Default deny / state violation rule takes precedence over a custom rule

Started by u89, June 19, 2023, 02:24:12 AM

Hello. I have several VLANs. I want to allow vlan70 to access a host in vlan99 over SSH. Sounds easy, so I created a rule (img1).

I tried to SSH to the host from vlan70 to vlan99 and it worked, but the SSH connection freezes after a few seconds. The OPNsense live view log is attached as img2.

So at first my rule allows the connection, but after several seconds the auto-generated rule "Default deny / state violation rule" (img3) blocks the traffic. Why is that?

After you were done with your rules, did you wipe your state table?

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD


You did put the rule under the VLAN interface in Firewall > Rules > VLAN, correct?

To me your rule looks alright.

The default deny/state violation has two functions I believe.

  • Deny any explicitly not permitted traffic
  • Deny session in case of a violation

In the FW world, if you have a session/state open on the FW while the same source IP/port towards the same destination IP/port wants to open a new connection, this will be dropped by the FW, aka a violation. You cannot open a new session if the old one is present.

Maybe the issue you are having is related to the server or client side. It could be a case where you successfully establish the connection, but then for some reason the client/server hangs up/closes it without notifying the other side with the correct TCP flag.


You can check whether, during the issue, you still see the session present and what its state is (Established, etc.).

Also, from the client and server side, can you check ARP? Do you learn the ARP bindings dynamically? Does the ARP table have the correct binding?

Regards,
S.

Quote from: Seimus on June 19, 2023, 02:09:49 PM
You did put the rule under the VLAN interface in Firewall > Rules > VLAN, correct?

To me your rule looks alright.

The default deny/state violation has two functions I believe.

  • Deny any explicitly not permitted traffic
  • Deny session in case of a violation

In the FW world, if you have a session/state open on the FW while the same source IP/port towards the same destination IP/port wants to open a new connection, this will be dropped by the FW, aka a violation. You cannot open a new session if the old one is present.

I don't think this is quite correct. Multiple sessions from the same origin and destination over the same port are normally allowed. The firewall will see each as a different connection and keep track of them, no problem.
The placement of the rule is a good shout.
Assuming the rule is on the right interface, that leaves SSH. Maybe a keepalive needs tweaking in the server config. Expanding the blocked entry might show the TCP flags that caused the block.

Yes, the rule is under the VLAN interface in Firewall > Rules > VLAN.

What I noticed in live view is that only TCP S flags (SYN) are allowed, while A (ACK) are being blocked.

On the server side (it's a Proxmox server with 3 VLANs configured, 70, 71 and 99, via one NIC bridge), when I SSH from a client in VLAN70 to the server's IP address in VLAN70 everything is OK, but the issue occurs when reaching the VLAN99 Proxmox address from VLAN70. Here are 2 sessions; the first one works fine, the second is frozen:


# netstat -pant | grep ssh
tcp        0      0 192.168.70.10:22        192.168.70.103:34538    ESTABLISHED 2257291/sshd: root@
tcp        0   3604 192.168.99.10:22        192.168.70.103:54188    ESTABLISHED 2254739/sshd: root@


The ARP table for my Proxmox is attached below. As I'm not a network expert, please let me know what outputs and commands could be valuable for diagnosing the problem.

Sorry, I'm not clear what the network plan/topology is, so I can't comment.
For instance, where are the VLANs defined? On the hypervisor, OPN? And where are the firewalls involved? Proxmox has its own firewall. Then, what firewall rules are set, and where?
Adding VLANs in Proxmox to the thread now turns everything on its head :)

Either disable state tracking for that rule or find out (and fix) why your traffic is not symmetric.


Cheers,
Franco
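The symptom described above (SYN passed by the custom rule, later ACK-only packets hitting the default deny / state violation rule, and a non-zero Send-Q on the server's frozen session) can be checked mechanically. The script below is an added example, not code from the thread or from OPNsense: it correlates a simplified, constructed export of firewall log lines with the server's netstat output and flags flows whose state the firewall has lost mid-session. The log column layout, the rule name `allow-ssh-70-to-99`, the client port 41000 and the third netstat line are assumptions constructed for the example; the first two netstat lines are the ones posted in the thread.

```python
"""Correlate firewall log entries with server-side netstat output to spot
TCP sessions whose state the firewall has lost (added example, not from the
thread or from OPNsense)."""
from collections import defaultdict

DEFAULT_DENY = "Default deny / state violation rule"

# Constructed, simplified log export: action,rule,interface,proto,src,dst,flags
# (a real OPNsense live-view export carries more columns; the logic is the same).
FW_LOG = """\
pass,allow-ssh-70-to-99,vlan70,tcp,192.168.70.103:54188,192.168.99.10:22,S
pass,allow-ssh-70-to-99,vlan70,tcp,192.168.70.103:54188,192.168.99.10:22,A
pass,allow-ssh-70-to-99,vlan70,tcp,192.168.70.103:54188,192.168.99.10:22,PA
block,Default deny / state violation rule,vlan70,tcp,192.168.70.103:54188,192.168.99.10:22,A
block,Default deny / state violation rule,vlan70,tcp,192.168.70.103:54188,192.168.99.10:22,A
block,Default deny / state violation rule,vlan70,tcp,192.168.70.103:54188,192.168.99.10:22,PA
pass,allow-ssh-70-to-99,vlan70,tcp,192.168.70.103:41000,192.168.99.10:22,S
pass,allow-ssh-70-to-99,vlan70,tcp,192.168.70.103:41000,192.168.99.10:22,A
pass,allow-ssh-70-to-99,vlan70,tcp,192.168.70.103:41000,192.168.99.10:22,PA
"""

# Server-side `netstat -pant | grep ssh`: the first two lines are the thread's
# own output, the third is a constructed healthy cross-VLAN session.
NETSTAT = """\
tcp        0      0 192.168.70.10:22        192.168.70.103:34538    ESTABLISHED 2257291/sshd: root@
tcp        0   3604 192.168.99.10:22        192.168.70.103:54188    ESTABLISHED 2254739/sshd: root@
tcp        0      0 192.168.99.10:22        192.168.70.103:41000    ESTABLISHED 2254801/sshd: root@
"""


def parse_fw_log(text):
    """One dict per log line; the flow key is (client, server) as the firewall saw it."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        action, rule, iface, proto, src, dst, flags = line.split(",")
        entries.append({"action": action, "rule": rule, "iface": iface,
                        "proto": proto, "flow": (src, dst), "flags": flags})
    return entries


def parse_netstat(text):
    """Map (client, server) -> Send-Q bytes. netstat's local address is the
    server side and its foreign address the client, so the key is swapped."""
    queues = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp":
            continue
        _proto, _recv_q, send_q, local, foreign, _state = fields[:6]
        queues[(foreign, local)] = int(send_q)
    return queues


def diagnose(fw_log_text, netstat_text):
    """Flag flows whose SYN was passed by a custom rule but whose later
    packets hit the default deny / state violation rule."""
    per_flow = defaultdict(lambda: {"syn_passed": False, "blocked_after_syn": 0,
                                    "passed": 0})
    for e in parse_fw_log(fw_log_text):
        f = per_flow[e["flow"]]
        if e["action"] == "pass":
            f["passed"] += 1
            if e["flags"] == "S":
                f["syn_passed"] = True
        elif e["action"] == "block" and e["rule"] == DEFAULT_DENY and "S" not in e["flags"]:
            # A mid-stream packet (no SYN) with no matching state: the firewall
            # either never created the state or has already torn it down.
            f["blocked_after_syn"] += 1

    send_queues = parse_netstat(netstat_text)
    findings = []
    for flow, f in per_flow.items():
        if not (f["syn_passed"] and f["blocked_after_syn"]):
            continue
        send_q = send_queues.get(flow, 0)
        verdict = ("state lost mid-session: likely an asymmetric path (the firewall "
                   "does not see both directions) or a state torn down early")
        if send_q > 0:
            verdict += f"; server has {send_q} unacked bytes queued, so its replies are not getting through"
        findings.append({"flow": flow, "blocked_after_syn": f["blocked_after_syn"],
                         "send_q": send_q, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in diagnose(FW_LOG, NETSTAT):
        print(f"{finding['flow'][0]} -> {finding['flow'][1]}: {finding['verdict']}")
```

Only the 192.168.99.10:54188 session is flagged: its SYN was passed, three later packets without SYN were dropped by the default rule, and the server shows 3604 bytes waiting in Send-Q, which is exactly the "connection freezes after a few seconds" picture. The healthy 41000 session and the same-VLAN 70.10 session (which never crosses the firewall) produce no finding.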

Quote from: u89 on June 19, 2023, 03:47:08 PM
Yes, the rule is under the VLAN interface in Firewall > Rules > VLAN.

What I noticed in live view is that only TCP S flags (SYN) are allowed, while A (ACK) are being blocked.

In addition to what was already advised above: how is your rule configured in more depth? Did you also set in your rule which TCP flags are permitted?

When you check the OPN documentation https://docs.opnsense.org/manual/firewall.html#advanced
By any chance, didn't you also specify something from the Advanced attributes like "TCP Flags"?

TCP flags
If specific TCP flags need to be set or unset, you can specify those here.

In regard to state tracking:

State Type
Influences the state tracking mechanism used; the following options are available. When in doubt, it's usually best to preserve the default, keep state.

    Keep state ‣ is used for stateful connection tracking.

    Sloppy state ‣ works like keep state, but it does not check sequence numbers. Use it when the firewall does not see all packets.

    Synproxy state ‣ proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state combined.

    None ‣ Do not use state mechanisms to keep track.



Regards,
S.