Problem with local LAN address getting blocked through "Default deny/state viol.

Started by mrzaz, July 15, 2026, 09:53:58 PM

Previous topic - Next topic
Hello,
I have an issue that I could not find the culprit to that is driving me crazy.

In the live log I get a "Default deny / state violation rule" from a my local NAS that
is on my LAN network and should not block this port.
64 = NAS
20 = OpnSense LAN interface

LAN  In  2026-07-15T21:40:22  TCP  192.168.x.64:56672  192.168.x.20:80  block  Default deny / state violation rule

Other IPs in my LAN does not have any issues accessing port 80 on .20

I am using the latest OPNsense 26.1.11_10-amd64 and is using the new upgraded style rules.

I even have a "Default allow LAN to any rule" enabled but also tried a separate LAN_HOME to LAN_HOME alias firewall for both in and out.
And have also made a specific to .64 but still same issue.

Is there anyone that could point me in the right direction why this only happens from one device and not all ?

I do have CrowdSec and Q-Feed plus a few others but have tested to switch off Intrusion Detection (suricata)

I have talked a bit with ChatGPT and it gave me some hints.
As the entry in the live log contains only A (ACK) it could be:
An ACK packet means:
It is not the start of a TCP connection (which would be a SYN packet).
It is trying to continue an existing TCP session.
OPNsense/PF is saying: "I don't have a state for this connection," so it logs Default deny / state violation rule and drops the packet.
1. The state expired.  This is very common with browsers that reuse keep-alive connections.
2. NAS kept the connection alive - Many NAS devices (especially Synology and QNAP) maintain persistent HTTP/HTTPS sessions.

This is most likely the culprit.

In other words, PF expected a state entry that no longer exists.

//Dan Lundqvist
Stockholm, Sweden
Best regards
Dan Lundqvist (mrzaz)

"It's better to burn up, than fade away..." (Highlander)

Could you post the details of a blocked packet?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on July 15, 2026, 09:58:38 PMCould you post the details of a blocked packet?

Sure. But see my updated comments as well in main thread.

__timestamp__   2026-07-15T22:01:22
ack   3617553731
action   [block]
anchorname   
datalen   0
dir   [in]
dst   192.168.x.20
dsthostname   
dstport   80
ecn   
id   13194
interface   em1
ipflags   none
ipversion   4
label   Default deny / state violation rule
length   40
offset   0
protoname   tcp
protonum   6
reason   match
rid   02f4bab031b57d1e30553ce08e0ec131
rulenr   5
seq   
src   192.168.x.64
srchostname   
srcport   47713
status   2
subrulenr   
tcpflags   A
tcpopts   
tos   0x0
ttl   44
urp   1024

//Danne
Best regards
Dan Lundqvist (mrzaz)

"It's better to burn up, than fade away..." (Highlander)

These packets should not go through the firewall at all if 192.168.x is the same x for both systems. I'd first check the netmasks/prefix-lengths of both systems.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on July 15, 2026, 10:08:43 PMThese packets should not go through the firewall at all if 192.168.x is the same x for both systems. I'd first check the netmasks/prefix-lengths of both systems.

Both OpnSense (.20 LAN) and NAS (.64) is in same net and do have same netmask in both machines.
Also the NAS has .20 as default GW and it is working. Running both from outside in to webserver (NAT) but also from inside to other Synology NAS remote.

//Dan
Best regards
Dan Lundqvist (mrzaz)

"It's better to burn up, than fade away..." (Highlander)

How many Interfaces does your NAS have ?

Usually this kind of stuff leads to A-Sync Routing issues that need to be solved...
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)