Traffic between opt interfaces denied | Default deny / state violation rule

Started by lw-admin, January 06, 2023, 12:11:03 PM

I have a setup with the below interfaces:

WAN
TC_PSS - 172.16.200.1
PP1 - 172.16.201.1
PP2 - 172.16.202.1
PP3 - 172.16.203.1

Rules are set to allow traffic between the PP interfaces to TC_PSS, but to block traffic between PP interfaces. The issue I have is any traffic between the PP and TC_PSS interfaces is ignoring my allow rules and is hitting the floating Default deny rule first. What am I doing wrong?

Additionally, pings from devices on PP1 to TC_PSS do not hit any deny rules, but never get replies. Am I getting asymmetric routing?

I have attached the rules I have configured. Any help would be greatly appreciated.

Floating rules should never be used unless absolutely needed.
The rules you have as floating are not necessary at all.
Put them on the interfaces where they belong.

Thanks, I will do that. However the floating rules appear to be working. The issue is it isn't hitting my allow rules, why is it hitting default deny before my allows?


What would you say about my implementation is wrong specifically? I know floating rules are processed first, but the default deny is set to last match. All my rules are set to first match. Should that not override the default deny? Have I misunderstood something here? I'm relatively new to OPNsense.

Rules are applied to the inbound side of the interface connected to that network. For some reason they added the outbound direction to interface rules but it's completely useless and unneeded except for the floating rules.
As an example, think of your house: if you don't want someone to enter your home, you block them at the front door. You don't let them in the front door and then say you can't go out the back door. That would be applying a rule in the outbound direction of an interface. It's not how pf works.
So rules are applied in the inbound direction: if packets are not allowed into the interface they are connected to, they can't go out any other interface. It is a bit different than most, if not all, other firewalls, but that's how pf works.

Knowing that, your TC_PSS can never be a source on any other interface. It's not directly connected to your PP1 interface so it cannot be a source on PP1. Only the directly connected network can be a source on that interface.
Make sense?
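The point made above (a packet is filtered on the interface it enters, so a network that is not directly connected to PP1 can never be a matching source on PP1's rules) as a small simulation. This is an added example, not code from the thread, from OPNsense or from pf itself; it models only the behaviour described in the reply: floating rules before interface rules, last-match by default, "quick" for first-match, and a last-match default deny. The interface names and addresses are the thread's; the rules and the host addresses are constructed for the example.

```python
"""Toy model of pf filter-rule evaluation as described in the reply above.

Added example, not OPNsense or pf code. It assumes:
  * a packet is filtered on the interface it ENTERS (inbound direction);
  * floating rules are evaluated before the ingress interface's rules;
  * a plain rule is last-match, a "quick" rule stops evaluation (first match);
  * the default deny applies when no other rule has matched.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Directly connected networks per interface (addressing from the thread).
IFACE_NETS = {
    "TC_PSS": ip_network("172.16.200.0/24"),
    "PP1": ip_network("172.16.201.0/24"),
    "PP2": ip_network("172.16.202.0/24"),
    "PP3": ip_network("172.16.203.0/24"),
}


@dataclass
class Rule:
    iface: Optional[str]   # None = floating rule, evaluated on every interface
    action: str            # "pass" or "block"
    src: str               # CIDR network or "any"
    dst: str               # CIDR network or "any"
    quick: bool = False    # True = first match wins


def _matches(rule: Rule, in_iface: str, src: str, dst: str) -> bool:
    if rule.iface is not None and rule.iface != in_iface:
        return False
    if rule.src != "any" and ip_address(src) not in ip_network(rule.src):
        return False
    if rule.dst != "any" and ip_address(dst) not in ip_network(rule.dst):
        return False
    return True


def ingress_interface(src: str) -> str:
    """The interface a packet enters on: the one whose directly connected
    network contains the source address (anything else is treated as WAN)."""
    for name, net in IFACE_NETS.items():
        if ip_address(src) in net:
            return name
    return "WAN"


def evaluate(rules, src: str, dst: str):
    """Return (verdict, deciding rule). Only floating rules and the rules bound
    to the ingress interface are consulted; rules on any other interface are
    never looked at for this packet, which is the point of the reply above."""
    in_iface = ingress_interface(src)
    ordered = [r for r in rules if r.iface is None] + \
              [r for r in rules if r.iface == in_iface]
    decision = ("block", "default deny (last match)")
    for r in ordered:
        if _matches(r, in_iface, src, dst):
            decision = (r.action, f"{r.iface or 'floating'}: {r.action} {r.src} -> {r.dst}")
            if r.quick:
                return decision          # first match wins
    return decision                      # last matching rule (or default deny)


# Constructed rulesets. The "wrong" one puts TC_PSS as the source on PP1, which
# can never match because packets entering PP1 always carry a PP1 source.
WRONG_RULES = [
    Rule("PP1", "pass", "172.16.200.0/24", "172.16.201.0/24", quick=True),
]
# The "right" one filters PP1's own traffic where it enters. The reply coming
# back from TC_PSS is admitted by the state this pass rule creates, so no rule
# on the TC_PSS interface is needed for it.
RIGHT_RULES = [
    Rule("PP1", "pass", "172.16.201.0/24", "172.16.200.0/24", quick=True),
    Rule("PP1", "block", "172.16.201.0/24", "172.16.202.0/24", quick=True),
]


def demo():
    """A PP1 host (constructed address) pinging the TC_PSS gateway, then PP2."""
    return {
        "wrong_to_tcpss": evaluate(WRONG_RULES, "172.16.201.10", "172.16.200.1"),
        "right_to_tcpss": evaluate(RIGHT_RULES, "172.16.201.10", "172.16.200.1"),
        "right_to_pp2": evaluate(RIGHT_RULES, "172.16.201.10", "172.16.202.5"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the misplaced rule falling through to the default deny, while the same intent expressed on the ingress interface passes PP1 to TC_PSS and blocks PP1 to PP2.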

Thank you, that makes a lot of sense.

I have disabled the floating rules and added an any/any on the PP1 and TC_PSS interfaces to confirm routing. I am no longer hitting the default deny but I am still not getting a response. I have also tried PP1-PP2 interfaces and it fails to get a reply. Could this be a routing issue? If so, is there some best practice to get traffic flow between interfaces?

Not sure how you're doing this so I can't say much but would Windows Firewall be involved?
That's usually the culprit between subnets.
If not that, show more pics of your config and I'm sure someone will see something that'll help.