Strange blocking of internal traffic

Started by canus, February 17, 2023, 04:17:35 PM

Hi All,

My OPNsense instance has bizarre behavior. The same connection from a client in the LAN to the server network will be allowed and blocked. I can access the services, but there are a lot of problems, and I see a lot of TCP retransmissions.

Software:
Versions: OPNsense 23.1.1_2-amd64
FreeBSD 13.1-RELEASE-p6
OpenSSL 1.1.1t 7 Feb 2023

Hardware:
NIC: Ethernet Controller E810-XXV for SFP
Driver: Intel ice

Networking:
LAGG protocol LACP, with VLANs on the LAGG.

The network 172.23.23.0/24 has full permissions to 172.23.0.0/24.

Firewall: Log Files: Live View:

lan 2023-02-17T16:10:51 172.23.23.23:56295 172.23.0.2:443 tcp Default deny / state violation rule
lan 2023-02-17T16:10:49 172.23.23.23:56295 172.23.0.2:443 tcp Default deny / state violation rule
lan 2023-02-17T16:10:48 172.23.23.23:56317 172.23.0.2:443 tcp Default allow LAN to any rule
lan 2023-02-17T16:10:48 172.23.23.23:56316 172.23.0.2:443 tcp Default allow LAN to any rule
lan 2023-02-17T16:10:48 172.23.23.23:56315 172.23.0.2:443 tcp Default allow LAN to any rule
lan 2023-02-17T16:10:48 172.23.23.23:56314 172.23.0.2:443 tcp Default allow LAN to any rule
lan 2023-02-17T16:10:48 172.23.23.23:56295 172.23.0.2:443 tcp Default deny / state violation rule
lan 2023-02-17T16:10:48 172.23.23.23:56295 172.23.0.2:443 tcp Default deny / state violation rule
lan 2023-02-17T16:10:48 172.23.23.23:56313 172.23.0.2:443 tcp Default allow LAN to any rule
lan 2023-02-17T16:10:47 172.23.23.23:56295 172.23.0.2:443 tcp Default deny / state violation rule

February 17, 2023, 08:42:38 PM #1 by axsdenied

Sure it's not a port blocking issue? It only shows blocks for the origin address with port 56295.
OPNsense 24.7.7 running on:
Dell Optiplex 3050
Intel I5-7600 @ 3.5Ghz (4 Cores)
Intel I350-T4 Nic
8G DDR4
256G SSD

February 17, 2023, 09:30:32 PM #2 Last Edit: February 17, 2023, 09:45:45 PM by canus
Quote from: axsdenied on February 17, 2023, 08:42:38 PM
Sure it's not a port blocking issue? Shows the only blocks for the origin address with port 56295.

Yes, I am pretty sure I did not block that port. It all comes from the rule "Default deny / state violation rule", which is autogenerated and executes last.

It's also only a short sample of the logging. You will see all the allow and block actions interleaved like this.

Probably out-of-state packets.
What are the TCP flags of the denied packets? If they are FA, RA, FPA, PA and the like, they are just connection-teardown packets that got dropped because they are out of state.
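As an added example (not code from the thread or from OPNsense), here is a small Python script that groups Live View lines like the ones quoted above by 5-tuple and lists the flows that only ever hit the state-violation rule during the window; the sample lines are constructed in the same format as the post's log, and the format assumption (interface, timestamp, src:port, dst:port, proto, rule label) is mine.

```python
import re
from collections import defaultdict

# Constructed sample in the Live View format quoted in the thread:
# interface, timestamp, src:port, dst:port, proto, rule label.
SAMPLE = """\
lan 2023-02-17T16:10:51 172.23.23.23:56295 172.23.0.2:443 tcp Default deny / state violation rule
lan 2023-02-17T16:10:48 172.23.23.23:56317 172.23.0.2:443 tcp Default allow LAN to any rule
lan 2023-02-17T16:10:48 172.23.23.23:56316 172.23.0.2:443 tcp Default allow LAN to any rule
lan 2023-02-17T16:10:48 172.23.23.23:56295 172.23.0.2:443 tcp Default deny / state violation rule
lan 2023-02-17T16:10:47 172.23.23.23:56295 172.23.0.2:443 tcp Default deny / state violation rule
"""

# Assumed line layout (see lead-in); anything else is skipped.
LINE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+):(\d+) (\S+) (.+)$")


def parse(text):
    """Yield one dict per parsable Live View line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        iface, ts, src, sport, dst, dport, proto, label = m.groups()
        yield {"iface": iface, "ts": ts, "src": src, "sport": int(sport),
               "dst": dst, "dport": int(dport), "proto": proto, "label": label}


def summarize(text):
    """Count allow/deny decisions per 5-tuple and keep the time range seen."""
    flows = defaultdict(lambda: {"allow": 0, "deny": 0, "first": None, "last": None})
    for e in parse(text):
        f = flows[(e["src"], e["sport"], e["dst"], e["dport"], e["proto"])]
        f["deny" if "deny" in e["label"].lower() else "allow"] += 1
        f["first"] = e["ts"] if f["first"] is None else min(f["first"], e["ts"])
        f["last"] = e["ts"] if f["last"] is None else max(f["last"], e["ts"])
    return dict(flows)


def deny_only_flows(text):
    """Flows that are only ever denied in the window. Their state was created
    before the sample or has already been torn down, which is what late
    FIN/RST/ACK stragglers hitting the state-violation rule look like; a rule
    that blocked the port would hit new, otherwise allowed flows as well."""
    return sorted(k for k, f in summarize(text).items() if f["deny"] and not f["allow"])


if __name__ == "__main__":
    for key, f in summarize(SAMPLE).items():
        print(key, f)
    print("deny-only flows:", deny_only_flows(SAMPLE))
```

Feed it a longer export from the Live View to see whether the denies cluster on a few long-lived source ports (state timeouts or teardown stragglers) or spread over every new connection (a real rule problem).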