Help understanding firewall log message

Started by matterbury, Today at 06:24:13 AM

Previous topic - Next topic
Hi,

I've had a quick look for info on this subject but there are a *lot* of posts that seem related but the ones I've read don't help (me).

I'm getting lots of default blocks for traffic I *think* shouldn't be possible, in particular where both the source and destination are on a different subnet than that of the interface in the log message. In some cases the source and destination are on the same subnet (VLAN) which confuses me more.

Everything seems to be working fine so I'm more curious and interested in reducing "noise" if possible, not looking for a fix as such.

Example screenshots attached.

In this case the TRUSTED interface is VLAN 10 with IP range 192.168.10.0/24, the .20. subnet is for VLAN 20, and I'm using Dnsmasq DNS on both VLANs (forwarded from Unbound).

It looks like a DNS query from one host on the .20. subnet to the Dnsmasq server on 20.1 so I'm curious why it's even seen by the firewall *and* why the log claims it's on the TRUSTED interface (how did that happen?).

My topology is roughly: opnsense on Proxmox on Zimaboard 2 with 2 NICs, one for WAN, one for LAN, 4 VLANs on the LAN (one the default), LAN port connects to a switch, switch connects to 3 access points with an SSID per VLAN, all ports on the switch in trunk mode (no adding or removing of tags).

I've omitted a lot of detail as I don't *think* much of it is relevant but LMK what other info I should provide (and apologies in advance).

Thanks in advance for any info.

If the default deny rule catches traffic, it is because nothing else allowed the traffic. For TCP, that could be out-of-state traffic that is not caught by an existing rule, which is most often the cause somebody wonders why that rule does not apply.

However, this is UDP traffic, which is stateless, so I figure you have no rule to allow that traffic. For convenience, there is a default "allow any" rule created for the first LAN and for that (V)LAN only. Thus, if you do not allow DNS traffic to your firewall on any other (V)LAN, it will be caught by the default deny rule and thus be blocked.

You may not have noticed yet, because many browsers do not even use DNS on port 53 any more (doing DoT or DoH instead), such that DNS worked despite port 52 being blocked. Maybe you have a rule allowing internet access for your second VLAN, such that 8.8.8.8 can be reached.

P.S.: You created the "noise" all by yourself, because you enabled logging for the default deny rule. The whole purpose of the default deny rule is that you can log what it does - otherwise, you would not need it. While enabling logging on that can be helpful to diagnose something going wrong, blocking packets is the whole purpose of a firewall. Normally, you don't watch it doing its job.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, Leox LXT-010H-D

1100 down / 450 up, Bufferbloat A+