OPNsense matches wrong Firewall rule to State information

Started by _Alchemist_, August 02, 2023, 07:54:56 PM

Hello everyone,

I was just looking through my OPNsense firewall rules and OpenVPN settings and noticed that even though all my OpenVPN users connect to WAN2 and use WAN1 as a fallback, in "Firewall: Diagnostics: States", OPNsense shows that the states are being matched to the WAN1 rule:

https://imgur.com/a/CS07KQK

But that isn't true, as the addresses on the WAN interfaces show:

https://imgur.com/a/ZsbAIQZ

The firewall rules are named according to which interface they are on:

https://imgur.com/a/QpJuWfp
https://imgur.com/a/PSJGW0t

I even ran tcpdump and got this as a result:

WAN1


root@opnsense:~ % tcpdump -i pppoe0 port 1194 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pppoe0, link-type NULL (BSD loopback), capture size 262144 bytes
^C
0 packets captured
378145 packets received by filter
0 packets dropped by kernel


WAN2


root@opnsense:~ % tcpdump -i igb1 port 1194 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
--- snip ---
sudo tcpdump -i igb1 port 1194 -n
19:10:03.658113 IP 217.225.###.###.63282 > 95.208.###.##.1194: UDP, length 64
19:10:03.658116 IP 217.225.###.###.63282 > 95.208.###.##.1194: UDP, length 156
19:10:03.658564 IP 95.208.###.##.1194 > 217.225.###.###.63282: UDP, length 192
19:10:03.731677 IP 217.225.###.###.63282 > 95.208.###.##.1194: UDP, length 64
19:10:05.631989 IP 217.225.###.###.51180 > 95.208.###.##.1194: UDP, length 117
19:10:05.632005 IP 217.225.###.###.51180 > 95.208.###.##.1194: UDP, length 117
19:10:05.632008 IP 217.225.###.###.51180 > 95.208.###.##.1194: UDP, length 117
19:10:11.542748 IP 217.225.###.###.59780 > 95.208.###.##.1194: UDP, length 40
19:10:11.542840 IP 95.208.###.##.1194 > 217.225.###.###.59780: UDP, length 40
19:10:11.798099 IP 95.208.###.##.1194 > 217.225.###.###.51180: UDP, length 40
19:10:11.803840 IP 217.225.###.###.63282 > 95.208.###.##.1194: UDP, length 156
19:10:11.804513 IP 95.208.###.##.1194 > 217.225.###.###.63282: UDP, length 192
19:10:11.826767 IP 217.225.###.###.63282 > 95.208.###.##.1194: UDP, length 136
19:10:11.827436 IP 95.208.###.##.1194 > 217.225.###.###.63282: UDP, length 136
19:10:11.905935 IP 217.225.###.###.63282 > 95.208.###.##.1194: UDP, length 64
19:10:15.637783 IP 217.225.###.###.51180 > 95.208.###.##.1194: UDP, length 40
19:10:17.181198 IP 217.225.###.###.63282 > 95.208.###.##.1194: UDP, length 156
19:10:17.181655 IP 95.208.###.##.1194 > 217.225.###.###.63282: UDP, length 192
19:10:17.256555 IP 217.225.###.###.63282 > 95.208.###.##.1194: UDP, length 64
--- snip ---
^C
4481 packets captured
4881 packets received by filter
0 packets dropped by kernel


This is kind of annoying because it makes it really hard to analyze and troubleshoot my firewall rules in the OPNsense GUI because I can't trust what's being displayed. Everything else is working as it should though, so this doesn't affect anything else.

Some additional information:
- Both WAN interfaces have IPv4 outbound NAT rules.
- Both firewall rules use the Gateway "default".
- I am currently using OPNsense 23.1.11-amd64.

Now to my question: Is this a known problem and is there a fix?
OPNsense: Intel Core i5-6500, 16 GB RAM, 2x 120GB SSD ZFS-mirror, 4x Intel i350-T4
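The tcpdump captures above are the ground truth for which interface actually carries the OpenVPN traffic, while the GUI state table is what is in doubt. The following script is an added example (not part of the post and not OPNsense code) that parses tcpdump lines in the exact format shown, groups them into client/server flows per interface, and reports which interface saw port 1194 packets, so the result can be compared against the rule the state table claims matched. The sample capture is constructed from the post's lines with the redacted octets (###) replaced by placeholder digits; the interface names pppoe0 and igb1 are the ones from the post. The same flow key (client address, client port, server address) is what `pfctl -vvss` prints per state, so the per-flow output lines up with a CLI state dump for cross-checking.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the post's WAN2 (igb1) capture; the
# redacted ### octets are replaced with placeholder digits so the lines parse.
SAMPLE_WAN2 = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
19:10:03.658113 IP 217.225.0.1.63282 > 95.208.0.2.1194: UDP, length 64
19:10:03.658116 IP 217.225.0.1.63282 > 95.208.0.2.1194: UDP, length 156
19:10:03.658564 IP 95.208.0.2.1194 > 217.225.0.1.63282: UDP, length 192
19:10:05.631989 IP 217.225.0.1.51180 > 95.208.0.2.1194: UDP, length 117
19:10:11.542748 IP 217.225.0.1.59780 > 95.208.0.2.1194: UDP, length 40
19:10:11.542840 IP 95.208.0.2.1194 > 217.225.0.1.59780: UDP, length 40
"""
# The post's WAN1 (pppoe0) capture contained no packet lines at all.
SAMPLE_WAN1 = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pppoe0, link-type NULL (BSD loopback), capture size 262144 bytes
"""

# One tcpdump -n packet line: "<ts> IP <src>.<sport> > <dst>.<dport>: <proto>, length <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<proto>\w+), length (?P<len>\d+)$"
)


def parse_tcpdump(text):
    """Yield one dict per packet line; banner and summary lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkt = m.groupdict()
        for field in ("sport", "dport", "len"):
            pkt[field] = int(pkt[field])
        yield pkt


def summarize_flows(text, service_port=1194):
    """Group packets into flows keyed by (client_ip, client_port, server_ip).

    'in' counts client->server packets, 'out' counts server->client packets,
    so a flow with in > 0 and out == 0 is a client that never got an answer
    on this interface.
    """
    flows = defaultdict(lambda: {"in": 0, "out": 0, "bytes": 0})
    for p in parse_tcpdump(text):
        if p["dport"] == service_port:
            key = (p["src"], p["sport"], p["dst"])
            flows[key]["in"] += 1
        elif p["sport"] == service_port:
            key = (p["dst"], p["dport"], p["src"])
            flows[key]["out"] += 1
        else:
            continue  # unrelated traffic captured by a wider filter
        flows[key]["bytes"] += p["len"]
    return dict(flows)


def interface_carrying_service(captures, service_port=1194):
    """captures: {interface_name: tcpdump_text}.

    Return [(interface, packet_count), ...] for interfaces that actually saw
    service_port traffic, busiest first. An interface the GUI attributes states
    to but which is absent from this list did not carry the packets.
    """
    counts = Counter()
    for ifname, text in captures.items():
        flows = summarize_flows(text, service_port)
        counts[ifname] = sum(f["in"] + f["out"] for f in flows.values())
    return [(ifname, n) for ifname, n in counts.most_common() if n > 0]


if __name__ == "__main__":
    captures = {"pppoe0": SAMPLE_WAN1, "igb1": SAMPLE_WAN2}
    for ifname, n in interface_carrying_service(captures):
        print(f"{ifname}: {n} packets on port 1194")
        for key, f in summarize_flows(captures[ifname]).items():
            print(f"  client {key[0]}:{key[1]} -> {key[2]}  in={f['in']} out={f['out']} bytes={f['bytes']}")
```

Run it against real output by saving each `tcpdump -i <if> port 1194 -n` session to a file per interface and passing the file contents in the `captures` dict; a state the GUI attributes to the WAN1 rule whose client tuple only ever appears in the igb1 flow list is exactly the mismatch the post describes.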