Spurious default deny despite allow all rule

Started by EricPerl, October 02, 2024, 09:02:52 PM

Hi,
New to OPNsense and first impressions are pretty good.
I may not have started with the easiest configuration but I'm running OPNsense as a transparent filtering bridge, virtualized on a N100 mini-PC with 4 ports, installed between my router and my main switch.
I followed a few different guides, and apart from the FW on OPT1 (management) and the lack of a gateway by default (which prevented me from updating OPNsense before I connected the bridge), I'm at the stage where I verify that the bridge does what it is supposed to do before I enable IDS/IPS.

The only IPv4 rule I have is as simple as it gets:


Yet, here and there, it doesn't seem to apply to some packets and the default deny rule fires:


I can't really figure out what's special about these requests because some very similar ones seem to go through just fine.
All the failed requests I've seen while observing the live view have the following in common:

  • HTTP or HTTPS
  • Originating from wireless clients (never seen one from a wired client)
Nothing is obviously wrong on the clients themselves, possibly because of successful retries.

My existing network is all TP-link managed via Omada, if that matters.
Apart from a few VLANs to isolate clients, the configuration is standard.
Traffic going through the bridge is limited to Internet and inter VLAN plus basic DHCP/DNS/Discovery.

The OPNsense VM was given 2 cores and 4GB of RAM (waiting for a stick to double it) and 32GB of disk space (SSD).
At this point, CPU usage is low.

I'd like to understand what's going on before I enable IDS/IPS.
BTW, kudos for the logging. It's refreshing compared to the TP-link useless logs...
I may end up controlling inter VLAN traffic at the bridge instead of the router/gateway!

Just state violation. It's normal. It can simply be a connection that has been opened too long (according to the default state times). If the clients are working fine, I wouldn't worry about these.

Quote from: cookiemonster on October 02, 2024, 09:40:29 PM
Just state violation. It's normal. It can simply be a connection that has been opened too long (according to the default state times). If the clients are working fine, I wouldn't worry about these.
Ah, so that means that the common characteristic among affected clients is that these don't go to sleep (versus being on Wi-Fi).
And it also explains why the symptom disappeared for a while after I bounced my APs.
I thought about stale connections when I inserted the bridge (which is why I bounced my APs) but I didn't consider plain longstanding/idle connections.

I guess the default state time you refer to is controlled by:
https://docs.opnsense.org/manual/firewall_settings.html#firewall-optimization

Thanks for clearing this up.
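The explanation above (default deny firing on mid-stream segments whose state has expired) can be confirmed from the raw filter log rather than the live view. The following is an added example, not code from the thread or from the OPNsense project: it parses filterlog lines, separates "block" entries into policy blocks (a SYN or a UDP datagram that no rule allowed) and probable state violations (a TCP segment with no SYN flag, i.e. the middle of a conversation pf no longer has a state for), and tallies them per source address so you can see which clients are affected. The CSV field order assumed here (rule number, sub-rule, anchor, label, interface, reason, action, direction, IP version, then the IPv4 header fields, then ports and TCP flags) is the filterlog layout as I know it, and should be checked against your own /var/log/filter/latest.log; the log lines, interface name, labels and addresses below are constructed for the example.

```python
"""Classify OPNsense filterlog 'block' entries as policy blocks or probable state violations."""
import re
from collections import Counter

# Assumed filterlog CSV layout for IPv4 entries (verify against your own filter log).
IPV4_FIELDS = [
    "rulenr", "subrulenr", "anchor", "label", "iface", "reason", "action", "dir", "ipver",
    "tos", "ecn", "ttl", "id", "offset", "flags", "protonum", "protoname", "length", "src", "dst",
]
L4_FIELDS = ["srcport", "dstport", "datalen"]          # present for tcp and udp
TCP_FIELDS = ["tcpflags", "seq", "ack", "window", "urg", "options"]  # present for tcp only

# Constructed sample: two mid-stream segments and one SYN from a wireless client, one mDNS
# datagram, and one inbound SYN from an outside host. Labels are placeholders.
SAMPLE_LOG = """\
Oct  2 21:02:11 opnsense filterlog[8130]: 5,,,defaultdenylabel,bridge0,match,block,in,4,0x0,,64,4242,0,DF,6,tcp,52,192.168.30.25,142.250.74.78,52044,443,0,PA,1234567,7654321,501,,
Oct  2 21:02:12 opnsense filterlog[8130]: 5,,,defaultdenylabel,bridge0,match,block,in,4,0x0,,64,4243,0,DF,6,tcp,40,192.168.30.25,142.250.74.78,52044,443,0,A,1234568,7654321,501,,
Oct  2 21:02:13 opnsense filterlog[8130]: 4,,,allowalllabel,bridge0,match,pass,in,4,0x0,,64,4244,0,DF,6,tcp,60,192.168.30.25,142.250.74.78,52045,443,0,S,99,0,65535,,mss;sackOK;TS;nop;wscale
Oct  2 21:02:14 opnsense filterlog[8130]: 5,,,defaultdenylabel,bridge0,match,block,in,4,0x0,,64,4245,0,DF,17,udp,78,192.168.40.9,192.168.1.1,5353,5353,58
Oct  2 21:02:15 opnsense filterlog[8130]: 5,,,defaultdenylabel,bridge0,match,block,in,4,0x0,,64,4246,0,DF,6,tcp,60,10.9.9.9,192.168.30.25,40000,22,0,S,1,0,65535,,mss
"""


def parse_filterlog(line):
    """Return a dict of named fields for one IPv4 filterlog line, or None if it cannot be parsed."""
    m = re.search(r"filterlog\[\d+\]:\s*(.*)$", line)
    csv = m.group(1) if m else line.strip()
    parts = csv.split(",")
    if len(parts) < len(IPV4_FIELDS) or parts[8] != "4":
        return None  # IPv6 entries use a different header layout; out of scope here
    entry = dict(zip(IPV4_FIELDS, parts))
    rest = parts[len(IPV4_FIELDS):]
    if entry["protoname"] in ("tcp", "udp") and len(rest) >= len(L4_FIELDS):
        entry.update(zip(L4_FIELDS, rest[:len(L4_FIELDS)]))
        rest = rest[len(L4_FIELDS):]
    if entry["protoname"] == "tcp":
        entry.update(zip(TCP_FIELDS, rest))  # zip stops early if trailing fields are absent
    return entry


def classify(entry):
    """Label an entry: 'pass', 'policy-block', 'state-violation' or 'unparsed'.

    A blocked TCP segment without the SYN flag could not have created a state, so if the
    rule set otherwise allows the flow it is a segment pf lost state for (timeout, reboot,
    asymmetric path). A blocked SYN or UDP datagram is a block the rules actually intended.
    """
    if entry is None:
        return "unparsed"
    if entry["action"] != "block":
        return "pass"
    if entry["protoname"] == "tcp" and "S" not in entry.get("tcpflags", ""):
        return "state-violation"
    return "policy-block"


def summarize(log_text):
    """Count entries per class over a whole log."""
    counts = Counter(classify(parse_filterlog(l)) for l in log_text.splitlines() if l.strip())
    return dict(counts)


def sources_with_state_violations(log_text):
    """Map source address -> number of probable state violations, to spot the affected clients."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_filterlog(line)
        if classify(entry) == "state-violation":
            counts[entry["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(sources_with_state_violations(SAMPLE_LOG))
```

Run it against your own log with `python3 classify_filterlog.py < /var/log/filter/latest.log` after swapping SAMPLE_LOG for stdin: if nearly all default-deny hits are in the state-violation bucket and cluster on a few long-lived clients, the thread's diagnosis holds and the knob to look at is the state timeout preset linked above; if SYNs or UDP show up in the block list, a rule really is missing.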