Default deny rule on ssh

Started by baronyoung, November 21, 2023, 08:46:44 PM

November 21, 2023, 08:46:44 PM Last Edit: November 21, 2023, 09:41:23 PM by baronyoung
I'm running default settings pretty much across the board.  I'm unable to ssh from one machine on a LAN subnet to another machine on the same subnet.  In the firewall log I see this:
__timestamp__   2023-11-21T19:43:20
ack   3804592492
action   [block]
anchorname   
datalen   0
dir   [in]
dst   192.168.1.152
dstport   49195
ecn   
id   0
interface   igc1
interface_name   lan
ipflags   DF
ipversion   4
label   Default deny / state violation rule
length   60
offset   0
protoname   tcp
protonum   6
reason   match
rid   02f4bab031b57d1e30553ce08e0ec131
rulenr   5
seq   1985055759
src   192.168.1.50
srcport   22
subrulenr   
tcpflags   SA
tcpopts   
tos   0x0
ttl   64
urp   65160

Again, I've added no rules and it appears the default is to allow all traffic so I'm confused why this is happening.  The "src" IP address above is actually the system I'm trying to ssh TO if that helps.  Any help would be greatly appreciated.

Traffic between two hosts in the same subnet should not touch the firewall. Maybe the subnet mask is misconfigured on the host you're trying to connect to? This could result in the SYN-ACK being sent to the firewall, which causes a state violation.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
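To make the diagnosis above concrete, here is an added example (not code from the thread or from OPNsense) that parses the flattened log entry quoted in the first post, classifies it, and tests the netmask hypothesis. It assumes the LAN is 192.168.1.0/24 (the thread only says "/24"), and the sample entry and the /25 "misconfigured" prefix are constructed for illustration.

```python
import ipaddress

# Constructed sample: the essential fields of the log entry quoted in the
# first post, in the same flattened "key<spaces>value" layout the forum shows.
# "ecn" is included with an empty value to show that those lines parse too.
SAMPLE_ENTRY = """\
__timestamp__   2023-11-21T19:43:20
action   [block]
dir   [in]
dst   192.168.1.152
dstport   49195
ecn
interface_name   lan
label   Default deny / state violation rule
protoname   tcp
src   192.168.1.50
srcport   22
tcpflags   SA
"""


def parse_entry(text):
    """Turn the key/value listing into a dict; keys with no value map to ''."""
    entry = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 1)
        entry[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return entry


def diagnose(entry, lan_network):
    """Return the findings that point at the 'reply reached the gateway' pattern.

    intra-subnet    : both endpoints are inside the LAN, yet the packet arrived
                      on the LAN interface, i.e. a host sent it to the gateway
    state-violation : the default deny / state violation rule matched
    orphan-syn-ack  : a TCP SYN-ACK for which the firewall never saw the SYN
    """
    lan = ipaddress.ip_network(lan_network)
    findings = []
    if entry.get("action") != "[block]":
        return findings
    src = ipaddress.ip_address(entry["src"])
    dst = ipaddress.ip_address(entry["dst"])
    if src in lan and dst in lan and entry.get("dir") == "[in]":
        findings.append("intra-subnet")
    if "state violation" in entry.get("label", "").lower():
        findings.append("state-violation")
    if entry.get("protoname") == "tcp" and entry.get("tcpflags") == "SA":
        findings.append("orphan-syn-ack")
    return findings


def host_would_use_gateway(host_ip, host_prefix, peer_ip):
    """True if a host configured as host_ip/host_prefix treats peer_ip as
    off-link and therefore hands the packet to its default gateway instead
    of delivering it directly (the netmask hypothesis from the reply above)."""
    net = ipaddress.ip_network(f"{host_ip}/{host_prefix}", strict=False)
    return ipaddress.ip_address(peer_ip) not in net


if __name__ == "__main__":
    entry = parse_entry(SAMPLE_ENTRY)
    print("findings:", diagnose(entry, "192.168.1.0/24"))
    # Hypothetical mask on the ssh server 192.168.1.50: /25 would make .152
    # look off-link, /24 (what the poster reports) would not.
    for prefix in (25, 24):
        via_gw = host_would_use_gateway(entry["src"], prefix, entry["dst"])
        print(f"{entry['src']}/{prefix} -> {entry['dst']}: via gateway = {via_gw}")
```

All three findings together on a packet whose source port is 22 describe exactly the picture in the thread: the ssh server answered, but its SYN-ACK went to the firewall's LAN interface rather than straight to the client, and pf dropped it because it had no matching state. The last function shows why a wrong mask would do that and why a correct /24 would not, which is what leads to looking at the client, switch or WLAN path instead.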

I've checked both interfaces on each of the internal hosts and the mask looks fine (/24).  They're both on DHCP (using the same OPNsense for this too), and DHCP is configured correctly as well.  Is there any way to turn off this "SYN-ACK" functionality?  I'm not familiar with that.

You'll have to find out why 192.168.1.50 sends these packets to OPNsense instead of directly to 192.168.1.152. That's beyond the control of OPNsense and more likely a client / switch / WLAN / ... issue.