randomly blocking network access from one lan to another, reboot helps

stephenw10

Hmm, Ok. Nothing else has a gateway set so I would not expect any policy routing issues to affect it. The block rule with a gateway is still invalid though. I would not expect it to do anything but I'm not sure I've ever tried so I'd remove/disable it anyway.

I assume whatever you're trying to hit in LAN_3 is covered by one of those pass rules? 192.168.3.20?

Steve

rafthebee

Okay. i have had the problem that if the PP_BASEL_VPN Gateway is down, the traffic for VPN_PP_BASEL_GROUP is then routed through the normal WANGW. But i want to make sure that no traffic is leaving the VPN_PP_BASEL_GROUP through the WANGW.
Is there an other way to do this?

Yes, i am trying to reach the samba server on 192.168.3.20. But its not only 192.168.3.20, its the whole subnet that i cannot reach when it happens.

stephenw10

If you set 'Skip rules when gateway is down' then the firewall will omit the pass rules for that source alias entirely rather than using a rule without a gateway set.
The block rule after it will then block all outbound traffic from it when the PP_BASEL_VPN Gateway is down.

That is a global setting so bare in mind how it might affect other policy routes.

Steve

rafthebee

Thanks for your answers, i will try to fix the problem by changing the rules and by setting the 'Skip rules when gateway is down' option. i will write here when i know if it helps.

rafthebee

The Problem came back.
The PP_BASEL_VPN rules have been disabled, the "Skip rules when gateway is down" option was enabled.

Is there anything i can do to investigate this problem further?

stephenw10

So you are still trying to reach the LAN3 subnet from LAN1?

There are no rules shown in that screenshot to allow it but I assume you still have them below that?

That traffic could be blocked by a floating rule. Or by Snnort/Suricata if youlre now running either.

Steve

rafthebee

yes, i am stil trying to reach LAN3 from LAN1

i have not changed any rules, only the two greyed VPN-PP-Basel_Group rules are disabled, thats the only difference

Here are my floating rules:

I am not running Snnort/Suricata

stephenw10

OK well, as before, try to connect, start a continuous ping for example, then check the state table to see where it's opening states. Is it just trying to leave the WAN? Is it opening no states?
Check the firewall log.

Steve

rafthebee

i tried pinging from LAN_1, LAN_3 and LAN_5, resulting in total packet loss everytime.
the state table does not show any related state, it is nothing showing up when i start pinging.
the firewall also does not contain anything regarding the ip address i am trying to ping or the source address i am trying to ping from.

The whole subnet is totally unreachable.
One of my services running in LAN_3 is a Telegram Bot. It is also not responding to messages.

stephenw10

Ok, so if it's not opening states anywhere then the firewall is preventing that. You don;t have rules that are allowing that traffic.

Post your full LAN_1 rules and the exact test you are using from a client on LAN_1.

Steve

AKEGEC

@rafthebee , Did your try to create a pass rule to allow LAN3 to talk LAN1? Make sure the protocol set to ANY and the rule is above other rules and don't forget to apply changes.