Firewall is blocking outbound traffic despite having destination any

Started by shaam, July 19, 2025, 10:59:43 PM

Hello community,
Over the last few days, I have been noticing a weird issue with the OPNsense firewall. It's blocking outbound traffic intermittently. I don't know when it started, but I noticed it two days ago when trying to install a package in a VM. It works for a few minutes, then blocks the traffic, then works again. It's going on and off. I have a rule for the LAN interface with any destination, but it's blocking the traffic. I thought it might be a bug, so I updated the OPNsense instance, but I am still having the issue. Do I need to add any additional rules or update the existing ones? I am attaching screenshots of the rule and the traffic screen. Can someone please help? Thanks,

Can you provide more information about your system?

Are you OPNsense latest, 25.1.11? Is your 'LAN net' 192.168.50.0/24? How is WAN configured and what is the host system the VM is running on? How have you configured the host interfaces the VM is running on? What other firewall rules do you have: floating, NAT, port forwarding, limiters?

On LAN you have the default allow-all from 'LAN net' rules for IPv4 and IPv6 which does allow all traffic from the 'LAN net' to everywhere.
Deciso DEC740

Yes, it's the latest, 25.1.11. The LAN subnet is 192.168.1.0/24, and 192.168.50.0/24 is a VLAN. LAN and VLAN have the same rule, which allows all traffic to everywhere. The VM is running on RHEL9. It has DNS, NRPE and SSH services allowed, and ports 5666/tcp, 1514/tcp, 1515/tcp, 55000/tcp, 123/udp and 4460/tcp allowed from the firewall. The VM interface is configured with the static IP 192.168.50.202 and gateway 192.168.50.1, and IPv6 is disabled. I don't have any other firewall rules; it has its default rules. Attaching screenshots for WAN and NAT. Thanks

Quote from: shaam on July 20, 2025, 11:48:33 PM
The LAN subnet is 192.168.1.0/24, and 192.168.50.0/24 is a VLAN
If your 'LAN net' is 192.168.1.0/24 then traffic originating from VLAN 192.168.50.0/24 is not allowed with the rule you have. And that's what you are seeing in the screenshot from the first post: source 192.168.50.202 (but on LAN), direction in. Since you only allow 'LAN net' as source, the traffic is blocked.

I'd say you have an issue with the VLAN configuration.

Quote: VM interface configured with static IP 192.168.50.202, and Gateway 192.168.50.1
192.168.50.0/24 is on WAN?
Deciso DEC740
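The point made above, that a packet from 192.168.50.202 arriving on the LAN interface matches no pass rule and hits the default deny, while the same host arriving on the VLAN interface passes, can be modelled in a few lines. This is an added example, not OPNsense code or anything the posters wrote; the interface names ("lan", "vlan50"), the rule list and the sample addresses are constructed to mirror the thread.

```python
"""Toy model of per-interface rule matching as described in the thread.
Added example; interface names, rules and sample packets are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    iface: str    # interface the rule is bound to
    src: str      # allowed source network (the 'LAN net' style alias)
    action: str   # "pass" or "block"


# The two allow-all rules the thread describes; anything unmatched falls
# through to the implicit default deny that the firewall applies.
RULES = [
    Rule("lan", "192.168.1.0/24", "pass"),      # 'LAN net' -> any
    Rule("vlan50", "192.168.50.0/24", "pass"),  # 'VLAN50 net' -> any
]


def evaluate(iface: str, src_ip: str) -> tuple[str, str]:
    """Return (action, reason) for an inbound packet on `iface` from `src_ip`.
    First matching rule on that interface wins; no match means default deny."""
    src = ip_address(src_ip)
    for rule in RULES:
        if rule.iface == iface and src in ip_network(rule.src):
            return rule.action, f"matched source '{rule.src}' on {iface}"
    return "block", f"no rule on {iface} allows source {src_ip} (default deny)"


def explain_mismatch(src_ip: str, seen_on: str, expected: str) -> str:
    """Describe the symptom from the thread: a host that should arrive on the
    VLAN interface shows up untagged on LAN (e.g. a switch access port whose
    PVID is not the VLAN id), so the LAN rule set, not the VLAN one, decides."""
    action, reason = evaluate(seen_on, src_ip)
    fixed_action = evaluate(expected, src_ip)[0]
    return (f"{src_ip} seen on {seen_on}: {action} ({reason}); "
            f"same host arriving on {expected}: {fixed_action}")


if __name__ == "__main__":
    # Constructed samples using the thread's addresses.
    print(evaluate("lan", "192.168.1.10"))        # pass
    print(evaluate("lan", "192.168.50.202"))      # block: the screenshot symptom
    print(evaluate("vlan50", "192.168.50.202"))   # pass: what a correct PVID yields
    print(explain_mismatch("192.168.50.202", "lan", "vlan50"))
```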

You followed all advice here?

BTW: If you absolutely need the VLAN, because you do not have enough physical adapters, I would still configure two vtnet adapters for LAN and WAN, i.e. I would separate the VLAN out at the Proxmox level. That is because of point 3 here.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: patient0 on July 21, 2025, 07:17:42 AM
Quote from: shaam on July 20, 2025, 11:48:33 PM
The LAN subnet is 192.168.1.0/24, and 192.168.50.0/24 is a VLAN
If your 'LAN net' is 192.168.1.0/24 then traffic originating from VLAN 192.168.50.0/24 is not allowed with the rule you have. And that's what you are seeing in the screenshot from the first post: source 192.168.50.202 (but on LAN), direction in. Since you only allow 'LAN net' as source, the traffic is blocked.

I'd say you have an issue with the VLAN configuration.

Quote: VM interface configured with static IP 192.168.50.202, and Gateway 192.168.50.1
192.168.50.0/24 is on WAN?
In order to make it work, do I need to include VLAN50 in the source for LAN?
No, 192.168.50.0/24 is not on WAN. It's a VLAN. I am attaching the screenshots for the VLAN. What configuration needs to change? Thanks,

Quote from: shaam on July 22, 2025, 04:45:34 AM
In order to make it work, do I need to include VLAN50 in the source for LAN?
No, that is not necessary. Traffic from VLAN50 should never appear as the source on the LAN interface. The VLAN configuration on the switches is not how it should be. Can you provide a diagram of your network, the switch VLAN configuration and how the client is connected (as a VM? Host OS, interfaces/bridges?)


Have you read the link @meyergru posted? It is strongly recommended not to have tagged and untagged traffic on the same interface.
Deciso DEC740

Quote from: patient0 on July 23, 2025, 06:38:50 AM
Quote from: shaam on July 22, 2025, 04:45:34 AM
In order to make it work, do I need to include VLAN50 in the source for LAN?
No, that is not necessary. Traffic from VLAN50 should never appear as the source on the LAN interface. The VLAN configuration on the switches is not how it should be. Can you provide a diagram of your network, the switch VLAN configuration and how the client is connected (as a VM? Host OS, interfaces/bridges?)


Have you read the link @meyergru posted? It is strongly recommended not to have tagged and untagged traffic on the same interface.
Yes, I read his recommendation. The VLAN port is 6, which is untagged. The client VM (RHEL9) is connected to port 6 of the switch. Here is a screenshot of the switch configuration. Thanks

Quote from: shaam on July 26, 2025, 10:58:43 PM
Yes, I read his recommendation.
One of the points in it is that you don't run tagged and untagged traffic on the same port, but on port 1 that is what you are doing. If you have enough ports on your OPNsense router then it's best to move all the VLANs onto their own port and leave only the untagged traffic on port 1.

Quote from: shaam on July 26, 2025, 10:58:43 PM
VLAN port is 6, which is untagged. The client VM (RHEL9) is connected on port six from the switch. Here is a screenshot of the switch configuration.
That part of the switch configuration does look good. What have you set in '802.1Q PVID Settings', specifically have you set the PVID to 50 on port 6?
Deciso DEC740