traffic blocked Default deny / state violation rule...SOLVED

Started by mikey4u, November 17, 2024, 05:36:26 PM

Can't figure out how to solve my problem. OPNsense is blocking traffic from my IoT devices to the MQTT broker. Rules don't change anything. I am at a loss.

The SYN-ACK flag indicates that the SYN flag didn't pass your OPNsense.
This might be an asymmetric routing issue.

This can happen if one of the involved devices is multi-homed.

Maybe you can provide some details about your network to clarify the issue.

Thank you so much for the reply,
I am really new to OPNsense. The problem is new, as everything was working fine before.
I have Home Assistant with MQTT (Mosquitto), connecting to multiple IoT devices on the same LAN.
It stopped working after an update. Not sure how to proceed.
Please let me know what specifically I can provide. Googling your response now.

So is one of the devices in multiple network segments?

If not, this could also happen due to a wrong network mask on the HA.

It is even more simple than that: Look at the src and dst IPs in your log entry:

192.168.0.149 and 192.168.0.23 - THOSE ARE (PRESUMABLY) IN THE SAME SUBNET

Please refer to this posting, first point.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

November 17, 2024, 06:55:57 PM #5 Last Edit: November 17, 2024, 07:09:09 PM by mikey4u
Here are some of my settings, not sure it helps. Going to reread the referred post.
So confused right now, and yes, same subnet.

November 17, 2024, 07:06:37 PM #6 Last Edit: November 17, 2024, 07:08:30 PM by meyergru
Networking is hard. Try to understand the difference between a bridge and a router. What you seem to try is a kind of middle ground (which does not exist - unless you do a transparent bridge setup):

You presumably have two ports, one of which connects your IoT device(s) and the other your PC(s).

If you aim for a bridged setup, you can use more than one port like a switch (but you have to follow the documentation to set this up). In this case, you cannot filter the traffic between those ports, as all serve the same subnet.

If you aim to filter traffic via routing/firewalling, you need to separate subnets and use (logical or physical) ports for that. But they need to have different subnets, which seems not to be the case here.

A network mask of 255.255.255.255 on the HA leads the device to send any packet to the default gateway, while other devices with a correct mask access it directly.
I guess its mask should rather be 255.255.255.0.
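The following is an added illustration, not code from the thread or from OPNsense: a small model of why a /32 netmask produces exactly the "SYN-ACK without SYN" symptom described earlier in the thread. It uses the two addresses from the log (192.168.0.149 taken to be the Home Assistant MQTT broker, 192.168.0.23 an IoT client); the gateway address 192.168.0.1, the broker port 1883 and the client port 50000 are assumptions. Each host decides from its own mask whether to send a frame directly on the LAN or to the gateway, and a minimal stateful filter sitting on the gateway only sees the frames handed to it.

```python
"""Model of the thread's failure mode: a host with netmask 255.255.255.255
hands LAN traffic to its default gateway, so the firewall sees a SYN-ACK
whose SYN it never saw and logs a state violation.

Constructed example. Addresses 192.168.0.149 (HA / MQTT broker, assumed)
and 192.168.0.23 (IoT client) come from the thread; the gateway address,
TCP ports and packet list are assumptions made for the illustration.
"""

import ipaddress

GATEWAY = "192.168.0.1"  # assumed OPNsense LAN address


def next_hop(src_ip, src_mask, dst_ip, gateway=GATEWAY):
    """Where a host's IP stack sends a frame: 'direct' (ARP for the peer on
    the LAN) when dst lies inside the host's own subnet, else the gateway."""
    net = ipaddress.IPv4Network((src_ip, src_mask), strict=False)
    return "direct" if ipaddress.IPv4Address(dst_ip) in net else gateway


def firewall_observe(packets, hosts):
    """Verdicts of a minimal stateful filter that only sees frames sent via
    the gateway. A TCP flow must begin with a SYN seen by the filter; any
    other segment with no matching state is a 'Default deny / state
    violation', which is what the thread's log entry shows."""
    states = set()
    verdicts = []
    for p in packets:
        # Frames delivered directly between LAN hosts never reach the filter.
        if next_hop(p["src"], hosts[p["src"]], p["dst"]) == "direct":
            verdicts.append(("not seen by firewall", p))
            continue
        fwd = (p["src"], p["dst"], p["sport"], p["dport"])
        rev = (p["dst"], p["src"], p["dport"], p["sport"])
        if p["flags"] == "S":
            states.add(fwd)
            verdicts.append(("pass, state created", p))
        elif fwd in states or rev in states:
            verdicts.append(("pass", p))
        else:
            verdicts.append(("block: Default deny / state violation", p))
    return verdicts


def mqtt_handshake():
    """Constructed IoT -> broker TCP handshake on port 1883."""
    iot, ha = "192.168.0.23", "192.168.0.149"
    return [
        {"src": iot, "dst": ha, "sport": 50000, "dport": 1883, "flags": "S"},
        {"src": ha, "dst": iot, "sport": 1883, "dport": 50000, "flags": "SA"},
        {"src": iot, "dst": ha, "sport": 50000, "dport": 1883, "flags": "A"},
    ]


def run(ha_mask):
    """Verdict list for the handshake with the IoT client on /24 and the HA
    host on the given mask."""
    hosts = {"192.168.0.23": "255.255.255.0", "192.168.0.149": ha_mask}
    return [verdict for verdict, _ in firewall_observe(mqtt_handshake(), hosts)]


if __name__ == "__main__":
    print("HA mask 255.255.255.255:", run("255.255.255.255"))
    print("HA mask 255.255.255.0:  ", run("255.255.255.0"))
```

With the wrong mask, the client's SYN goes straight to the broker over the switch, but the broker's SYN-ACK is addressed to the gateway MAC and hits the firewall with no state behind it, which is the blocked SYN-ACK from .149 to .23 in the original log. With 255.255.255.0 on both hosts, every segment stays on the LAN and the firewall never sees the flow at all.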

SOLVED

THANK YOU SOOO MUCH.
You solved my problem. Correct, my network mask was wrong.
Changing it to 255.255.255.0 fixed my problem. Understanding all this is a huge learning curve.
I can't thank you enough. Thank you for taking the time to help me. Been working on this for 10 hours.
Again, thank you, you made my day. Have a great day.