OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: cardins2u on July 10, 2018, 03:11:29 am

Title: default VLAN
Post by: cardins2u on July 10, 2018, 03:11:29 am
@Franco,

So far I love OPNsense. It's my primary production router now. I'm working on implementing the Direct Access and AutoVPN features of Windows 2016.

It seems like the 10.0.0.5 (DA) server is having problems communicating with the Domain Controllers.
The rules are below.

IPv4 *   LAN net   *   *   *   *      Default allow LAN to any rule


When I use another router it can communicate just fine. This points to a firewall problem. All local traffic (such as traffic from 10.0.0.2 to 10.0.0.3) is going through the 10.0.0.1 gateway and is being filtered.

Am I doing something wrong?

Title: Re: default VLAN
Post by: Julien on July 11, 2018, 04:58:17 pm
Are the DA and Domain Controller on different sites, with the OPNsense between them tunneling the VPN?
Title: Re: default VLAN
Post by: cardins2u on July 11, 2018, 05:44:26 pm
It's all local.

VLAN 1 (default VLAN), all local. No VPN.
The Direct Access server tries to communicate with the Domain Controllers and it cannot. It's hit and miss. Sometimes it can and sometimes it cannot.

Without OPNsense in the way and using a regular Linksys router it works just fine.

So I was just wondering if I'm missing anything. Is all local traffic being filtered at the firewall?

Title: Re: default VLAN
Post by: franco on July 11, 2018, 10:43:44 pm
Hey cardins2u,

Hope you are doing good! :)

Is there maybe traffic dropped by the default deny rule? It would point to "asymmetric routing": some packets reaching the firewall, others talking directly, or packets being reordered somehow.

You could also add a switch to the LAN port just to test... Or disable state tracking (firewall rule advanced) on the pass all rule.


Cheers,
Franco
Title: Re: default VLAN
Post by: cardins2u on July 12, 2018, 08:32:13 am
@franco

Attached are the firewall rules.

With OPNsense in the way, Direct Access can sometimes contact 10.0.0.2 / 10.0.0.3 (domain controllers); the Direct Access application on launch will sometimes show "Lost trust with domain controller".

If I take out the OPNsense and use the UniFi USG Pro then that doesn't happen.

      
IPv4 *   LAN net   *   *   *   *      Default allow LAN to any rule



State Tracking -
-        None -if I set this to none. It works just fine. 7 fail/10   
-        Sloppy -If I set this to sloppy  8 fails/10
-        Keep - then direct access fail to refresh 8 fails /10 times


Note: Edited - after a restart of the Direct Access server it happens again. Took out the OPNsense and just used the Linksys or USG Pro from UBNT, then it works fine. Rebooted, it still works... hmm



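The following is an added example, not code from the thread or from OPNsense itself: a simplified model of the three state-tracking modes Franco suggests testing and cardins2u reports results for (keep, sloppy, none), run over one constructed TCP flow whose SYN takes a host-to-host path the firewall never sees while the reply and the following ACK are routed through the 10.0.0.1 gateway, which is the asymmetric-routing case Franco describes. The hosts, ports and packets are constructed, and the mode semantics are a deliberately reduced model of pf behaviour rather than its implementation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # TCP flags as pf logs them: "S", "SA", "A"
    via_firewall: bool  # False = host-to-host path the firewall never sees

def flow_key(p):
    """Direction-independent key so a reply maps to the same state as its request."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a < b else (b, a)

def filter_flow(packets, mode):
    """Return (packet, verdict) for every packet the firewall sees (simplified pf model):
      'keep'   - like 'keep state' with the default 'flags S/SA': only the
                 initial SYN creates state; anything else without a state
                 falls through to the default deny rule.
      'sloppy' - any packet creates state and sequence numbers are not
                 checked, so a mid-stream packet is accepted.
      'none'   - stateless: each packet is matched against the pass rule.
    """
    states, verdicts = set(), []
    for p in packets:
        if not p.via_firewall:
            continue  # the asymmetric leg: never reaches the firewall
        key = flow_key(p)
        if mode == "none" or key in states:
            verdict = "pass"
        elif mode == "sloppy" or p.flags == "S":
            states.add(key)
            verdict = "pass"
        else:
            verdict = "drop"  # default deny: no state and not a SYN
        verdicts.append((p, verdict))
    return verdicts

# Constructed flow: DA server's SYN to a DC goes host-to-host; reply and ACK via the gateway.
ASYMMETRIC_FLOW = [
    Packet("10.0.0.6", "10.0.0.2", 50000, 389, "S", via_firewall=False),
    Packet("10.0.0.2", "10.0.0.6", 389, 50000, "SA", via_firewall=True),
    Packet("10.0.0.6", "10.0.0.2", 50000, 389, "A", via_firewall=True),
]

def verdicts(mode):
    return [v for _, v in filter_flow(ASYMMETRIC_FLOW, mode)]
```

With this flow, "keep" drops both packets that reach the firewall, while "sloppy" and "none" pass them; the same flow with the SYN routed through the firewall passes under all three modes.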
Title: Re: default VLAN
Post by: cardins2u on July 12, 2018, 08:36:47 am
This is the error:
Title: Re: default VLAN
Post by: cardins2u on July 12, 2018, 08:58:31 am
Never mind, set to none works. Flushed state tables.

So for LAN to LAN traffic we should keep this stateful disabled?
Title: Re: default VLAN
Post by: cardins2u on July 12, 2018, 09:22:59 am
@Franco

This rule below fixed it:

I set LAN net to 10.0.0.6 (DA Server)

Then I set 10.0.0.6 to LAN net


Now it works fine. It's not as fast as having a low-grade router *Linksys or UBNT USG Pro*.

There's like 2-3 second delays but I can live with this.

Thanks..
If you have any more tips or anything flying by, let me know so I can test.