Topic: random denies by Default deny rule after upgrading (Read 7443 times)
telskamp (Newbie, Posts: 1, Karma: 0)
random denies by Default deny rule after upgrading
on: May 01, 2018, 11:39:49 am
Hey guys,
Since I have updated my OPNsense to the latest stable 18.1.6, it seems about 1/3 of all traffic headed for the internet is blocked by the default deny rule.
I have just one simple rule on my LAN interface allowing everything from my LAN subnet to any destination using any protocol.
2/3 of traffic hits this rule and is NATed perfectly to the internet; the other 1/3 just hits the default deny rule.
I cannot seem to figure out the difference in traffic that causes it. Hosts on my LAN are able to load most webpages and ping most IPs, but for reasons unknown to me some destinations are blocked by the default rule.
Some logs from blocked traffic:
May 1 12:21:28 filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,24069,0,DF,6,tcp,52,192.168.2.62,216.58.212.238,46327,443,0,FA,235370830,407495185,796,,nop;nop;TS
May 1 12:21:28 filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,30129,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
May 1 12:21:26 filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,30128,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
May 1 12:21:26 filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,30127,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
May 1 12:21:26 filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,30126,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
May 1 12:21:22 filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,743,0,DF,6,tcp,83,192.168.1.201,172.217.17.138,55932,443,31,PA,3166355573:3166355604,738522861,1428,,nop;nop;TS
Please let me know if you need further info.
[EDIT]
After further investigation it seems only 1/3 of TCP traffic is blocked; UDP and ICMP are never blocked.
Last Edit: May 01, 2018, 12:29:26 pm by telskamp
guest15389 (Guest)
Re: random denies by Default deny rule after upgrading
Reply #1 on: May 03, 2018, 04:37:57 pm
I'm assuming you didn't change it, but what's your firewall optimization set up as?
If it's TCP, it sounds like it's blocking connections based on that.
franco (Administrator, Hero Member, Posts: 17672, Karma: 1613)
Re: random denies by Default deny rule after upgrading
Reply #2 on: May 03, 2018, 09:13:47 pm
Default deny means your traffic is leaking and state tracking will prevent connectivity, either through asymmetric routing (one side has no traffic) or repeated packets on the same link.
You can diagnose this by setting your default LAN allow rule to "sloppy" or "none" in state tracking under advanced options.
Cheers,
Franco
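One way to check Franco's state-tracking explanation against the log lines quoted above, as an added example that is not the thread's own code: the field layout assumed here is the OPNsense filterlog IPv4/TCP one, and the rule of thumb is that a blocked packet carrying SYN alone is a new connection a rule really rejected, while blocked FIN/ACK or PSH/ACK packets with no matching state are what asymmetric routing, duplicated packets or stale states produce.

```python
from collections import Counter

# Constructed sample: the six blocked-packet lines quoted in the first post.
SAMPLE_LOG = """\
May 1 12:21:28 filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,24069,0,DF,6,tcp,52,192.168.2.62,216.58.212.238,46327,443,0,FA,235370830,407495185,796,,nop;nop;TS
May 1 12:21:28 filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,30129,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
May 1 12:21:26 filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,30128,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
May 1 12:21:26 filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,30127,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
May 1 12:21:26 filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,30126,0,DF,6,tcp,52,192.168.2.41,172.217.17.110,47157,443,0,FA,1489571558,332181077,229,,nop;nop;TS
May 1 12:21:22 filterlog: 8,,,0,em0,match,block,in,4,0x0,,64,743,0,DF,6,tcp,83,192.168.1.201,172.217.17.138,55932,443,31,PA,3166355573:3166355604,738522861,1428,,nop;nop;TS
"""

# Assumed filterlog column order for an IPv4 TCP record (common prefix,
# IPv4 header fields, then the TCP fields up to the flag string).
FIELDS = [
    "rulenr", "subrulenr", "anchor", "rid", "iface", "reason", "action", "dir",
    "ipver", "tos", "ecn", "ttl", "id", "offset", "ipflags", "protoid", "proto",
    "length", "src", "dst", "sport", "dport", "datalen", "tcpflags",
]


def parse_filterlog(line):
    """Parse one syslog line from filterlog into a dict; None if not IPv4 TCP."""
    if "filterlog: " not in line:
        return None
    parts = line.split("filterlog: ", 1)[1].split(",")
    if len(parts) < len(FIELDS) or parts[8] != "4" or parts[16] != "tcp":
        return None
    return dict(zip(FIELDS, parts))


def classify_block(rec):
    """SYN without ACK = rule denied a new flow; anything else = state miss."""
    flags = rec["tcpflags"]
    if "S" in flags and "A" not in flags:
        return "new-connection"
    return "mid-stream"


def summarize(log_text):
    """Count blocked TCP packets per category over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is not None and rec["action"] == "block":
            counts[classify_block(rec)] += 1
    return counts


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))  # every sample packet is mid-stream
```

A result dominated by "mid-stream" points at state tracking rather than the rule set, which is where Franco's "sloppy"/"none" state-type test on the LAN rule comes in.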