FW log - Live View - incorrect logging compared to rule config

[scrensen]

Hi all,

Just upgraded (Currently running OPNsense 18.1.1-amd64) and I see something weird in the new log Live View.

Attached 3 files, fw_rules.png, fw_log.png and fw_log2.png

In fw_log.png you will see:
Blocked on interface VLAN99, source 192.168.x.20 to destination 192.168.1y.y port 8880 rule description 'Allow guestnet to guestportal'

In fw_rules you see the second rule says:
Allow from source VLAN99 net to destination 192.168.1y.y port 8880 rule description 'Allow guestnet to guestportal'

So in logging it seems traffic is blocked by a rule that actually allows the traffic.

Am I missing something here ?

And to make it more strange, when I change the logging page to show 5000 lines and look for the lines in fw_log.png, I see again something strange, see fw_log2.png

Any idea?

[h4p4t3]

I have a similar effect, but (as I thought until now) that results from another problem. I have a problem with the resolving of host names, behind which there is a load balancer. But the effects I see in the log are similar: https://forum.opnsense.org/index.php?topic=7168.msg32022#msg32022

But your problem doesn't seem to be a DNS-problem.

[scrensen]

It seems similar indeed.

I see it all the time now. For all sorts of rules the Live View messes it up and showing strange results.

[JeGr]

As those are TCP Hits - how about showing the corresponding TCP Flags? It wouldn't surprise me if the blocks are a strange/bad combination of TCP flags and the passes are simple straight S/SYNs.

[scrensen]

I'm currently logging a lot which makes it a bit hard to find those lines back. I rebooted my opnsense box last night since it was unstable (all since upgrade to 18.1), and it seems OK now.

I will keep an eye on it and report back if I see this happening again