weixin_39689700
2020-12-02 14:18

FW applying "default blocking rule" ignoring existent rules and "Bypass firewall rules for traffic on the same interface"

[X] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md

[X] I have searched the existing issues and I'm convinced that mine is new.

Describe the bug
The Firewall drops connections without any sense, even when I have them allowed with rules or between hosts on the same interface with "Bypass firewall rules for traffic on the same interface" activated. This is constant and I don't know what logic it is following or the cause. It's totally unusable and I already brought it up from zero several times with the same rules.

Additionally, IP leases that aren't registered on DHCP are showing in FW logs. I know this is not an attack, but it seems like DHCP is failing. It had supplied dynamic IPs to MACs that had fixed IPs; this happened two days ago.

To Reproduce
I don't know how to reproduce it. It simply started acting like this more and more after some upgrades. I had set up two interface groups in the past for rules across several interfaces and I migrated them to floating, but it didn't help. I would gladly send my config file using a private secure channel.

Screenshots
[three screenshots not reproduced]

Relevant log files
Please tell me what logs I should post and I'll gladly do.

Environment
OPNsense 20.7-amd64, ESXi 6.7 VM

Edit: Added a filter output. filter.log

This issue comes from the open-source project: opnsense/core


11 replies

  • weixin_39689700, 5 months ago

    Nope. The issue persists and it's caused by opnsense. As the issue seemed to be solved after a full network reboot, I deactivated the logs for some rules. When I went for the "igmp announces" rule I noticed that plenty of those hits were still logged, so I went to reset the states and here we go, with the fw log crazy with all kinds of blocks as it was before. Letting it rest doesn't make it work again. Rebooting also doesn't have any effect.

  • weixin_39837607, 5 months ago

    These are invalid state drops: out of order packets, duplicates, interface mismatch and such. There is a lot of information on default rule drops on the forums.

    Cheers, Franco

  • weixin_39689700, 5 months ago

    But it is not limited to those packets that I screen captured. I understand what you mean, but how could it be that I'm almost without network? It is randomly blocking some connections, device by device. Some "don't see" an internet connection alive, even when it is. I can write here from my station. NAS seems offline for some devices... It seems excessive to me. Edit: I'm adding a FW log, in case that helps to explain what you are saying to me.

  • weixin_39603537, 5 months ago

    Why do you see packets for the same network in the Firewall? Usually this is a layer 2 problem.

  • weixin_39689700, 5 months ago

    I only have a switch and a physical server + ISP router + Wifi AP in this network now. And I don't have any cable loops that I know of. It should be only a failing switch, then. I'll replace it with a brand new one that I have at hand and check it.

  • weixin_39603537, 5 months ago

    Do you use bridging on the Firewall?

  • weixin_39689700, 5 months ago

    The ESXi server is connected with only one LAN cable (no redundancy) and it has only one vswitch with VLANs configured. Opnsense is a VM on a trunk.

  • weixin_39603537, 5 months ago

    So, if neither 192.168.50.201 nor 192.168.50.203 is the IP of OPNsense, you have a problem in your Layer 2 subnet, and when you use virtual AND trunk on a vswitch I'd guess it's a misconfig of ESX.

    Better to reach out at the forums, as there are many more users with such experience, whereas here it's mostly dev-only guys without ESX background.

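The two diagnostic points made in this thread, Franco's note that default-rule drops are usually invalid-state packets and the later observation that seeing same-subnet traffic at the firewall points at a layer-2 problem, can be checked mechanically against a filter.log export. The script below is an added example, not code from the reporter or from the OPNsense project; it assumes the common pf "filterlog" CSV field order (rule number, sub-rule, anchor, rule id, interface, reason, action, direction, IP version, then the IPv4 header fields up to source and destination address), and the log lines, interface name `vmx1` and subnet map are constructed for the demonstration. It counts blocks by pf reason and rule id, separates state-handling drops from rule matches, and lists blocked flows whose source and destination both sit on the interface's own subnet.

```python
"""Classify pf filterlog lines: count blocks by reason/rule and flag
same-subnet flows on a LAN interface, which point at a layer-2 problem."""
import csv
import ipaddress
from collections import Counter

# Assumed leading field order of a pf "filterlog" line (OPNsense/pfSense
# style); only the prefix up to the IPv4 src/dst addresses is used here.
COMMON = ["rulenr", "subrulenr", "anchor", "rid", "iface", "reason",
          "action", "dir", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id",
        "proto", "length", "src", "dst"]

# pf reason codes other than "match" mean the packet was dropped by pf's
# state or sanity handling rather than by a matching block rule.
STATE_REASONS = {"state-mismatch", "state-insert", "state-limit",
                 "src-limit", "fragment", "short", "bad-offset",
                 "normalize", "proto-cksum", "bad-timestamp"}

# Constructed sample lines, not taken from the reporter's filter.log.
# Line 1-2: blocks between two hosts on the same /24 (layer-2 symptom).
# Line 3: a state-mismatch drop on outbound return traffic.
# Line 4: an ordinary pass, which the summary must ignore.
SAMPLE_LOG = """\
85,,,1000000103,vmx1,match,block,in,4,0x0,,64,1,0,DF,6,tcp,60,192.168.50.201,192.168.50.203,49152,445,0,S,1:1,,64240,,mss
85,,,1000000103,vmx1,match,block,in,4,0x0,,64,2,0,DF,6,tcp,52,192.168.50.201,192.168.50.203,49152,445,0,A,1:1,2,64240,,
87,,,1000000104,vmx1,state-mismatch,block,in,4,0x0,,64,3,0,DF,6,tcp,52,192.168.50.10,203.0.113.5,51000,443,0,A,1:1,2,64240,,
5,,,1000000001,vmx1,match,pass,in,4,0x0,,64,4,0,DF,17,udp,78,192.168.50.10,192.168.50.1,53000,53,58
"""

# Interface -> directly connected subnet (constructed for the example).
IFACE_SUBNETS = {"vmx1": ipaddress.ip_network("192.168.50.0/24")}


def parse_line(line):
    """Return the fields this script needs as a dict, or None for lines
    that are not IPv4 filterlog records."""
    fields = next(csv.reader([line]))
    if len(fields) < len(COMMON) + len(IPV4):
        return None
    rec = dict(zip(COMMON, fields[:len(COMMON)]))
    if rec["ipver"] != "4":
        return None
    rec.update(zip(IPV4, fields[len(COMMON):len(COMMON) + len(IPV4)]))
    return rec


def analyze(log_text, iface_subnets):
    """Summarise blocks by (reason, rule id) and list blocked flows whose
    source and destination both sit on the logging interface's subnet."""
    by_reason = Counter()
    same_subnet = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["action"] != "block":
            continue
        by_reason[(rec["reason"], rec["rid"])] += 1
        net = iface_subnets.get(rec["iface"])
        if net is None:
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src in net and dst in net:
            same_subnet.append((rec["iface"], rec["src"], rec["dst"], rec["reason"]))
    return by_reason, same_subnet


def state_drop_count(by_reason):
    """Blocks attributable to pf state handling rather than a block rule."""
    return sum(n for (reason, _rid), n in by_reason.items() if reason in STATE_REASONS)


if __name__ == "__main__":
    counts, flows = analyze(SAMPLE_LOG, IFACE_SUBNETS)
    for (reason, rid), n in counts.most_common():
        print(f"{n:4d}  reason={reason:<15} rule={rid}")
    print(f"state-handling drops: {state_drop_count(counts)}")
    for iface, src, dst, reason in flows:
        print(f"same-subnet block on {iface}: {src} -> {dst} ({reason})")
```

Run against a real export, any non-empty same-subnet list on a LAN interface means the firewall is receiving frames that should have been switched locally, which is the layer-2 (or vswitch/trunk) misconfiguration suggested above rather than a rule problem; a large share of blocks under one rule id with reason `match` is the default-deny pattern Franco describes and is worth comparing against the state table rather than the rule set.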
  • weixin_39689700, 5 months ago

    In firmware it says that there are plugins "missing" ¿?

    os-sensei (missing) | N/A | N/A | N/A | -- | -- | -- | -- | --
    os-sunnyvalley (missing) | 1.2 | 324B | Vendor repository for Sensei (Next Generation Firewall Extensions)

    I can't do anything about this.

  • weixin_39603537, 5 months ago

    This means you restored the config from a backup and in the new installation the packages are not installed yet.

  • weixin_39603537, 5 months ago

    Better to reach out at the forums, as there are many more users with such experience, whereas here it's mostly dev-only guys without ESX background.

    ...
