Rule or alias not matching

Started by clarknova, Today at 06:55:33 PM

OPNsense was version 25.7.11_2 when I noticed the problem, but upgrading to 26.1.3 hasn't fixed it.

I have a floating rule that allows internet access from multiple hosts on several networks (see screenshot). It looks like this in pfctl:

pass in on aINTERNAL route-to (wan_gw) inet from <allowed_internet> to ! <rfc5735> flags S/SA keep state label "..."

For some reason, about a week ago some hosts on multiple networks lost access to internet, as if this rule stopped matching packets. One such host has the address 10.15.4.52.

As you can see in the screenshot, I copied this rule and changed only the source from the alias to the explicit network 10.15.4.52/31 and enabled logging. This enabled this specific host to access the internet and the packets are logged as expected.

As you can also see in the screenshot, I have only one block rule in the floating rules. I can confirm there are no block rules in the group or on the interface specific to that network.

And finally, you can see in the screenshot that the alias <allowed_internet> includes the 10.15.0.0/21 network.

As these rules are not quick, I also moved the new rule above the old one, and the new rule still matches, passes and logs the packet, as if the old one isn't matching.

So why did the old rule stop matching packets while the new rule matches packets that should have matched the old one? The old rule used to work, and then stopped working at some point (at least for a handful of hosts that I've tested). I can't think of an explanation except that I'm seeing some sort of bug having to do with the rule or the alias.
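One check worth making here is whether the address in question is actually inside the networks the alias expands to, so that the alias as configured can be compared with the table pf has loaded. The script below is an added example, not something from this thread or from OPNsense; the alias contents it uses (10.15.0.0/21 plus two other entries) are constructed to mirror the case above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): test whether an IPv4 host falls inside
# the CIDR entries of an alias, to compare the alias as configured with what
# pf actually loaded into its table.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Return 0 when IPv4 address $1 lies inside CIDR $2 (a bare address means /32).
ip_in_cidr() {
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    ipn=$(ip_to_int "$1")
    netn=$(ip_to_int "$net")
    # 4294967295 is 0xFFFFFFFF; the final AND keeps the mask at 32 bits.
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# Constructed alias contents, one entry per line, in the shape that
# `pfctl -t allowed_internet -T show` prints on the firewall.
ALLOWED_INTERNET="10.15.0.0/21
192.168.50.10
172.16.8.0/24"

# Print every alias entry covering host $1; return 0 if at least one does.
alias_entries_matching() {
    host=$1
    found=1
    for entry in $ALLOWED_INTERNET; do   # default IFS splits on newlines too
        if ip_in_cidr "$host" "$entry"; then
            echo "$entry"
            found=0
        fi
    done
    return $found
}

if alias_entries_matching 10.15.4.52 >/dev/null; then
    echo "10.15.4.52 is covered by: $(alias_entries_matching 10.15.4.52)"
else
    echo "10.15.4.52 is NOT covered by the alias"
fi
```

Run on the firewall itself, the same question can be put to pf directly: `pfctl -t allowed_internet -T show` lists the loaded table and `pfctl -t allowed_internet -T test 10.15.4.52` reports whether that address matches it. If the configured alias contains 10.15.0.0/21 but the loaded table does not cover 10.15.4.52, the table has drifted from the configuration, which would account for the explicit-source copy matching while the alias-based rule does not.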

What about the S/SA flags? If the packets do not match those, they will be dropped. Compare the working and non-working rules in /tmp/rules.debug.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Other than logging, source and label, the two rules in /tmp/rules.debug look identical to me. I'm not using Advanced Features on either of these rules, and I think not on this firewall at all.

pass in log on aINTERNAL route-to ( wan_gw ) inet from {10.15.4.52/31} to !$rfc5735 keep state label "..." # Log Pass allowed to internet
pass in on aINTERNAL route-to ( wan_gw ) inet from $allowed_internet to !$rfc5735 keep state label "..." # Pass allowed to internet

The rule you showed above said otherwise, hence why I asked.