OPNsense Forum » Archive » 18.7 Legacy Series » default vLAn
Topic: default vLAn (Read 6233 times)
cardins2u (Jr. Member, Posts: 71, Karma: 2)
default vLAn
on: July 10, 2018, 03:11:29 am
@Franco,
So far I love OPNsense. It's my primary production router now. I'm working on implementing the Direct Access and AutoVPN features of Windows 2016.
It seems like the 10.0.0.5 (DA) server is having problems communicating with the domain controllers.
The rules are below.
IPv4 * LAN net * * * * Default allow LAN to any rule
When I use another router it can communicate just fine. This points to a firewall problem. All local traffic (such as traffic from 10.0.0.2 to 10.0.0.3) is going through the 10.0.0.1 gateway and it's being filtered.
Am I doing something wrong?
Julien (Hero Member, Posts: 666, Karma: 33)
Re: default vLAn
Reply #1 on: July 11, 2018, 04:58:17 pm
Are the DA and domain controller on different sites, with OPNsense between them tunneling the VPN?
OPNsense 23.1.7_3-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023
cardins2u (Jr. Member, Posts: 71, Karma: 2)
Re: default vLAn
Reply #2 on: July 11, 2018, 05:44:26 pm
It's all local.
VLAN 1 (default VLAN), all local. No VPN.
The Direct Access server tries to communicate with the domain controllers and it cannot. It's hit and miss: sometimes it can and sometimes it cannot.
Without OPNsense in the way, using a regular Linksys router, it works just fine.
So I was just wondering if I'm missing anything. Is all local traffic being filtered at the firewall?
franco (Administrator, Hero Member, Posts: 17473, Karma: 1587)
Re: default vLAn
Reply #3 on: July 11, 2018, 10:43:44 pm
Hey cardins2u,
Hope you are doing good!
Is there maybe traffic dropped by the default deny rule? It would point to "asymmetric routing": some packets reaching the firewall, others talking directly, or packets being reordered somehow.
You could also add a switch to the LAN port just to test... Or disable state tracking (firewall rule advanced) on the pass all rule.
Cheers,
Franco
cardins2u (Jr. Member, Posts: 71, Karma: 2)
Re: default vLAn
Reply #4 on: July 12, 2018, 08:32:13 am
@franco
Attached are the firewall rules.
With OPNsense in the way, Direct Access can sometimes contact 10.0.0.2 / 10.0.0.3 (domain controllers); on launch the Direct Access application will sometimes show "Lost trust with domain controller".
If I take out OPNsense and use the UniFi USG Pro then that doesn't happen.
IPv4 * LAN net * * * * Default allow LAN to any rule
State Tracking:
- None: if I set this to none, it works just fine. 7 fail/10
- Sloppy: if I set this to sloppy, 8 fails/10
- Keep: then Direct Access fails to refresh, 8 fails/10 times
Note: Edited - after a restart of the Direct Access server it happens again. Took out OPNsense and just used a Linksys or USG Pro from UBNT, then it works fine. Rebooted, it still works... hmm
Last Edit: July 12, 2018, 08:34:15 am by cardins2u
cardins2u (Jr. Member, Posts: 71, Karma: 2)
Re: default vLAn
Reply #5 on: July 12, 2018, 08:36:47 am
This is the error:
cardins2u (Jr. Member, Posts: 71, Karma: 2)
Re: default vLAn
Reply #6 on: July 12, 2018, 08:58:31 am
Never mind, set to none works. Flushed state tables.
So for LAN to LAN traffic should we keep stateful tracking disabled?
cardins2u (Jr. Member, Posts: 71, Karma: 2)
Re: default vLAn
Reply #7 on: July 12, 2018, 09:22:59 am
@Franco
This rule below fixed it:
I set LAN net to 10.0.0.6 (DA Server)
then I set 10.0.0.6 to LAN net
Now it works fine. It's not as fast as having a low-grade router (Linksys or UBNT USG Pro).
There are like 2-3 second delays but I can live with this.
Thanks.
If you have any more tips or anything flying by, let me know so I can test.
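An added toy model (not OPNsense or pf code) of Franco's "asymmetric routing" hypothesis in reply #3 and the None/Keep results in replies #4 and #6: a stateful "pass LAN net to any" rule blocks the half of a TCP handshake whose SYN never transited the firewall, while the "none" setting judges each packet on its own. The addresses follow the thread (DA server 10.0.0.6, DC 10.0.0.2, gateway 10.0.0.1); the pf semantics are simplified assumptions and "sloppy" is not modelled.

```python
"""Constructed scenario: one direction of the flow goes host-to-host on the
switch, the other direction is routed via 10.0.0.1, so the firewall sees
only half the conversation (Franco's reply #3)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str    # "S" (SYN), "SA" (SYN-ACK), "A" (ACK)
    via_fw: bool  # True only when the packet actually reaches 10.0.0.1


def lan_net(ip: str) -> bool:
    return ip.startswith("10.0.0.")          # assumed 'LAN net' = 10.0.0.0/24


@dataclass
class Firewall:
    mode: str                                # "keep" or "none" (OPNsense state tracking)
    states: set = field(default_factory=set)

    def filter(self, p: Packet) -> str:
        if not p.via_fw:
            return "unseen"                  # never arrived at the firewall
        allowed = lan_net(p.src)             # 'Default allow LAN to any rule'
        if self.mode == "none":
            return "pass" if allowed else "block"   # per-packet rule match
        key = frozenset({p.src, p.dst})      # simplified state entry
        if key in self.states:
            return "pass"                    # matches an existing state
        if p.flags == "S" and allowed:       # only a SYN may create state
            self.states.add(key)
            return "pass"
        return "block"                       # default deny, as in the firewall log


def handshake(mode: str, syn_via_fw: bool) -> list:
    """Three-way handshake DA server -> DC; returns the per-packet verdicts."""
    fw = Firewall(mode)
    flow = [Packet("10.0.0.6", "10.0.0.2", "S", syn_via_fw),
            Packet("10.0.0.2", "10.0.0.6", "SA", True),   # reply always routed via fw
            Packet("10.0.0.6", "10.0.0.2", "A", syn_via_fw)]
    return [fw.filter(p) for p in flow]


if __name__ == "__main__":
    for mode in ("keep", "none"):
        print(mode, "symmetric:", handshake(mode, True),
              "asymmetric:", handshake(mode, False))
```

With symmetric paths both modes pass everything; on the asymmetric path only the "none" mode lets the SYN-ACK through, which matches the thread's observation that "none" works while "keep" fails intermittently.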