[SOLVED] RDP connection blocked by Default deny / state violation rule

Started by anant, March 04, 2025, 11:00:23 PM

March 04, 2025, 11:00:23 PM Last Edit: March 05, 2025, 01:40:31 AM by anant Reason: mark as solved
I have a Windows 11 client trying to connect to remote servers using RDP over a WireGuard connection (site to site). I can use a tool like tcping to probe port 3389 and it connects successfully. But when I try to connect with Remote Desktop, the connection doesn't complete. The firewall log shows the traffic from the client to the LAN interface being blocked by the default rule, even though there are rules to allow the traffic.

Other computers on the same local network are able to connect to the remote servers without issue; it seems to be affecting only this one computer.

The client can connect to the remote server if I open a public IP address on the remote and connect to that, bypassing WireGuard.

The client can connect to other computers on the same subnet fine. If I try to connect to a computer on a different VLAN (different interface) it seems to sometimes work and sometimes not.

If I reboot the OPNsense device, sometimes the connection will work briefly the first time I try it, but will drop after a couple of minutes.

I have an MSS clamping rule on the WireGuard interface and I've tried reducing the MTU on the LAN interface and the WireGuard interface. I've disabled UDP for RDP.

What else can I look at?

Well, it seems like this is being caused by the Killer Prioritization Engine in Intel's stupid Killer Intelligence Center. Turned that off and now everything works again.