Topic: VPN Security policies (Read 1353 times)
calbo79@hotmail.com
Newbie
Posts: 1
Karma: 0
VPN Security policies « on: September 03, 2021, 04:37:14 pm »
I'm a network engineer and mostly use Palo Alto products. I stood up a site2site VPN with OPNsense to a Navisite DR peer yesterday. I followed the documentation offered on the website. I could see where there was traffic in the live firewall data that was being permitted over the VPN "auto built" rules that get created based on the Phase 2 described traffic. However, a ton of the same traffic was getting dropped at the LAN interface on the implicit block rule. It seemed like there was no rhyme or reason why some traffic was getting dropped at the LAN interface but was being allowed on the enc0 interface. I tried adding policies on the LAN interface, also in floating, also in the VPN... no joy... for "in" traffic that permitted the source traffic by IP to the destination subnet... the firewall acted like the policies weren't even there. I also made sure said policy changes were "saved and applied". The only traffic that would work was the policies natively created by creating the VPN. If I manually added rules, they didn't work. I am wondering if anyone knows where I am going wrong.
ky41083
Newbie
Posts: 45
Karma: 3
Re: VPN Security policies « Reply #1 on: September 03, 2021, 05:00:55 pm »
Screenshots of interface rules?