PF blocking local LAN

Started by lilsense, February 24, 2024, 07:04:06 PM

I am unable to connect to pihole on a local network but I am able to from another LAN.

local machine's IP:  10.10.10.234
pihole IP: 10.10.10.10

I am able to connect to the pihole from IP: 10.13.10.119

When troubleshooting and looking at live logs I see:


__timestamp__ 2024-02-24T12:50:44-05:00
ack 3692531448
action [block]
anchorname
datalen 0
dir [in]
dst 10.10.10.234
dstport 60517
ecn
id 0
interface vlan03
interface_name INTLOCAL
ipflags DF
ipversion 4
label Default deny / state violation rule
length 60
offset 0
protoname tcp
protonum 6
reason match
rid 02f4bab031b57d1e30553ce08e0ec131
rulenr 21
seq 87346160
src 10.10.10.10
srcport 80
subrulenr
tcpflags SA
tcpopts
tos 0x0
ttl 64
urp 65160


When I click on the rid to show me the rule, it just pops up and vanishes.

Wi-Fi with AP isolation turned on? That would prevent clients in the same LAN from talking to anything but the GW

The vlan 10.10.10 is wired. The 10.13.10 is wireless, but the AP isolation is not on the opnsense.

There's no FW involved between hosts in the same lan/vlan. You could take out the FW and the traffic would continue to flow between the hosts in said (v)lan.

If one of your machines sends the traffic to the default GW that means said machine sees itself in a different network segment, so not everything might be in 10.10.10.0/24

All the VLAN devices are on a Trunk. Also, I have no issues connecting to any other device on the 10.10.10.0/24 subnet which is quite odd.

If we're talking about a /24 LAN then check your PI's netmask config. No router should see that kind of traffic being blocked as it should never reach the router. Unless your communication partner sends everything to the router instead of the network segment itself.

If we're not talking about a /24 or a value smaller, please provide that info.

It's set properly and I can access that IP from various subnets.

You obviously can't access your own subnet from your PI. Terms like "properly" don't seem to fit here, don't you agree?

February 25, 2024, 05:33:39 PM #8 Last Edit: February 25, 2024, 09:11:38 PM by lilsense
Pihole can reach all the VLANs and devices... all the devices are able to use the Pihole to get on the net with the exception of one.

Does the rid field work for anyone?


I am unable to pull any information using this field.

You're way off track chasing rids, you've been told twice already.

Fastest way to solve this is to create a DHCP reservation for the pi, and then set the pi interface to DHCP

It's already there... but Thanks.

I'll roll it back again to when everything was working 23.1.11.


For this particular issue any firewall from any manufacturer should be 100% as "defective"

Either that or there's something else happening there you're not saying...

> Can can reach all the VLAN's and devices...

I care for your problem as much as you do for my answers. So, good luck

February 26, 2024, 10:03:30 PM #14 Last Edit: February 26, 2024, 10:33:25 PM by lilsense
It's very easy to brush off saying "blah, blah..." yet not answer as to why the firewall is logging the block of an intra-vlan communication. It's even worse when you have to rely on the GUI more than the command line...

Edit: Identified rules blocking:

block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"
block drop in log inet6 all label "02f4bab031b57d1e30553ce08e0ec131"

not sure what groups they are under or if this is the last rule as the IP's do not fall into any cat????

edit2: more info

block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"
  [ Evaluations: 8232      Packets: 83        Bytes: 6006        States: 0     ]
  [ Inserted: uid 0 pid 76503 State Creations: 0     ]
block drop in log inet6 all label "02f4bab031b57d1e30553ce08e0ec131"
  [ Evaluations: 8329      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 76503 State Creations: 0     ]