Is that to be expected in terms of what might be logged when the filtering is enabled?
Oddly, with the filtering enabled I do see DROP_INPUT for red0 for UDP when I have a VPN enabled with the VPN endpoint IP and my IP. I do not see these entries when filtering is disabled and the router is connected to the VPN endpoint.
If anyone could provide any clarification about if the above is expected, etc., would be appreciated. Just want to make sure something is not amiss if my usage happens to be an edge case that might be impacted by the RPF.
Examples of the DROP_INPUT lines that were there prior to the update:
Jun 13 14:41:31 ipfw kernel: DROP_INPUT IN=red0 OUT= MAC=XXX SRC=139.162.190.203 DST=MY ISP IP LEN=40 TOS=0x00 PREC=0x20 TTL=230 ID=64500 PROTO=TCP SPT=16174 DPT=3517 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 13 14:41:32 ipfw kernel: DROP_INPUT IN=red0 OUT= MAC=XXX SRC=143.110.234.214 DST=MY ISP IP LEN=40 TOS=0x00 PREC=0x20 TTL=231 ID=58031 PROTO=TCP SPT=61953 DPT=50001 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 13 14:41:44 ipfw kernel: DROP_INPUT IN=red0 OUT= MAC=XXX SRC=193.57.40.49 DST=MY ISP IP LEN=40 TOS=0x00 PREC=0x20 TTL=234 ID=37253 PROTO=TCP SPT=56119 DPT=3221 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 13 14:41:49 ipfw kernel: DROP_INPUT IN=red0 OUT= MAC=XXX SRC=89.248.165.110 DST=MY ISP IP LEN=40 TOS=0x00 PREC=0x20 TTL=236 ID=15487 PROTO=TCP SPT=40032 DPT=3063 WINDOW=1024 RES=0x00 SYN URGP=0
Example of the UDP DROP_INPUT that shows up after the update that didn’t have any entries prior to the update:
Jun 15 10:33:33 ipfw kernel: DROP_INPUT IN=red0 OUT= MAC=XXX SRC=VPN ENDPOINT IP DST=MY ISP IP LEN=93 TOS=0x00 PREC=0x20 TTL=57 ID=48069 DF PROTO=UDP SPT=1194 DPT=52229 LEN=73
For asymmetric routing, not that I am aware of. Is there a way to check to see if there is anything unintentional?
The only thing that I can think of that might be related would be the VPN setup and related firewall rules but those are pretty standard as best I can tell.
The network itself is pretty simple with green (wired), blue (wireless) and red.
When the VPN is on, everything goes through it as it is enabled on the ipfire box with openvpn as a daemon with a setup file from the vpn provider.
The additional VPN firewall rules that are added to firewall.local:
For the firewall rules, for the setup guide I was following, it was suggested to put the rules in firewall.local so that was why I didn’t use the GUI.
Please note that the first set of log entries was from prior to the update so those weren’t the anomalies. As you mentioned, there are no rules for those type of entries, so they were dropped as expected.
The UDP DROP_INPUT example was what is seen after the update while all of the DROP_INPUTs that were previously seen are no longer seen (although the same attempts are coming in).
I think the issue is indeed related to OpenVPN and the reverse path filter setting.
Well, yes it makes things more complicated because it does not allow you to run “experimental” network configurations - or probably more likely: Unintended network configurations.
Traffic is supposed to flow only one way so that we can filter it in the right place. In this instance, you are masquerading all traffic I suppose - that should not trigger any problems with the RP filter unless you are doubly-using the same IP address space?!
I don’t think I know enough about your network design to say precisely what the problem is.
To my knowledge, I’m not doubly using the same IP address space, only 192.168.0.x on green and 192.168.1.x on blue and the VPN tunnel is using 10.x.x.x.
Other than the 3 firewall additions related to OpenVPN in firewall local mentioned above, a pretty simple network setup. RED, BLUE, and GREEN local setup with everything going through the VPN to the VPN provider.
All other firewall settings within the GUI are the defaults. I haven’t changed anything else related there.
Thanks for the assistance and if there is anything additional that you can think of that would be helpful for me to provide setup wise, please let me know.