OPNsense Silently Filtering QuickBooks Web Traffic

[kagbasi-wgsdac]

Good-day Folks,

I have a strange issue that I have been troubleshooting for a couple of days now, and I'm at my wits end.  Can't seem to figure it out, but all seems to be pointing to OPNsense as the possible culprit; in that, it may be silently filtering out traffic I need for a critical application on my network - QuickBooks.

My environment:

Code: [Select]

OPNsense 23.1_6-amd64
FreeBSD 13.1-RELEASE-p5
OpenSSL 1.1.1s 1 Nov 2022
I run a small network for my Church and use OPNsense as my edge router/firewall.  The problem I'm having is that certain functions inside of QuickBooks, which rely on the application being able to open a particular web application, are failing and I can't figure out why.  I've spent several hours, over multiple days, with the QuickBooks Support Team and they have not been able to resolve the problem but have repeatedly insisted that perhaps my local firewall may be blocking traffic to their cloud platform (which is hosted on Amazon AWS).  So, to test, I simply installed QuickBooks on my home PC and tried to replicate the problem.  Unfortunately for me, it worked there - confirming that their hunch was correct.  My edge firewall is, somehow, filtering out the traffic.

So to troubleshoot, did the following:

• I disabled the local Windows Firewall - no effect. 
• I created an ALLOW ALL firewall rule on the WAN interface - no effect.
• I disabled the packet filter on OPNsense - no effect.

I don't have any IPS/IDS services running on the OPNsense box, nor do I have the Sensei plugin running either.  Additionally, I ran the SysInternals Procmon utility on the PC having the issues, and I was able to capture the URLs QuickBooks is attempting to reach.  They are (1) ec2-35-161-218-244.us-west-2.compute.amazonaws.com and (2) ec2-44-239-233-20.us-west-2.compute.amazonaws.com; both of which I confirmed via the OPNsense live view firewall log, are reachable and not being filtered.

The only test I have not run yet is to physically bypass the OPNsense device and plug my core switch directly into the ISP router.  Before I do that, though, I thought I'd reach out to the community to see if anyone has run into a similar issue and could offer up some advice.  All help is greatly appreciated, please!

Screenshot showing Procmon Capture of Traffic from QuickBooks


Screenshot showing OPNsense Firewall Logs of the traffic being allowed

[cookiemonster]

It looks as healthy as it can be. Apparently https on port 443, no strange port nor strange protocol. Your garden variety traffic really.
You could do a packet capture but I'd guess it'll it only confirm the traffic is being allowed out and back in.
OS rules, antivirus and such like maybe?

[kagbasi-wgsdac]

Yep, everything checks out - so it's really throwing me for a loop.  Over 25yrs of SysAdmin experience and I thought I'd seen it all, but nope.

I did a Wireshark capture (screenshot below) and it confirms two way traffic, so doesn't look like OPNsense is blocking anything.  Hmmm

[cookiemonster]

yup, all fine and dandy there. It'd be interesting to know what you find in the end.