traffic blocked Default deny / state violation rule...SOLVED
mikey4u, Newbie
on: November 17, 2024, 05:36:26 pm
Can't figure out how to solve my problem. OPNsense is blocking traffic from my IoT devices to the MQTT broker. Rules don't change a thing. I am at a loss.
Last Edit: November 17, 2024, 07:21:34 pm by mikey4u
viragomann, Full Member
Reply #1 on: November 17, 2024, 06:02:48 pm
The SYN-ACK flag indicates that the SYN flag didn't pass your OPNsense.
This might be an asymmetric routing issue.
This can happen if one of the involved devices is multi-homed.
Maybe you can provide some details about your network to clarify the issue.
mikey4u, Newbie
Reply #2 on: November 17, 2024, 06:11:11 pm
Thank you so much for the reply.
I am really new to OPNsense. The problem is new, as everything was working fine before.
I have Home Assistant with the Mosquitto MQTT broker, connecting to multiple IoT devices on the same LAN.
It stopped working after an update. Not sure how to proceed.
Please let me know what specifically I can provide. Googling your response now.
viragomann, Full Member
Reply #3 on: November 17, 2024, 06:42:03 pm
So is one of the devices in multiple network segments?
If not, this could also happen due to a wrong network mask on the HA.
meyergru, Hero Member, IT Aficionado
Reply #4 on: November 17, 2024, 06:46:00 pm
It is even more simple than that: Look at the src and dst IPs in your log entry:
192.168.0.149 and 192.168.0.23
THOSE ARE (PRESUMABLY) IN THE SAME SUBNET.
Please refer to this posting, first point.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005, 1100 down / 440 up, Bufferbloat A+
mikey4u, Newbie
Reply #5 on: November 17, 2024, 06:55:57 pm
Here are some of my settings. Not sure it helps. Going to reread the referred post.
So confused right now, and yes, same subnet.
Last Edit: November 17, 2024, 07:09:09 pm by mikey4u
meyergru, Hero Member, IT Aficionado
Reply #6 on: November 17, 2024, 07:06:37 pm
Networking is hard. Try to understand the difference between a bridge and a router. What you seem to try is a kind of middle ground (which does not exist, unless you do a transparent bridge setup):
You presumably have two ports, one of which connects your IoT device(s) and the other your PC(s).
If you aim for a bridged setup, you can use more than one port like a switch (but you have to follow the documentation to set this up). In this case, you cannot filter the traffic between those ports, as all serve the same subnet.
If you aim to filter traffic via routing/firewalling, you need to separate subnets and use (logical or physical) ports for that. But they need to have different subnets, which seems not to be the case here.
Last Edit: November 17, 2024, 07:08:30 pm by meyergru
viragomann, Full Member
Reply #7 on: November 17, 2024, 07:11:07 pm
A network mask of 255.255.255.255 on the HA leads the device to send every packet to the default gateway, while other devices with a correct mask access it directly.
I guess its mask should rather be 255.255.255.0.
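The mechanism the replies above describe (hosts in one subnet talk to each other directly and the firewall never sees that traffic, a /32 mask forces one side to hand every packet to the gateway, and pf only passes a TCP flow whose SYN it has seen), as an added example that is not from the thread or from OPNsense's own code. The two addresses are the ones quoted from the log entry; which of them is the broker, the gateway address 192.168.0.1, the MQTT port 1883 and the client port 50000 are assumptions.

```python
"""Why a wrong netmask on one LAN host produces OPNsense's
"Default deny / state violation rule" block.

Added example, not code from the forum thread or from OPNsense.
Addresses quoted in the thread: 192.168.0.149 (assumed to be the Home
Assistant / Mosquitto broker) and 192.168.0.23 (assumed to be an IoT
client). The gateway 192.168.0.1, port 1883 and port 50000 are assumptions.
"""
import ipaddress
from dataclasses import dataclass

GATEWAY = "192.168.0.1"     # assumed OPNsense LAN address
BROKER = "192.168.0.149"    # assumed Home Assistant / Mosquitto
IOT = "192.168.0.23"        # assumed IoT client
MQTT_PORT = 1883


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK


@dataclass
class Host:
    ip: str
    mask: str  # dotted netmask, e.g. "255.255.255.0"
    gateway: str = GATEWAY

    def next_hop(self, dst: str) -> str:
        """Ordinary IP forwarding decision: 'direct' if dst is on-link
        according to this host's own mask, otherwise the default gateway."""
        net = ipaddress.ip_interface(f"{self.ip}/{self.mask}").network
        return "direct" if ipaddress.ip_address(dst) in net else self.gateway


class StatefulFirewall:
    """Minimal model of pf stateful filtering on the OPNsense LAN interface:
    a TCP flow is passed only if it starts with a SYN the firewall sees;
    anything else without a matching state hits the default deny."""

    def __init__(self):
        self.states = set()
        self.log = []

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.states or rev in self.states:
            return "pass"
        if pkt.flags == "S":
            self.states.add(fwd)   # new flow, state created
            return "pass"
        # SYN-ACK (or anything else) with no state: the log line the OP saw
        self.log.append(
            f"block {pkt.src} -> {pkt.dst}:{pkt.dport} flags {pkt.flags} "
            "Default deny / state violation rule"
        )
        return "block"


def deliver(sender: Host, pkt: Packet, fw: StatefulFirewall) -> str:
    """A packet sent on-link never touches the firewall; a packet sent to
    the gateway is filtered by it."""
    if sender.next_hop(pkt.dst) == "direct":
        return "direct"
    return fw.filter(pkt)


def mqtt_handshake(broker_mask: str) -> dict:
    """IoT device (correct /24) opens TCP 1883 to the broker, whose mask is
    broker_mask. Returns the fate of each handshake leg and the firewall log."""
    broker = Host(BROKER, broker_mask)
    iot = Host(IOT, "255.255.255.0")
    fw = StatefulFirewall()
    syn = Packet(iot.ip, broker.ip, 50000, MQTT_PORT, "S")
    syn_ack = Packet(broker.ip, iot.ip, MQTT_PORT, 50000, "SA")
    legs = {"SYN": deliver(iot, syn, fw), "SYN-ACK": deliver(broker, syn_ack, fw)}
    return {"legs": legs, "connected": "block" not in legs.values(), "log": fw.log}


if __name__ == "__main__":
    for mask in ("255.255.255.255", "255.255.255.0"):
        r = mqtt_handshake(mask)
        print(f"broker mask {mask}: {r['legs']} connected={r['connected']}")
        for line in r["log"]:
            print("  firewall:", line)
```

With the /32 mask the IoT device's SYN goes straight to the broker, so OPNsense never creates a state, and the broker's SYN-ACK, sent to the gateway, is the first packet the firewall sees of that flow and is dropped exactly as the log reported. With the /24 mask neither packet crosses the firewall at all, which is also why no LAN rule could ever have changed the outcome: traffic between two hosts in the same subnet is not something a routing firewall gets to filter.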
mikey4u, Newbie
Reply #8 on: November 17, 2024, 07:20:56 pm
SOLVED
THANK YOU SO MUCH.
You solved my problem. Correct, my network mask was wrong.
Changing it to 255.255.255.0 fixed my problem. Understanding all this is a huge learning curve.
I can't thank you enough. Thank you for taking the time to help me. I have been working on this for 10 hours.
Again, thank you, you made my day. Have a great day.