Help needed, SMB over Firewall rules only work one-way

[int_ar]

Hi,

I'll try to give a picture of my plan:

I have a network, seperatet in 8 VLANs. 4 of them are labeled as production, 4 as office.
Goal: I want to set up a OPNsense firewall between office and production, first with simple rules, upgrade to IDS/IPS later on the way.
The OPNSense will not serve as NAT router, the internet access is handled by another (working) OPNsense

VLAN 1, 821, 940 and 800 are labeled production
VLAN 300,316,399 and 909 are office.

I have built a OPNSense with 2x 10GB SFP+ ports
on ix0 there's a switch, serving VLAN 316 (Tagged), 399(tagged) and 909 (tagged) and 300 untagged
on ix1 there's a switch serving VLAN 821 (tagged), 940 (tagged) and 800 (tagged) and 1 untagged

The "internet OPNSense" is in VLAN1

So basic setup
WAN --> ix1 with IP 192.168.206.251/24 (upstream OPNSense Gateway is 192.168.206.253/24)
LAN --> ix0 with IP 172.23.1.1
NAT: outbound NAT is disabled

For the problem, only VLAN 1 and VLAN300 are relevant, as I do not have any more clients by the time writing.

I setup 2 VMs, one in VLAN1 and one in VLAN300 (IPs: 192.168.206.20 and 172.23.1.200)
Both with the VMs are using the OPNSense IPs as gateway.

In LAN there are the following services needed to be reached from WAN/Production
DNS on 172.23.1.10
ICMP on 172.23.1.10 (for diagnostic purposes)
SMB on 172.23.1.200
SMB on 192.168.206.20 from Office nets

So I created the following ruleset:
Interface WAN
Protocol IPv4 UDP
Source Alias for 192.168.206.20/32
Destination 172.23.1.10/32
Port: 53

Interface WAN
Protocol IPv4 ICMP
Source Alias for 192.168.206.20/32
Destination 172.23.1.10/32
Port: any

These rules work as they should, DNS querys from VLAN1 work

So I added the next rule
Interface WAN
Protocol IPv4 ICMP
Source Alias for 192.168.206.20/32
Destination 172.23.1.200/32
Port: any

To check if the SMB server is reachable from VLAN1 via Ping: works
So I added the SMB rules:
Interface WAN
Protocol IPv4 TCP
Source Alias for 192.168.206.20/32
Destination 172.23.1.200/32
Port: 445

Interface WAN
Protocol IPv4 UDP
Source Alias for 192.168.206.20/32
Destination 172.23.1.200/32
Port: 137

Interface WAN
Protocol IPv4 UDP
Source Alias for 192.168.206.20/32
Destination 172.23.1.200/32
Port: 138

Interface WAN
Protocol IPv4 TCP
Source Alias for 192.168.206.20/32
Destination 172.23.1.200/32
Port: 137

Interface WAN
Protocol IPv4 TCP
Source Alias for 192.168.206.20/32
Destination 172.23.1.200/32
Port: 139

and
Interface WAN
Protocol IPv4 TCP
Source Alias for 192.168.206.20/32
Destination 172.23.1.200/32
Port: 443
for SMB over QUIC

The same ruleset is in Interface LAN with Source and destination switched.

I hope this is clear till now.

From LAN interface to WAN Interface (means: SMB from 172.23.1.200 to 192.168.206.20) works
From WAN interface to LAN Interface (means: SMB from 192.168.206.20 to 172.23.1.200 ) does not work

There are no dropped packets in the live view, so I do not really get a hint what's not working. Actually all packets show up as expected
If I deactivate the paket filter in Firewall / Settings / Advanced it works both ways.

Windows Firewall is deactivated on both sides to rule out the problem

How can I get an idea what's causing the problem?
Windows Error Reporting says: SMB share is online but not responding
On each interface the "Block private networks" setting is disabled

If there are any questions, I'll be happy to answer