default vLAn

[cardins2u]

@Franco,

So far I love OPNSense. Its my primary production router now. I'm working on implementing Direct Access and AUTOVPn feature of WIndows 2016.

It seem like 10.0.0.5 (DA) server is having problems communicating with Domain Controllers.
The rules are below.

IPv4 *   LAN net   *   *   *   *      Default allow LAN to any rule


When I use another router it can communicate just fine. THis points to firewall problem. All local traffic (such as traffic from 10.0.0.2 to 10.0.0.3 is going through 10.0.0.1 gateway and its being filter.

Am I doing something wrong?

[Julien]

is the DA and Domain controller on different sites and the OPENSENS between them tunneling the VPN ?

[cardins2u]

its all local.

vLAN 1 (default vlan) all local. No VPN
Direct Access server try to communicate with Domain Controllers and it cannot. Its a hit and miss. Sometimes it can and sometimes it cannot.

Without OPNSense in the way  and using a regular linksys router it works just fine.

So was just wondering if I'm missing anything. Is all local traffic being filter at the firewall?

[franco]

Hey cardins2u,

Hope you are doing good!

Is there maybe traffic dropped by default deny rule? It would point to "asymmetric routing", some packets reaching the firewall, others talking directly or packets reordering somehow.

You could also add a switch to the LAN port just to test... Or disable state tracking (firewall rule advanced) on the pass all rule.


Cheers,
Franco

[cardins2u]

@franco

Attach is the firewall rules.

OPNSense in the way then Direct Access sometimes can contact 10.0.0.2 / 10.0.0.3 (domain controllers) - Direct access application on launch will sometimes shows Lost trust with domain controller.

If I take out the OPNSense and use the Unifi USG pro then that doesn't happen.

      
IPv4 *   LAN net   *   *   *   *      Default allow LAN to any rule



State Tracking -
-        None -if I set this to none. It works just fine. 7 fail/10   
-        Sloppy -If I set this to sloppy  8 fails/10
-        Keep - then direct access fail to refresh 8 fails /10 times


Note: Edited - after restart of direct acess server it happens again. took out the opnsense and just use linksys or usg pro from ubnt then it works fine . rebooted it still works......hmm

[cardins2u]

this is the error :

[cardins2u]

nevermind, set to none works. FLushed state tables.

so for lan to lan traffic we should keep this stateful disable?

[cardins2u]

@Franco

this rule below fixed it

I set LAN net to 10.0.0.6 (DA Server)

then I Set 10.0.0.6 to  Lan.Net


now it works fine. Its not fast like having a low grade router *linksys or UBNT usg pro*.

theres like 2-3 second delays but I can live this this.

thanks..
if you have anymore tips or anything flying by. let me know so I can test.