OPNsense Forum » Archive » 18.7 Legacy Series » [SOLVED] Firewall rules problem
Topic: [SOLVED] Firewall rules problem (Read 3050 times)
GaardenZwerch (Full Member, Posts: 104, Karma: 2)
[SOLVED] Firewall rules problem
« on: September 03, 2018, 11:20:19 am »
Hi all,
this might be my own fault, or a lack of understanding on my behalf, so I apologize in advance if I am being dumb.
I do 802.1x on my switches in remote offices, and the switches talk to a radius server through an openvpn tunnel.
I have two symmetrical (floating) rules that should allow this:
radius-servers -> local switch net, accept ports 1812-1813
local switch net -> radius-servers, accept ports 1812-1813
It doesn't work, and I see in the live log that packets (udp, port 1812) are dropped from the radius servers to the switches.
When I include a third rule that allows anything from the radius to the switches, it works like a charm.
I include a screenshot of the three rules.
« Last Edit: September 19, 2018, 01:11:56 pm by GaardenZwerch »
GaardenZwerch (Full Member, Posts: 104, Karma: 2)
Re: Firewall rules problem
« Reply #1 on: September 19, 2018, 01:11:42 pm »
This is somehow solved. It turned out that even with the more permissive rules, I had trouble with workstations not being able to authenticate.
This only happened on a single site, and I wasn't able to reproduce it in the lab, with identical HW.
I finally discovered that opnsense reassembled fragmented Radius Access-Challenges into long packets (1570 bytes). The switches would nevertheless log their reception but give no further error. Once a station is authenticated, the Challenges are smaller in size until it is rebooted, so it would work like a charm when 'powercycling' ports or moving cables on the switch.
Making sure no switch has jumbo frames enabled and lowering the MTU to 1400 on the switch VLAN finally fixed it.
Reaaaally hard to find, because the results of tuning MTU and jumbo frames seem to take some time before showing.
Frank
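The size problem in the reply above comes from how EAP (here from 802.1X) rides inside RADIUS: an Access-Challenge that carries an EAP-TLS certificate chain is split into many EAP-Message attributes, the resulting UDP datagram easily exceeds a 1500-byte link, and the sender fragments it at the IP layer. The script below is an added example, not code from the thread or from OPNsense: it builds such an Access-Challenge from a constructed dummy EAP payload (sized so the IP datagram is exactly the 1570 bytes reported above), parses it back, and computes the IPv4 fragment layout for a given link MTU and whether the reassembled datagram could leave an interface of a given MTU without fragmenting again. The RADIUS framing follows RFC 2865/2869 (Access-Challenge code 11, EAP-Message type 79, Message-Authenticator type 80, one-octet attribute Length, so at most 253 value bytes per attribute); the 1400/1500-byte MTUs are the thread's figures, and the Authenticator fields are zero placeholders because only sizes matter here.

```python
"""
Added example (not from the forum thread or OPNsense): model why an EAP-carrying
RADIUS Access-Challenge outgrows the link MTU and how it fragments at IP level.
The EAP payload below is a constructed dummy blob, not a real TLS record.
"""
import struct

IP_HDR = 20                    # IPv4 header without options
UDP_HDR = 8
RADIUS_HDR = 20                # Code, Identifier, Length, Authenticator (RFC 2865)
ACCESS_CHALLENGE = 11
ATTR_EAP_MESSAGE = 79          # RFC 2869
ATTR_MESSAGE_AUTHENTICATOR = 80
ATTR_VALUE_MAX = 253           # attribute Length is one octet and counts its 2-byte header


def build_access_challenge(eap_payload: bytes, ident: int = 0x42) -> bytes:
    """Build an Access-Challenge carrying `eap_payload` split into EAP-Message
    attributes of at most 253 bytes each (RFC 2869).  Authenticator and
    Message-Authenticator are zero placeholders; only the sizes are modelled."""
    attrs = bytearray()
    for i in range(0, len(eap_payload), ATTR_VALUE_MAX):
        chunk = eap_payload[i:i + ATTR_VALUE_MAX]
        attrs += struct.pack("!BB", ATTR_EAP_MESSAGE, len(chunk) + 2) + chunk
    # Message-Authenticator is mandatory whenever EAP-Message is present
    attrs += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    length = RADIUS_HDR + len(attrs)
    return struct.pack("!BBH", ACCESS_CHALLENGE, ident, length) + bytes(16) + bytes(attrs)


def parse_radius(pkt: bytes):
    """Return (code, identifier, length, [(type, value), ...], eap_payload),
    reassembling the EAP payload from consecutive EAP-Message attributes and
    rejecting datagrams whose Length field disagrees with their size."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < RADIUS_HDR:
        raise ValueError("RADIUS Length field does not match datagram size")
    attrs, eap, off = [], bytearray(), RADIUS_HDR
    while off < length:
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("malformed attribute at offset %d" % off)
        value = pkt[off + 2:off + alen]
        attrs.append((atype, value))
        if atype == ATTR_EAP_MESSAGE:
            eap += value
        off += alen
    return code, ident, length, attrs, bytes(eap)


def ip_fragment_sizes(radius_len: int, mtu: int) -> list:
    """Sizes of the IPv4 packets a sender emits for one UDP datagram over a link
    of the given MTU.  Only the first fragment carries the UDP header, and every
    fragment payload except the last must be a multiple of 8 bytes."""
    total = IP_HDR + UDP_HDR + radius_len
    if total <= mtu:
        return [total]
    per_frag = (mtu - IP_HDR) // 8 * 8
    remaining = UDP_HDR + radius_len
    sizes = []
    while remaining > 0:
        take = min(per_frag, remaining)
        sizes.append(IP_HDR + take)
        remaining -= take
    return sizes


def fits_unfragmented(radius_len: int, mtu: int) -> bool:
    """True if a fully reassembled datagram of this RADIUS length can leave an
    interface of the given MTU without being fragmented again."""
    return IP_HDR + UDP_HDR + radius_len <= mtu


if __name__ == "__main__":
    # 1492 dummy EAP bytes give 6 EAP-Message attributes and a 1570-byte IP datagram
    pkt = build_access_challenge(bytes(1492))
    code, ident, length, attrs, eap = parse_radius(pkt)
    print("RADIUS length %d, %d EAP-Message attrs, EAP payload %d bytes"
          % (length, sum(1 for t, _ in attrs if t == ATTR_EAP_MESSAGE), len(eap)))
    for mtu in (1500, 1400):
        print("MTU %d: fragments %s, fits reassembled: %s"
              % (mtu, ip_fragment_sizes(length, mtu), fits_unfragmented(length, mtu)))
```

Run stand-alone, the script shows the 1570-byte datagram becoming a 1500-byte plus a 90-byte fragment on a 1500-byte link, and that the reassembled datagram fits neither a 1500- nor a 1400-byte interface MTU without fragmenting again, which is why a firewall that reassembles on ingress must be able to re-fragment on egress, and why the thread's reporter saw the issue only for the large first Challenges of a fresh session. The complementary knob on the server side is the EAP fragment size most RADIUS servers expose (for example FreeRADIUS's `fragment_size` in its `eap` module), which keeps each Access-Challenge below the path MTU so no IP fragmentation happens at all.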