default deny rule blocking the traffic

Started by multazimd, Today at 01:50:00 PM

Folks,

We are evaluating OPNsense as a shared VPN gateway platform. We are trying to send traffic from our F5 machine to OPNsense, but it is getting blocked at OPNsense. Below are the rule details from Firewall -> Log Files -> Live View. Please help us understand why this is happening. We have been troubleshooting for hours but with no success. Thanks.

__timestamp__   2026-02-24T12:39:58
ack   0
action    [block]
anchorname   
datalen   0
dir    [in]
dst   10.77.33.101
dsthostname   10.77.33.101
dstport   443
ecn   
id   2507
interface   hn2
ipflags   DF
ipversion   4
label   Default deny / state violation rule
length   40
offset   0
protoname   tcp
protonum   6
reason   match
rid   02f4bab031b57d1e30553ce08e0ec131
rulenr   4
seq   2427568749
src   198.18.250.10
srchostname   198.18.250.10
srcport   65005
status   2
subrulenr   
tcpflags   RA
tcpopts   
tos   0x0
ttl   255
urp   0

Quote from: multazimd on Today at 01:50:00 PM
> We are evaluating opnsense as a shared vpn gateway platform.
What is the used VPN Protocol ?

Quote
> We are trying to send traffic from our F5 machine to opnsense but it is getting blocked at opnsense.
I see traffic getting blocked that comes from a public IP address 198.x.x.x and wants to go to a private IP address 10.x.x.x, and to be honest that makes no sense to me:
I would expect to see traffic between two Public IP Addresses and once that traffic has made the right handshake the VPN traffic should appear between those two Public IP Addresses using Private IP Addresses for the VPN traffic.

Are you sure you have got all the right Firewall and NAT Rules configured for this ?
What does the VPN Client configuration look like ?

TL;DR : You need to post more information about your setup. Feel free to use fake IP addressing if needed...
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

It's an IPsec route-based VPN. Here is the logical architecture diagram of the traffic that is working for us from the remote end over public to OPNsense.

Remote End -> OPNSENSE External Interface -> OPNSENSE VPN Tunnel -> OPNSENSE Internal Interface -> F5 LB -> App Machine

We have requirements for our app machines to reverse-call certain private URLs on the remote end via the VPN tunnel established above, and we are not able to get this working.

Below is the logical architecture we are trying to achieve:

App Machine -> F5 -> OPNSENSE Internal Interface -> OPNSENSE VPN Tunnel Interface -> Remote End URL

Unfortunately, traffic is being dropped at the OPNSENSE internal interface by the default deny rule, which we do not have control over.

Quote from: multazimd on Today at 01:50:00 PM
> [...]tcpflags  RA[...]

Interesting. Generally you see default denies when there is no established session, often due to asymmetric routing (of which OPNsense is fairly tolerant). The RSET suggests a closed port (in addition).

Quote from: nero355 on Today at 02:15:21 PM
> [...]You need to post more information about your setup.[...]

Seconded. This means interfaces, rulesets, routing, and VPN state. Perhaps some basic verification of connectivity.
Someone with a similar setup and experience might happen by, but if you'd rather not wait...
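Added example (not from the thread and not OPNsense code): a small Python triage helper that parses a Live View record in the key/value layout shown in the first post (a constructed copy of that entry is embedded) and applies the heuristics from the replies above, flagging a TCP packet without SYN that hit the state-violation rule as a likely asymmetric-routing case and a set RST flag as a connection teardown.

```python
"""Triage an OPNsense Live View block record to explain a state-violation drop.
Hypothetical helper; the record below is a constructed copy of the thread's entry."""

# Constructed sample: the blocked packet from the first post, trimmed to the fields used.
SAMPLE_RECORD = """\
action    [block]
dir    [in]
dst   10.77.33.101
dstport   443
interface   hn2
label   Default deny / state violation rule
protoname   tcp
src   198.18.250.10
srcport   65005
tcpflags   RA
"""


def parse_live_view(text: str) -> dict:
    """Parse 'key   value' lines; bracketed values such as [block] are unwrapped."""
    rec = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue
        value = parts[1].strip() if len(parts) > 1 else ""
        rec[parts[0]] = value.strip("[]")
    return rec


def triage_block(rec: dict) -> list:
    """Return human-readable findings for a blocked record (empty list if not a block)."""
    findings = []
    if rec.get("action") != "block":
        return findings
    flags = rec.get("tcpflags", "")
    state_rule = "state violation" in rec.get("label", "").lower()
    # A TCP segment without SYN can only match an existing state; if the default
    # deny / state violation rule fired, the firewall never saw the connection open.
    if rec.get("protoname") == "tcp" and "S" not in flags and state_rule:
        findings.append("mid-connection packet with no matching state: the forward path "
                        "did not traverse this firewall (asymmetric routing) or the state expired")
    # RST means the sender is tearing the connection down (closed port or stale session).
    if "R" in flags:
        findings.append("RST set: the sender reset the connection (closed port or stale session)")
    if state_rule and not findings:
        findings.append("state violation with no further hint; check routing and rules")
    return findings
```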