Device blocked by default deny rule on LAN but not on WireGuard [Solved]

Started by xXHelperXx, January 05, 2026, 02:20:04 AM

Hi people, maybe you can help me with this.

Not sure when it started, but the NAS on the LAN is blocked from any device that tries to access it.
And while disconnected from the LAN and connected to the WireGuard VPN, I'm able to access this NAS without issues.

Tried to search in the logs and found that the request was blocked by the "Default Deny" rule.
- I tested it with WiFi/cable on different ports on the appliance.
- Tried to create a brand new pass-all LAN firewall rule
- There is a firewall rule on the bridge with a pass rule for that LAN to any for IPv4+6
- Tried to change the Firewall Optimization from Normal to Conservative
- Changed the Firewall NAT Outbound to Hybrid and Automatic
- Disabled CrowdSec (not related, but no impact)

Things worth mentioning:
- There is Firewall Normalization set for the WireGuard connection. (Explains why the VPN can access?!)
- I recently moved from ISC DHCP to Dnsmasq; the issue was there before the move.
- This specific NAS has 2 ports connected to the LAN (no LAGG; one with a static IP from OPNsense + DHCP on the NIC, and the second with a static IP from the NAS OS).

I'm not really sure what the problem is.
Any kind of help would be appreciated.
Thanks!

Screenshot from the Firewall log: https://imgur.com/a/wqLk3DO


Normally traffic from a LAN device to another LAN device doesn't pass the OPNsense router, but goes directly to the destination device.

Since it looks like the traffic is sent to the router in your case, you should check the network settings of the source device. Maybe it has a wrong network mask.

The subnet is the same as before; I'm using /24 and it worked before.
Not really sure why it still blocks, and why especially on LAN and not on VPN.

Quote from: xXHelperXx on January 05, 2026, 11:53:06 PM
    Not really sure why it still blocks, and why especially on LAN and not on VPN.
Different rules, most likely. LAN and WireGuard are not the same subnets.

If you publish your rules here, I will look at them to see whether I can help. Using imgur is not publishing here.
Deciso DEC697

Quote from: xXHelperXx on January 05, 2026, 11:53:06 PM
    The subnet is the same as before; I'm using /24 and it worked before.
The block log you've posted shows the source IP is 192.168.11.38 and the destination is 192.168.11.66. If it is a /24 subnet, the devices would be within the same subnet. And as mentioned, traffic between these shouldn't go to the router, except if they are connected to different interfaces of a bridge. If it does anyway, the network settings of the source are wrong.

Quote from: passeri on January 06, 2026, 12:36:03 AM
    Quote from: xXHelperXx on January 05, 2026, 11:53:06 PM
        Not really sure why it still blocks, and why especially on LAN and not on VPN.
    Different rules, most likely. LAN and WireGuard are not the same subnets.

    If you publish your rules here, I will look at them to see whether I can help. Using imgur is not publishing here.
Thanks, man!!
See here:
WG rules + the auto generated: https://imgur.com/a/E5v6qZ4
BridgeLAN + Auto generated: https://imgur.com/a/WGDmaz7


Quote from: viragomann on January 06, 2026, 10:45:42 AM
    The block log you've posted shows the source IP is 192.168.11.38 and the destination is 192.168.11.66. If it is a /24 subnet, the devices would be within the same subnet. And as mentioned, traffic between these shouldn't go to the router, except if they are connected to different interfaces of a bridge. If it does anyway, the network settings of the source are wrong.
Correct, the source is ...11.38 or any other machine, and the destination is ...11.66, but before it worked and something changed. Not sure what?!
The OPNsense appliance has 6 ports in total. 4 of them I put under 1 bridge called BridgeLAN.
They must go through the OPNsense router.

@xXHelperXx, I think you misunderstood the meaning of "here". The problem with using an image service is it is more likely to disappear, leaving this thread largely incomprehensible to anyone who might have a similar problem in the future. Is there any particular reason you are unable to post images here, within your replies, rather than as links?

Regarding your further comment, are you filtering on the interfaces or on the bridge? https://docs.opnsense.org/manual/how-tos/lan_bridge.html (see Step Six, System Settings Tunables)
Deciso DEC697

Quote from: xXHelperXx on January 07, 2026, 02:15:59 AM
    The OPNsense appliance has 6 ports in total. 4 of them I put under 1 bridge called BridgeLAN.
So if the packet from one machine to the other has to pass OPNsense, you have to add proper firewall rules to permit it.

Quote from: viragomann on January 07, 2026, 11:51:46 AM
    Quote from: xXHelperXx on January 07, 2026, 02:15:59 AM
        The OPNsense appliance has 6 ports in total. 4 of them I put under 1 bridge called BridgeLAN.
    So if the packet from one machine to the other has to pass OPNsense, you have to add proper firewall rules to permit it.

Not quite - if you want to create a LAN bridge you have to change the two documented tunables to turn the bridged ports into a "switch".
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Yes, but by default OPNsense filters on the member interfaces of a bridge. I don't assume the TO has changed the tunables yet. And I don't know if he even wants to do this.
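Added example, not from this thread or the OPNsense project: a small POSIX sh check for the question raised above of whether filtering happens on the bridge or on its member ports. It parses the output of FreeBSD's `sysctl` for the two tunables the linked LAN-bridge how-to asks you to set (net.link.bridge.pfil_member = 0 and net.link.bridge.pfil_bridge = 1) and reports which rule set bridged traffic hits, so you can tell which interface's "Default deny" produced the log entry. The sysctl lines below are constructed so the script runs offline; on a real OPNsense box pipe the live output of `sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge` in instead.

```shell
#!/bin/sh
# Added example (not from the thread). FreeBSD prints sysctls as
# "name: value"; if_bridge filters bridged packets on each member
# interface when pfil_member=1 and on the bridge interface itself when
# pfil_bridge=1. Both can be on at once, which means two rule sets apply.

# Reads sysctl lines on stdin, prints one word:
#   members  rules on each member interface apply (OPNsense default)
#   bridge   only rules on the bridge interface apply (switch-like LAN)
#   both     traffic must pass the member rules AND the bridge rules
#   none     bridged traffic is not filtered at all
#   unknown  one of the two values was not in the input
bridge_filter_mode() {
    member=""
    bridge=""
    while IFS= read -r line; do
        case "$line" in
            net.link.bridge.pfil_member:*) member=$(printf '%s' "$line" | sed 's/.*: *//') ;;
            net.link.bridge.pfil_bridge:*) bridge=$(printf '%s' "$line" | sed 's/.*: *//') ;;
        esac
    done
    case "$member,$bridge" in
        1,0) echo members ;;
        0,1) echo bridge ;;
        1,1) echo both ;;
        0,0) echo none ;;
        *)   echo unknown ;;
    esac
}

# Returns 0 when the values match the LAN-bridge how-to (filter on the
# bridge only), 1 otherwise, and says what to change.
check_lan_bridge_tunables() {
    mode=$(bridge_filter_mode)
    if [ "$mode" = bridge ]; then
        echo "OK: bridged traffic is filtered on the bridge interface only"
        return 0
    fi
    echo "Mismatch: current filtering mode is '$mode'."
    echo "For a switch-like LAN bridge set, under System > Settings > Tunables:"
    echo "  net.link.bridge.pfil_member = 0"
    echo "  net.link.bridge.pfil_bridge = 1"
    return 1
}

# Constructed sample: what a box looks like after all tunables were reset
# to their defaults, as happened in this thread.
SAMPLE_RESET='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0'

# Constructed sample: the how-to's values.
SAMPLE_FIXED='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1'

printf '%s\n' "$SAMPLE_RESET" | check_lan_bridge_tunables || :
printf '%s\n' "$SAMPLE_FIXED" | check_lan_bridge_tunables || :
```

With the reset values, a packet between two ports of BridgeLAN is evaluated against the rules of the member interface it arrived on, not against the pass rule placed on the bridge, which is why a pass-on-bridge rule alone does not stop the default deny on a member.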

Quote from: passeri on January 07, 2026, 03:41:14 AM
    @xXHelperXx, I think you misunderstood the meaning of "here". The problem with using an image service is it is more likely to disappear, leaving this thread largely incomprehensible to anyone who might have a similar problem in the future. Is there any particular reason you are unable to post images here, within your replies, rather than as links?

    Regarding your further comment, are you filtering on the interfaces or on the bridge? https://docs.opnsense.org/manual/how-tos/lan_bridge.html (see Step Six, System Settings Tunables)
You are totally right. I'm sorry.
Next time I will stick to uploading the photos to the post.

And regarding the issue, you nailed it!!! Many, many thanks!!!
Now I realize that 2 months ago I restored the default values for all the tunables and missed those 2 tunable settings for the bridge.
I made the change and voilà, all back to work.


Thank you so much everyone!!