Stumped - Tracking down incoming packets being evaluated by a WAN rule

Started by lmoore, May 15, 2026, 07:25:49 PM

I'm trying to work out how to determine what traffic is being evaluated by a WAN rule.

My understanding of rules being evaluated in pf are as per the first paragraph of https://docs.opnsense.org/manual/firewall.html#states

If all connections originating from the Internet are blocked before they reach the OPNsense WAN interface, it would seem reasonable to expect that any WAN rules for incoming packets in OPNsense should not be evaluating any packets.

I did some reading about pf and noted that if scrub is used, it can affect the rule evaluation. I disabled scrub in OPNsense and disabled any active Normalization rules.

In addition, I enabled logging of all packets except for Outbound NAT.

To prevent any connections originating from the Internet I set up a transparent firewall between the WAN port and the DSL modem.

On the transparent firewall, my initial rules were set to pass all in on em1 and em0. After verifying all was working, I then changed the rule on em0 to block in all. After the rule was updated there were some stateful connections. After the last stateful entry expired, all incoming packets from the Internet were blocked, thus no more packets were reaching the WAN port of OPNsense.

After the last incoming connection was seen, the rules in OPNsense were re-applied to reset the counters.

FreeBSD's version of pf includes the ability to filter Ethernet frames.

With this knowledge, I ran tcpdump in promiscuous mode on OPNsense's WAN interface using the expression 'not ip'. This only revealed ARP packets between OPNsense and my ISP's equipment, at a rate of 6 per hour. Not enough to match the number of evaluations on the WAN rule in question.

This setup has been running for over 25 hours now.

Is anyone able to provide some insight into why the Floating Rule with the description "Inbound Q-Feeds Block List" is evaluating packets?

Also, there are no further evaluations in the floating rules after it, with the last inbound rule being "Nothing Else Blocked Inbound from Internet".
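One way to separate "evaluated" from "matched" while investigating a puzzle like this is to read the per-rule counters straight from pf rather than the GUI: `pfctl -vsr` prints an `Evaluations`/`Packets` line under each rule, and a rule consulted for a frame that did not match it shows evaluations with zero packets. The script below is an added example, not the poster's configuration or OPNsense's own tooling; the pfctl output it parses is constructed to mirror the rule descriptions in the post, and the labels are assumed.

```sh
#!/bin/sh
# Added example: summarise pf rule counters from `pfctl -vsr` output and
# flag rules that were evaluated but never matched a packet.
# On a live box replace the sample with:  pfctl -vsr | evaluated_not_matched
# The text below is CONSTRUCTED for illustration, not captured from a real system.
SAMPLE_PFCTL_OUTPUT='block drop in log quick on em0 inet from any to any label "Inbound Q-Feeds Block List"
  [ Evaluations: 42        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1000 State Creations: 0     ]
pass out quick on em0 inet from any to any flags S/SA keep state
  [ Evaluations: 9000      Packets: 8800      Bytes: 1200000     States: 12    ]
  [ Inserted: uid 0 pid 1000 State Creations: 300   ]
block drop in log quick on em0 all label "Nothing Else Blocked Inbound from Internet"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1000 State Creations: 0     ]'

# Emit one line per rule: "<evaluations> <packets> <rule text>"
summarize_rules() {
    awk '
        /^  \[ Evaluations:/ {
            # Fields: [ Evaluations: N Packets: M Bytes: B States: S ]
            print $3, $5, rule
            next
        }
        /^  \[/ { next }          # skip the "Inserted:" bookkeeping line
        { rule = $0 }             # any other line is the start of a new rule
    '
}

# Keep only rules with Evaluations > 0 and Packets == 0: pf consulted them
# for traffic that did not match (e.g. non-IP frames or scrubbed packets).
evaluated_not_matched() {
    summarize_rules | awk '$1 > 0 && $2 == 0 { $1 = ""; $2 = ""; sub(/^  /, ""); print }'
}

printf '%s\n' "$SAMPLE_PFCTL_OUTPUT" | evaluated_not_matched
```

Comparing two snapshots taken some time apart (after resetting counters as the post describes) shows which rule's evaluation count is still climbing once inbound IP traffic has been cut off.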