
Bernd
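A diagnostic for the symptom described in this thread, as an added example that is not part of the original posts or OPNsense's own tooling. It assumes the OpenVPN server listens on UDP/1194, the WAN interface is igc0, and the pass rule's source alias is named OVPN_PEERS (all assumptions, not facts from the thread). The idea behind the checks: OPNsense loads each alias as a pf table of the same name, so a URL(IPs) alias that has not been fetched yet is an empty table, a rule "from <OVPN_PEERS>" then matches nothing, and the packet falls through to the default deny; likewise a rule still bound to the old igb interface name never sees packets arriving on igc0. The script checks both conditions on constructed pfctl output, and against the live ruleset when it happens to run on the firewall itself.

```shell
#!/bin/sh
# Added diagnostic for the symptom in this thread. Example code, not
# OPNsense's own tooling. Assumptions (not from the thread): OpenVPN on
# UDP/1194, WAN interface igc0, source alias named OVPN_PEERS.
# OPNsense loads every alias as a pf table of the same name; a URL(IPs)
# alias that has not been fetched yet is an empty table, so a pass rule
# "from <OVPN_PEERS>" matches nothing and the packet hits the default deny.

OVPN_PORT="${OVPN_PORT:-1194}"
WAN_IF="${WAN_IF:-igc0}"
PEER_ALIAS="${PEER_ALIAS:-OVPN_PEERS}"

# count_pass_rules PORT IFACE: reads `pfctl -sr` text on stdin and prints how
# many inbound pass rules exist on IFACE for UDP to PORT (0 if none).
count_pass_rules() {
    grep -c -E "^pass in .*on $2 .*proto udp .*port (= )?$1( |$)" || true
}

# table_size: reads `pfctl -t NAME -T show` text on stdin and prints the
# number of address entries (0 means the alias resolved to nothing).
table_size() {
    grep -c -E '[0-9a-fA-F]' || true
}

# diagnose PORT IFACE RULES_TEXT TABLE_TEXT: prints one verdict word and
# returns 0 only when the rule exists and its alias has members.
diagnose() {
    n_rules=$(printf '%s\n' "$3" | count_pass_rules "$1" "$2")
    n_hosts=$(printf '%s\n' "$4" | table_size)
    if [ "$n_rules" -eq 0 ]; then
        echo "NO_PASS_RULE"    # rule missing or bound to a stale interface name
        return 1
    fi
    if [ "$n_hosts" -eq 0 ]; then
        echo "EMPTY_ALIAS"     # rule present, but its source alias has no members
        return 1
    fi
    echo "OK"
    return 0
}

# Constructed sample output in the style of `pfctl -sr` and `pfctl -T show`
# (an approximation of pfctl's formatting, not captured from a real box).
RULES_STALE_IF='block drop in log inet all label "Default deny / state violation rule"
pass in quick on igb0 inet proto udp from <OVPN_PEERS> to (igb0) port = 1194 keep state label "OpenVPN WAN"'
RULES_GOOD='block drop in log inet all label "Default deny / state violation rule"
pass in quick on igc0 inet proto udp from <OVPN_PEERS> to (igc0) port = 1194 keep state label "OpenVPN WAN"'
TABLE_EMPTY=''
TABLE_POPULATED='   203.0.113.10
   198.51.100.0/24'

if command -v pfctl >/dev/null 2>&1; then
    # On the firewall itself: inspect the live ruleset and alias table (needs root).
    live_rules=$(pfctl -sr 2>/dev/null || true)
    live_table=$(pfctl -t "$PEER_ALIAS" -T show 2>/dev/null || true)
    diagnose "$OVPN_PORT" "$WAN_IF" "$live_rules" "$live_table" || true
else
    # Elsewhere: exercise the checks on the constructed samples.
    diagnose "$OVPN_PORT" "$WAN_IF" "$RULES_STALE_IF" "$TABLE_POPULATED" || true   # NO_PASS_RULE
    diagnose "$OVPN_PORT" "$WAN_IF" "$RULES_GOOD" "$TABLE_EMPTY" || true           # EMPTY_ALIAS
    diagnose "$OVPN_PORT" "$WAN_IF" "$RULES_GOOD" "$TABLE_POPULATED" || true       # OK
fi
```

Run it as root on the firewall to get the live verdict. If `pfctl -t OVPN_PEERS -T show` prints nothing while the pass rule is present, the alias resolved to an empty table, which is consistent with the alias-type change above fixing things; if no rule shows up on igc0 at all, the interface rename in the imported config did not reach that rule.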